Cisco Systems ASA 5505, ASA 5545-X, ASA 5555-X, ASA 5580 Configuring Cisco Cloud Web Security, 25-8


Chapter 25 Configuring the ASA for Cisco Cloud Web Security


When an interface to the Cloud Web Security proxy servers goes down, the output of the show scansafe server command continues to show both servers as up for approximately 15-25 minutes. This happens because the polling mechanism is based on the active connection: with the interface down, the ASA sees zero connections and falls back to the longest polling interval before it marks the server down.

Cloud Web Security is not supported with the ASA CX module. If you configure both the ASA CX action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX action.

Cloud Web Security inspection is compatible with HTTP inspection for the same traffic. HTTP inspection is enabled by default as part of the default global policy.

Cloud Web Security is not supported with extended PAT or any application that can potentially use the same source port and IP address for separate connections. For example, if two different connections (targeted to separate servers) use extended PAT, the ASA might reuse the same source IP and source port for both connection translations because they are differentiated by the separate destinations. When the ASA redirects these connections to the Cloud Web Security server, it replaces the destination with the Cloud Web Security server IP address and port (8080 by default). As a result, both connections now appear to belong to the same flow (same source IP/port and destination IP/port), and return traffic cannot be untranslated properly.
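The following is an added illustration of the extended PAT problem described above; it is not Cisco code and does not model the real ASA translation engine. It models the connection table as a dictionary keyed by the translated 5-tuple, allocates mapped ports either classically (no reuse while a port is busy) or as extended PAT permits (reuse when the destination differs), rewrites the destination to the proxy the way Cloud Web Security redirection does, and then checks whether a reply from the proxy can still be matched to exactly one original connection. All addresses are constructed sample values; the proxy address is assumed and only port 8080 comes from the text.

```python
"""Why extended PAT and Cloud Web Security redirection collide (added model, not Cisco code)."""
from dataclasses import dataclass

# Constructed proxy address; 8080 is the default redirect port named in the guide.
CWS_PROXY = ("203.0.113.10", 8080)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        """The 5-tuple the connection table uses to match return traffic."""
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class PatTable:
    """Allocates mapped source ports from a single mapped IP.

    extended=False: a mapped port is never reused while any connection holds it.
    extended=True:  a mapped port may be reused as long as the destination differs,
                    which is the behaviour extended PAT permits.
    """

    def __init__(self, mapped_ip, extended):
        self.mapped_ip = mapped_ip
        self.extended = extended
        self.in_use = {}        # mapped_port -> set of (dst_ip, dst_port) using it
        self.next_port = 1024   # constructed starting port

    def translate(self, flow):
        dst = (flow.dst_ip, flow.dst_port)
        if self.extended:
            # Reuse the first port whose current peers are all different destinations.
            for port, peers in self.in_use.items():
                if dst not in peers:
                    peers.add(dst)
                    return Flow(flow.proto, self.mapped_ip, port, flow.dst_ip, flow.dst_port)
        port = self.next_port
        self.next_port += 1
        self.in_use[port] = {dst}
        return Flow(flow.proto, self.mapped_ip, port, flow.dst_ip, flow.dst_port)


def redirect_to_cws(flow):
    """Cloud Web Security inspection replaces the destination with the proxy IP and port."""
    return Flow(flow.proto, flow.src_ip, flow.src_port, CWS_PROXY[0], CWS_PROXY[1])


def simulate(extended):
    """Translate, redirect, and return the connection table: 5-tuple -> original flows."""
    pat = PatTable("198.51.100.1", extended)   # constructed mapped (outside) address
    originals = [
        Flow("tcp", "10.1.1.5", 40000, "192.0.2.20", 80),   # constructed: inside host -> web server A
        Flow("tcp", "10.1.1.5", 40001, "192.0.2.30", 80),   # constructed: same host -> web server B
    ]
    conn_table = {}
    for original in originals:
        translated = pat.translate(original)
        redirected = redirect_to_cws(translated)
        conn_table.setdefault(redirected.key(), []).append(original)
    return conn_table


def return_traffic_ambiguous(extended):
    """True when a reply from the proxy maps to more than one original connection."""
    return any(len(owners) > 1 for owners in simulate(extended).values())


if __name__ == "__main__":
    for mode in (False, True):
        label = "extended PAT" if mode else "classic PAT"
        print(f"{label}: {len(simulate(mode))} distinct flow(s) after redirect, "
              f"ambiguous return traffic = {return_traffic_ambiguous(mode)}")
```

With classic PAT the two connections keep distinct mapped ports, so their redirected 5-tuples stay distinct. With extended PAT the second connection legitimately reuses the first mapped port because its destination differs; once redirection overwrites both destinations with the proxy, the only differentiator is gone and the two flows share one table key, which is the untranslation failure the guideline warns about.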

The Default Inspection Traffic traffic class does not include the default ports for the Cloud Web Security inspection (80 and 443).

Default Settings

By default, Cisco Cloud Web Security is not enabled.

Configuring Cisco Cloud Web Security

Configuring Communication with the Cloud Web Security Proxy Server, page 25-8

(Multiple Context Mode) Allowing Cloud Web Security Per Security Context, page 25-10

Configuring a Service Policy to Send Traffic to Cloud Web Security, page 25-10

(Optional) Configuring Whitelisted Traffic, page 25-23

Configuring the Cloud Web Security Policy, page 25-26

Configuring Communication with the Cloud Web Security Proxy Server

Guidelines

The public key is embedded in the ASA software, so there is no need for you to configure it.

Cisco ASA Series Firewall ASDM Configuration Guide


Prerequisites for the CSC SSM32-5 Parameter Default 32-6Configuring the CSC SSM Before Configuring the CSC SSM32-7 Connecting to the CSC SSM 32-8Determining Service Policy Rule Actions for CSC Scanning 32-9CSC SSM Setup Wizard 32-10IP Configuration Activation/License32-11 Host/Notification Settings 32-12Management Access Host/Networks Password32-13 Restoring the Default Password Choose Tools CSC Password Reset32-14 Wizard Setup CSC Setup Wizard Activation Codes Configuration32-15 CSC Setup Wizard IP Configuration CSC Setup Wizard Host Configuration32-16 CSC Setup Wizard Management Access Configuration CSC Setup Wizard Password ConfigurationCSC Setup Wizard Traffic Selection for CSC Scan 32-17Specifying Traffic for CSC Scanning 32-18CSC Setup Wizard Summary 32-19Using the CSC SSM GUI Choose Configuration Trend Micro Content Security WebWeb 32-20Mail Smtp Tab32-21 File Transfer 32-22Updates 32-23Choose Monitoring Trend Micro Content Security Threats Monitoring the CSC SSMThreats 32-24Live Security Events Live Security Events Log32-25 Software Updates 32-26Troubleshooting the CSC Module Resource GraphsCSC Memory 32-27Installing an Image on the Module Recover command32-28 Resetting the Password 32-29Reloading or Resetting the Module Shutting Down the ModuleShuts down the module 32-30Feature History for the CSC SSM Feature Name Platform Releases Feature InformationAdditional References Related Topic Document Title32-32 D E IN-1FTP Http IN-2CSC CPU IN-3CSC SSM GUI IN-4Application inspection IN-5IPS IN-6See also class map IN-7See Icmp IN-8See QoS IN-9See PAT IN-10URL IN-11IN-12
Related manuals
Manual 712 pages 25.77 Kb Manual 52 pages 35.74 Kb

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.