Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)

Feature History for Twice NAT

Table 5-1 Feature History for Twice NAT (continued)

Feature Name: NAT support for reverse DNS lookups
Platform Releases: 9.0(1)
Feature Information: NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.

Feature Name: Per-session PAT
Platform Releases: 9.0(1)
Feature Information: The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.

For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.

By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.

We introduced the following screen: Configuration > Firewall > Advanced > Per-Session NAT Rules.
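The capacity figures in the per-session PAT row follow from two numbers the text gives: 65535 ports behind one PAT address, and a port that stays reserved for the 30-second PAT timeout under multi-session PAT but is freed immediately (after the reset) under per-session PAT. The following Python is an added illustration of that arithmetic, not ASA code and not part of this guide: it models one PAT address as a pool of ports with a per-connection hold time and offers a constructed stream of short connections against it, so you can see a 3000 connection/s load exhaust the pool under multi-session PAT while 2000/s does not, and per-session PAT absorbs both. The arrival pattern, the 0.1 s connection lifetime and the even spacing of arrivals are assumptions; the ASA's real port allocator is not described on this page and is not modelled beyond the hold time.

```python
"""Port-pool model for per-session vs. multi-session PAT.

One PAT address has 65535 usable ports. The only difference between the
two modes modelled here is how long a port stays reserved after a
connection ends: per-session PAT resets the connection and frees the
xlate immediately, while multi-session PAT keeps the xlate for the PAT
timeout (30 seconds by default). Both figures come from the feature
history text; the arrival pattern and lifetimes below are constructed.
"""
import heapq

PORT_POOL = 65535     # ports available behind one PAT address (from the text)
PAT_TIMEOUT = 30.0    # default multi-session PAT xlate timeout, seconds (from the text)


def port_hold_time(avg_lifetime, per_session):
    """Seconds one PAT port is unavailable for reuse per connection."""
    return avg_lifetime if per_session else avg_lifetime + PAT_TIMEOUT


def steady_state_rate(avg_lifetime, per_session, pool=PORT_POOL):
    """Highest sustained new-connection rate (per second) the pool can carry.
    For per-session PAT this is the text's 65535/average-lifetime; for
    multi-session PAT the 30 s timeout dominates, giving roughly 2000/s."""
    return pool / port_hold_time(avg_lifetime, per_session)


def simulate(rate, avg_lifetime, per_session, duration=60.0, pool=PORT_POOL):
    """Offer `rate` evenly spaced new connections per second for `duration`
    seconds against one PAT address. Returns (accepted, rejected), where a
    rejection means every port was still held when the connection arrived."""
    hold = port_hold_time(avg_lifetime, per_session)
    release_times = []            # min-heap of the instants at which held ports free up
    accepted = rejected = 0
    for i in range(int(rate * duration)):
        now = i / rate
        # Reclaim every port whose hold time has elapsed.
        while release_times and release_times[0] <= now:
            heapq.heappop(release_times)
        if len(release_times) < pool:
            heapq.heappush(release_times, now + hold)
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    lifetime = 0.1   # a "hit-and-run" HTTP request, in seconds (constructed)
    for per_session in (False, True):
        label = "per-session" if per_session else "multi-session"
        print(f"{label}: sustainable ~{steady_state_rate(lifetime, per_session):.0f} conn/s")
        print(f"{label}: 3000 conn/s offered for 60 s -> (accepted, rejected) =",
              simulate(3000, lifetime, per_session))
```

The multi-session ceiling of about 2000/s is simply 65535 divided by a hold time that is dominated by the 30 s timeout; shortening the connections does almost nothing for it, which is why the text singles out short HTTP and HTTPS flows as the case where per-session PAT pays off. The reset that makes this possible is also why protocols whose secondary channels must reuse the same xlate (H.323, SIP, Skinny) need a per-session deny rule.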

 

 
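The reverse DNS row above says that, with DNS inspection enabled on the NAT rule, the ASA translates the PTR record for IPv4 NAT, IPv6 NAT and NAT64. What makes PTR different from an A or AAAA lookup is that the address being resolved is encoded in the owner name itself (d.c.b.a.in-addr.arpa, or 32 reversed nibbles under ip6.arpa), so it is the name that must be rewritten. The following Python is an added illustration of that rewrite, not ASA code and not part of this guide: it decodes the address embedded in a reverse-lookup name, looks it up in a constructed mapped-to-real table, and re-encodes the real address, so a NAT64 name under ip6.arpa comes out as an in-addr.arpa name for the embedded IPv4 host. The addresses, the mapped-to-real direction (a query arriving from the mapped side toward a DNS server on the real host's network) and the choice to rewrite only the owner name are assumptions of the illustration; the page does not specify the ASA's exact rewrite points.

```python
"""Owner-name rewriting for reverse DNS (PTR) lookups through NAT.

A PTR query carries the address being looked up inside the owner name:
d.c.b.a.in-addr.arpa for IPv4, thirty-two reversed nibbles under ip6.arpa
for IPv6. When DNS inspection is enabled on a NAT rule, that embedded
address has to be translated like any other address in the flow. This
model rewrites mapped addresses to real ones, the direction a query takes
from the mapped side toward a DNS server on the real host's network (an
assumption of this illustration). The NAT table below is constructed.
"""
import ipaddress

# Constructed mapped -> real table covering the three cases named in the feature text.
NAT_TABLE = {
    ipaddress.ip_address(mapped): ipaddress.ip_address(real)
    for mapped, real in (
        ("209.165.201.10", "10.1.3.14"),                # IPv4 static NAT
        ("2001:db8:d1a5:c8e1::1", "fd00::10"),           # IPv6 NAT
        ("2001:db8:64::c633:6414", "198.51.100.20"),     # NAT64: IPv6 mapped, IPv4 real
    )
}


def reverse_name(addr_str):
    """Fully qualified reverse-lookup owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(addr_str).reverse_pointer + "."


def ptr_name_to_address(name):
    """Decode an in-addr.arpa or ip6.arpa owner name. Returns an IPv4Address
    or IPv6Address, or None if the name is not a well-formed reverse name."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # Labels are least-significant octet first; undo that order.
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = labels[:32]
            if any(len(n) != 1 for n in nibbles):
                return None
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:          # non-numeric octet or non-hex nibble
        return None
    return None


def translate_ptr_owner(name, table=NAT_TABLE):
    """Rewrite the address embedded in a PTR owner name through `table`
    (mapped -> real). Names that are not reverse lookups, or whose address has
    no NAT rule, come back unchanged. Because the real address may belong to a
    different family (NAT64), the result can move from ip6.arpa to in-addr.arpa."""
    addr = ptr_name_to_address(name)
    if addr is None or addr not in table:
        return name
    return table[addr].reverse_pointer + "."


if __name__ == "__main__":
    for mapped in ("209.165.201.10", "2001:db8:d1a5:c8e1::1", "2001:db8:64::c633:6414"):
        query = reverse_name(mapped)
        print(f"{query}\n  -> {translate_ptr_owner(query)}")
```

The NAT64 case is the one worth checking on a real deployment: the query arrives under ip6.arpa but the only DNS server that knows the host holds an in-addr.arpa zone, so unless the inspection rewrites across families the lookup returns NXDOMAIN even though forward resolution and the data path both work.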

 

 

Cisco ASA Series Firewall ASDM Configuration Guide

Module Network Settings ASA 5512-X through ASA 5555-X Booting the Software Module31-12 Choose Wizards Startup Wizard ASA 5510 and Higher Configuring Basic Network Settings31-13 ASDM, choose Configuration Device Setup SSC Setup ASA 5505 Configuring Basic Network Settings31-14 31-15 Configuring the Security Policy on the ASA IPS Module31-16 Click Continue31-17 31-18 Diverting Traffic to the ASA IPS module31-19 Managing the ASA IPS module31-20 Installing and Booting an Image on the Module31-21 31-22 Uninstalling a Software Module Image31-23 31-24 Monitoring the ASA IPS module31-25 Feature History for the ASA IPS module31-26 Information About the CSC SSM Configuring the ASA CSC Module32-1 32-2 ASA32-3 Determining What Traffic to Scan32-4 Common Network Configuration for CSC SSM ScanningPrerequisites for the CSC SSM Licensing Requirements for the CSC SSM32-5 32-6 Parameter DefaultBefore Configuring the CSC SSM Configuring the CSC SSM32-7 32-8 Connecting to the CSC SSM32-9 Determining Service Policy Rule Actions for CSC Scanning32-10 CSC SSM Setup WizardActivation/License IP Configuration32-11 32-12 Host/Notification SettingsPassword Management Access Host/Networks32-13 Choose Tools CSC Password Reset Restoring the Default Password32-14 CSC Setup Wizard Activation Codes Configuration Wizard Setup32-15 CSC Setup Wizard Host Configuration CSC Setup Wizard IP Configuration32-16 32-17 CSC Setup Wizard Management Access ConfigurationCSC Setup Wizard Password Configuration CSC Setup Wizard Traffic Selection for CSC Scan32-18 Specifying Traffic for CSC Scanning32-19 CSC Setup Wizard Summary32-20 Using the CSC SSM GUIChoose Configuration Trend Micro Content Security Web WebSmtp Tab Mail32-21 32-22 File Transfer32-23 Updates32-24 Choose Monitoring Trend Micro Content Security ThreatsMonitoring the CSC SSM ThreatsLive Security Events Log Live Security Events32-25 32-26 Software Updates32-27 Troubleshooting the CSC ModuleResource Graphs CSC MemoryRecover command Installing an Image 
on the Module32-28 32-29 Resetting the Password32-30 Reloading or Resetting the ModuleShutting Down the Module Shuts down the moduleRelated Topic Document Title Feature History for the CSC SSMFeature Name Platform Releases Feature Information Additional References32-32 IN-1 D EIN-2 FTP HttpIN-3 CSC CPUIN-4 CSC SSM GUIIN-5 Application inspectionIN-6 IPSIN-7 See also class mapIN-8 See IcmpIN-9 See QoSIN-10 See PATIN-11 URLIN-12

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco's Adaptive Security Appliance (ASA) series spans a range of firewall platforms that run the same ASA software and are managed through the same ASDM interface. The ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X differ mainly in throughput, form factor, and which service modules (ASA CX, IPS, or CSC SSM) they can host.

The ASA 5505 is the small-business and branch-office model. It provides stateful firewalling, site-to-site and remote-access VPN, and intrusion prevention through an optional SSC module, which this guide configures through Configuration > Device Setup > SSC Setup. Basic and scanning threat detection run on the appliance itself, so even the smallest platform gets the same first layer of attack-rate monitoring as the larger models, and a license upgrade raises its connection and VPN limits as the office grows.

Moving up the line, the ASA 5580 is a high-throughput chassis for medium to large enterprises. Its multi-core architecture sustains high connection rates without sacrificing per-flow stateful inspection, and it supports the same application-layer inspection and access policies as the rest of the line. It takes interface expansion cards rather than the CX, IPS, or CSC service modules, so it suits environments that need raw firewall and VPN capacity more than integrated content inspection.

The ASA 5585-X is the top of the line for large enterprises and data centers. It hosts the ASA CX hardware module, which adds next-generation, context-aware firewall policy (application, user, and device awareness) on top of the ASA's stateful inspection, and it can carry a hardware IPS module for signature-based intrusion prevention. Failover and ASA clustering keep traffic flowing when a unit fails or is taken out of service for maintenance.

For enterprises that need a balance of performance and integrated inspection, the ASA 5545-X is a practical choice. It runs the ASA CX and IPS functions as software modules (this guide covers the ASA 5512-X through ASA 5555-X software modules together), supports failover for high availability, and exposes the same threat detection statistics and module monitoring views as the rest of the line, so one appliance can combine firewalling, application control, and intrusion prevention without separate hardware.

Lastly, the ASA 5555-X is the largest of the software-module platforms, offering higher throughput than the ASA 5545-X with the same module options. Its application inspection engines examine traffic above the transport layer, the ASA CX software module applies application-level policy to the traffic redirected to it, and the IPS software module adds signature-based intrusion prevention for that traffic.

Each of these ASA models targets a different size of deployment, but they share one software line, one management interface, and the same core features (NAT, threat detection, application inspection, and VPN), so policy and operational practice carry across the range as an organization grows. Choosing between them comes down to required throughput, form factor, and which service modules the environment needs.