Cisco Systems ASA 5585-X, ASA 5505, ASA 5580 Twice Static NAT with Destination Address Translation

Page 69

Chapter 3 Information About NAT (ASA 8.3 and Later)

How NAT is Implemented

Figure 3-16shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.

Figure 3-16 Twice Static NAT with Destination Address Translation

209.165.201.11 209.165.200.225

209.165.201.0/27

Undo Translation

209.165.202.12810.1.2.27

209.165.200.224/27

DMZ

No Translation

Inside 10.1.2.0/27

10.1.2.27

130037

Cisco ASA Series Firewall ASDM Configuration Guide

3-19

Image 69
Contents Software Version Cisco ASA Series Firewall Asdm Configuration GuideCisco ASA Series Firewall Asdm Configuration Guide N T E N T S NAT for VPN Guidelines and Limitations Default Settings NAT and Same Security Level Interfaces Configuring Access Rules Getting Started with Application Layer Protocol Inspection Select IM Map Add/Edit H.323 Match Criterion SIP Class Map Select Radius Accounting Map Cisco Unified Communications Manager Prerequisites ACL Rules Configuring the TLS Proxy for Encrypted Voice Inspection Creating the TLS Proxy TCP Intercept and Limiting Embryonic Connections Blocks Monitoring Cloud Web Security Related Documents IP Audit Policy Licensing Requirements for the ASA CX Module Operating Modes Management Access Host/Networks About This Guide Document ObjectivesRelated Documentation Conventions Convention IndicationBold font Configuring Service Policies Page Configuring a Service Policy Information About Service PoliciesSupported Features Feature Traffic? See Feature DirectionalityFor Through Accounting onlyFeature Matching Within a Service Policy FeatureGlobal Direction ASA IPS ASA CX Order in Which Multiple Feature Actions are AppliedLicensing Requirements for Service Policies Incompatibility of Certain Feature ActionsFeature Matching for Multiple Service Policies Guidelines and Limitations Default Configuration Default SettingsAdding a Service Policy Rule for Through Traffic Task Flows for Configuring Service PoliciesDefault Traffic Classes Task Flow for Configuring a Service Policy RuleCisco ASA Series Firewall Asdm Configuration Guide Click Next Click Match or Do Not Match Cisco ASA Series Firewall Asdm Configuration Guide Configuring a Service Policy Rule for Management Traffic Adding a Service Policy Rule for Management TrafficClick Match or Do Not Match Managing the Order of Service Policy Rules Moving an ACE Feature Name Releases Feature Information Feature History for Service PoliciesIntroduced class-map type management, and inspect Radius-accountingPage Information About Inspection Policy Maps Default Inspection Policy Maps Choose Configuration Firewall Objects Class Maps Choose Configuration Firewall Objects Inspect MapsDefining Actions in an Inspection Policy Map Identifying Traffic in an Inspection Class MapFeature History for Inspection Policy Maps Where to Go NextConfiguring Network Address Translation Page Information About NAT ASA 8.3 and Later Why Use NAT?NAT Terminology NAT Types Overview NAT TypesStatic NAT Information About Static NATInformation About Static NAT with Port Address Translation Information About Static NAT with Port TranslationStatic NAT with Identity Port Translation Static Interface NAT with Port Translation Information About One-to-Many Static NATInformation About Other Mapping Scenarios Not Recommended 6shows a typical few-to-many static NAT scenario Dynamic NAT209.165.201.10 Information About Dynamic NATDynamic PAT Dynamic NAT Disadvantages and AdvantagesInformation About Dynamic PAT Dynamic PAT Disadvantages and Advantages Per-Session PAT vs. Multi-Session PAT Version 9.01 and LaterIdentity NAT NAT in Routed and Transparent ModeNAT in Transparent Mode NAT in Routed Mode13 NAT Example Transparent Mode NAT and IPv6 How NAT is ImplementedMain Differences Between Network Object NAT and Twice NAT Information About Twice NAT Information About Network Object NAT14 Twice NAT with Different Destination Addresses 15 Twice NAT with Different Destination Ports 16 Twice Static NAT with Destination Address Translation Rule Type Order of Rules within the Section NAT Rule Order10.1.2.0 NAT InterfacesMapped Addresses and Routing Routing NAT Packets18 Proxy ARP Problems with Identity NAT Determining the Egress Interface Transparent Mode Routing Requirements for Remote NetworksNAT for VPN NAT and Remote Access VPNSrc 203.0.113.16070 4. Http request to Dst NAT and Site-to-Site VPNSee the following sample NAT configuration for ASA1 Boulder Subnet 10.2.2.0 NAT and VPN Management Access25 VPN Management Access DNS and NAT Troubleshooting NAT and VPNEnter show nat detail and show conn all Repeat show nat detail and show conn all26 DNS Reply Modification, DNS Server on Outside 192.168.1.10 28 DNS Reply Modification, DNS Server on Host Network 2001DB8D1A5C8E1 30 PTR Modification, DNS Server on Host Network Information About Network Object NAT Configuring Network Object NAT ASA 8.3 and LaterPrerequisites for Network Object NAT Licensing Requirements for Network Object NATAdditional Guidelines Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Configuring Network Object NATDetailed Steps Check the Add Automatic Translation Rules check box Configuring Network Object NAT ASA 8.3 and Later Configuring Dynamic PAT Hide Configuring Network Object NAT ASA 8.3 and Later Check the Add Automatic Translation Rules check box Add NAT to a new or existing network object Configuring Static NAT or Static NAT-with-Port-TranslationConfiguring Network Object NAT ASA 8.3 and Later Check the Add Automatic Translation Rules check box Configuring Network Object NAT ASA 8.3 and Later Configuring Identity NAT From the Type drop-down list, choose Static Configuring Network Object NAT ASA 8.3 and Later Defaults Configuring Per-Session PAT RulesFields Monitoring Network Object NATConfiguration Examples for Network Object NAT Static NAT for an Inside Web Server Providing Access to an Inside Web Server Static NATCisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Dynamic NAT for Inside, Static NAT for Outside Web Server Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Static NAT with One-to-Many for an Inside Load Balancer Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Static NAT-with-Port-Translation Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Create a network object for the FTP server address Cisco ASA Series Firewall Asdm Configuration Guide DNS Reply Modification Using Outside NAT Cisco ASA Series Firewall Asdm Configuration Guide 2001DB8D1A5C8E1 IPv6 Net DNS Reply Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Feature History for Network Object NAT Platform Feature Name Releases Feature InformationNo-proxy-arp and route-lookup keywords, to maintain This feature is not available in 8.51 or Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Page Information About Twice NAT Configuring Twice NAT ASA 8.3 and LaterPrerequisites for Twice NAT Licensing Requirements for Twice NATIPv6 Guidelines Configuring Twice NAT Choose Configuration Firewall NAT Rules, and then click Add Configuring Twice NAT ASA 8.3 and Later Source Destination Source Destination Configuring Twice NAT ASA 8.3 and Later Configuring Twice NAT ASA 8.3 and Later Click OK To configure dynamic PAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later Source Destination Configuring Twice NAT ASA 8.3 and Later Source Destination Configuring Twice NAT ASA 8.3 and Later To configure static NAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later Source Destination Source Destination Configuring Twice NAT ASA 8.3 and Later Configuring Twice NAT ASA 8.3 and Later To configure identity NAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later 10.1.2.2 Source Destination Configuring Twice NAT ASA 8.3 and Later Monitoring Twice NAT Configuration Examples for Twice NAT Twice NAT with Different Destination Addresses Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Click Apply Twice NAT with Different Destination Ports Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Click Apply Feature History for Twice NAT This feature is not available in 8.51 or Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Page Configuring NAT ASA 8.2 and Earlier NAT OverviewIntroduction to NAT NAT Example Routed Mode NAT in Transparent Mode 209.165.201.1 NAT ControlNAT Control and Same Security Traffic Dynamic NAT NAT TypesRemote Host Attempts to Connect to the Real Address PAT Static PAT Static NATBypassing NAT When NAT Control is Enabled Policy NAT Policy NAT with Different Destination Addresses 11 Policy Static NAT with Destination Address Translation NAT and Same Security Level InterfacesOrder of NAT Rules Used to Match Real Addresses Mapped Address GuidelinesDNS and NAT 12 DNS Reply Modification 13 DNS Reply Modification Using Outside NAT Configuring NAT ControlDynamic NAT Implementation Using Dynamic NATGlobal Pools on Different Interfaces with the Same Pool ID Real Addresses and Global Pools Paired Using a Pool IDGlobal 1 16 Different NAT IDs Multiple Addresses in the Same Global Pool17 NAT and PAT Together Outside NAT18 Outside NAT and Inside NAT Combined Managing Global Pools19 Dynamic NAT Scenarios Configuring Dynamic NAT, PAT, or Identity NATConfiguring NAT ASA 8.2 and Earlier Using Dynamic NAT 20 Dynamic Policy NAT Scenarios Configuring Dynamic Policy NAT or PATConfiguring NAT ASA 8.2 and Earlier Using Dynamic NAT Using Static NAT Inside Configuring Static NAT, PAT, or Identity NATUse Interface IP Address Use IP AddressClick OK 22 Static Policy NAT Scenarios Configuring Static Policy NAT, PAT, or Identity NATUse IP Address Click Action Exempt Using NAT ExemptionClick Action Do not exempt Configuring Access Control Page Information About Access Rules Configuring Access RulesImplicit Permits General Information About RulesNAT and Access Rules Using RemarksRule Order Implicit DenyOutbound ACL Transactional-Commit ModelInformation About Access Rules Access Rules for Returning TrafficAdditional Guidelines and Limitations Information About EtherType Rules Management Access RulesSupported EtherTypes and Other Traffic Traffic Type Protocol or PortLicensing Requirements for Access Rules Default SettingsAllowing Mpls Configuring Access Rules Adding an Access RuleChoose Configuration Firewall Access Rules Adding an EtherType Rule Transparent Mode Only Configuring Management Access Rules Prerequisites Advanced Access Rule ConfigurationConfiguring Http Redirect Access Rule ExplosionCheck the Enable Object Group Search Algorithm check box Configuring Transactional Commit Model Edit HTTP/HTTPS SettingsFeature History for Access Rules Platform Feature Name Releases Feature Information Page Configuring AAA Rules for Network Access AAA PerformanceLicensing Requirements for AAA Rules Information About Authentication Configuring Authentication for Network AccessASA Authentication Prompts One-Time AuthenticationAAA Prompts and Identity Firewall Deployment Supporting Cut-through Proxy AuthenticationStatic PAT and Http AAA Rules as a Backup Authentication MethodAuthenticate Do not Authenticate Configuring Network Access AuthenticationClick OK Enabling Secure Authentication of Web Clients Authenticating Https Connections with a Virtual Server Authenticating Directly with the ASAAuthenticating Telnet Connections with a Virtual Server Choose Configuration Firewall AAA Rules, then click Advanced Configuring the Authentication Proxy LimitConfiguring Authorization for Network Access Configuring TACACS+ AuthorizationAuthorize Do not Authorize Configuring Radius Authorization About the Downloadable ACL Feature and Cisco Secure ACS Configuring Cisco Secure ACS for Downloadable ACLs Configuring Any Radius Server for Downloadable ACLs Configuring Accounting for Network Access Account Do not Account MAC Exempt No MAC Exempt Feature History for AAA Rules Configuring Public Servers Information About Public ServersLicensing Requirements for Public Servers Adding a Public Server that Enables Static NAT with PAT Adding a Public Server that Enables Static NATEditing Settings for a Public Server Feature History for Public Servers Configuring Application Inspection Page Getting Started with Application Layer Protocol Inspection How Inspection Engines Work10-1 10-2 When to Use Application Protocol Inspection10-3 Failover GuidelinesDefault Settings and NAT Limitations 323 H.22510-4 IP Options NetBIOS NameServer over IP 10-5SQL*Net SmtpSun RPC over 10-6Configuring Application Layer Protocol Inspection Choose Configuration Firewall Service Policy Rules10-7 10-8 Configuring Inspection of Basic Internet Protocols DNS Inspection11-1 Information About DNS Inspection Default Settings for DNS InspectionGeneral Information About DNS DNS Inspection Actions11-3 Choose Configuration Firewall Objects Inspect Maps DNS11-4 Detailed Steps-Protocol Conformance11-5 Detailed Steps-Filtering11-6 Detailed Steps-Inspections11-7 11-8 11-9 11-10 Header FlagDNS Type Field Value Class11-11 11-12 11-13 Resource Record11-14 Domain Name11-15 Configuring DNS Inspection Click Configure11-16 FTP Inspection Using Strict FTPFTP Inspection Overview 11-1711-18 Select FTP MapFTP Class Map Configuration Global Objects Class Maps FTPAdd/Edit FTP Traffic Class Map 11-1911-20 Add/Edit FTP Match CriterionConfiguration Global Objects Inspect Maps FTP FTP Inspect Map11-21 File Type Filtering Add/Edit FTP Policy Map Security Level11-22 11-23 Add/Edit FTP Policy Map Details11-24 Add/Edit FTP Map11-25 Verifying and Monitoring FTP InspectionHttp Inspection Overview Http InspectionSelect Http Map 11-26Http Class Map Configuration Global Objects Class Maps HttpAdd/Edit Http Traffic Class Map 11-2711-28 Add/Edit Http Match Criterion11-29 11-30 11-31 Configuration Global Objects Inspect Maps Http Http Inspect Map11-32 URI Filtering Add/Edit Http Policy Map Security Level11-33 11-34 Add/Edit Http Policy Map Details11-35 Add/Edit Http Map11-36 11-37 11-38 Icmp Inspection Icmp Error InspectionInstant Messaging Inspection 11-39IM Inspection Overview Adding a Class Map for IM Inspection11-40 Select IM Map IP Options InspectionIP Options Inspection Overview 11-4111-42 Configuring IP Options Inspection11-43 Select IP Options Inspect MapIP Options Inspect Map Add/Edit IP Options Inspect Map11-44 IPsec Pass Through Inspection IPsec Pass Through Inspection Overview11-45 Select IPsec-Pass-Thru Map IPsec Pass Through Inspect Map11-46 Add/Edit IPsec Pass Thru Policy Map Security Level Add/Edit IPsec Pass Thru Policy Map Details11-47 Optional Configuring an IPv6 Inspection Policy Map Default Settings for IPv6 InspectionIPv6 Inspection Information about IPv6 Inspection11-49 Configuring IPv6 InspectionNetBIOS Inspection Overview NetBIOS InspectionSelect Netbios Map 11-50Add/Edit NetBIOS Policy Map NetBIOS Inspect MapConfiguration Global Objects Inspect Maps NetBIOS Pptp InspectionSmtp and Extended Smtp Inspection Smtp and Esmtp Inspection Overview11-52 11-53 Select Esmtp MapConfiguration Global Objects Inspect Maps Esmtp Esmtp Inspect Map11-54 Mime File Type Filtering Add/Edit Esmtp Policy Map Security Level11-55 11-56 Add/Edit Esmtp Policy Map Details11-57 Add/Edit Esmtp Inspect11-58 11-59 11-60 Tftp Inspection11-61 11-62 Ctiqbe Inspection Configuring Inspection for Voice and Video ProtocolsCtiqbe Inspection Overview 12-1Inspection Limitations and Restrictions12-2 Inspection Overview How H.323 Works12-3 12-4 Support in H.245 MessagesSelect H.323 Map Configuration Global Objects Class Maps H.323Class Map 12-5Add/Edit H.323 Traffic Class Map Add/Edit H.323 Match Criterion12-6 Configuration Global Objects Inspect Maps H.323 Inspect Map12-7 Phone Number Filtering Add/Edit H.323 Policy Map Security Level12-8 12-9 Add/Edit H.323 Policy Map Details12-10 Add/Edit HSI Group Add/Edit H.323 Map12-11 Mgcp Inspection Mgcp Inspection Overview12-12 12-13 Using NAT with MgcpSelect Mgcp Map Configuration Global Objects Inspect Maps MgcpMgcp Inspect Map 12-14Gateways and Call Agents Add/Edit Mgcp Policy Map12-15 Rtsp Inspection Add/Edit Mgcp Group12-16 Using RealPlayer Rtsp Inspection Overview12-17 Restrictions and Limitations Configuration Global Objects Inspect Maps RadiusSelect Rtsp Map Rtsp Inspect MapAdd/Edit Rtsp Policy Map Configuration Firewall Objects Class Maps RtspRtsp Class Map 12-19SIP Inspection Add/Edit Rtsp Traffic Class Map12-20 12-21 SIP Inspection OverviewSIP Instant Messaging Select SIP Map12-22 Configuration Global Objects Class Maps SIP SIP Class Map12-23 Add/Edit SIP Traffic Class Map Add/Edit SIP Match Criterion12-24 12-25 Configuration Global Objects Inspect Maps SIP SIP Inspect Map12-26 12-27 Add/Edit SIP Policy Map Security Level12-28 Add/Edit SIP Policy Map Details12-29 12-30 Add/Edit SIP Inspect12-31 Skinny Sccp Inspection Sccp Inspection Overview12-32 12-33 Supporting Cisco IP PhonesSelect Sccp Skinny Map Configuration Global Objects Inspect Maps Sccp SkinnySccp Skinny Inspect Map 12-3412-35 Message ID Filtering12-36 Add/Edit Sccp Skinny Policy Map Security Level12-37 Add/Edit Sccp Skinny Policy Map Details12-38 Add/Edit Message ID FilterConfiguring Inspection of Database Directory Protocols ILS Inspection13-1 13-2 SQL*Net InspectionSun RPC Inspection Configuration Properties Sunrpc ServerSun RPC Inspection Overview Sunrpc Server13-4 Add/Edit Sunrpc ServiceDcerpc Inspection Configuring Inspection for Management Application ProtocolsDcerpc Overview 14-1Select Dcerpc Map Configuration Global Objects Inspect Maps DcerpcDcerpc Inspect Map 14-214-3 Add/Edit Dcerpc Policy Map14-4 GTP InspectionGTP Inspection Overview Select GTP Map14-5 Configuration Global Objects Inspect Maps GTP GTP Inspect Map14-6 Imsi Prefix Filtering Add/Edit GTP Policy Map Security Level14-7 14-8 Add/Edit GTP Policy Map Details14-9 Add/Edit GTP Map14-10 Radius Accounting InspectionSelect Radius Accounting Map Radius Accounting Inspection OverviewAdd Radius Accounting Policy Map 14-11Radius Inspect Map Radius Inspect Map Host14-12 Snmp Inspection RSH InspectionRadius Inspect Map Other 14-13Select Snmp Map Snmp Inspection OverviewSnmp Inspect Map Add/Edit Snmp Map14-15 Xdmcp Inspection14-16 Configuring Unified Communications Page 15-1 15-2 15-3 TLS Proxy Applications in Cisco Unified Communications15-4 Model License Requirement115-5 15-6 16-1 Using the Cisco Unified Communication Wizard16-2 16-3 Licensing Requirements for the Unified Communication Wizard16-4 16-5 Configuring the Private Network for the Phone ProxyConfiguring Servers for the Phone Proxy Click the Generate and Export LDC Certificate button16-6 16-7 Address Default Port Description16-8 16-9 Configuring the Public IP Phone Network16-10 16-11 16-12 16-13 16-14 16-15 Certificate,16-16 16-17 Basic Deployment Off-path Deployment16-18 16-19 16-20 16-21 16-22 Installing a Certificate Exporting an Identity Certificate16-23 16-24 Click Install Certificate16-25 Saving the Identity Certificate Request16-26 16-27 16-28 Information About the Cisco Phone Proxy Configuring the Cisco Phone ProxyPhone Proxy Functionality 17-1TCP/RTP TLS/SRTP 17-2Cisco Unified Communications Manager Supported Cisco UCM and IP Phones for the Phone ProxyCisco Unified IP Phones 17-317-4 Licensing Requirements for the Phone Proxy17-5 Prerequisites for the Phone Proxy Media Termination Instance Prerequisites17-6 DNS Lookup Prerequisites Certificates from the Cisco UCMCisco Unified Communications Manager Prerequisites ACL RulesAddress Port Protocol Description NAT and PAT PrerequisitesNAT Prerequisites PAT PrerequisitesPrerequisites for IP Phones on Multiple Interfaces 7940 IP Phones Support17-9 Cisco IP Communicator Prerequisites Prerequisites for Rate Limiting Tftp Requests17-10 End-User Phone Provisioning Rate Limiting Configuration ExampleWays to Deploy IP Phones to End Users 17-11Phone Proxy Guidelines and Limitations General Guidelines and Limitations17-12 17-13 Media Termination Address Guidelines and LimitationsConfiguring the Phone Proxy Task Flow for Configuring the Phone Proxy17-14 17-15 Creating the CTL File17-16 Adding or Editing a Record Entry in a CTL File17-17 Creating the Media Termination Instance17-18 Creating the Phone Proxy Instance17-19 17-20 Adding or Editing the Tftp Server for a Phone ProxyConfiguring Your Router Linksys Routers17-21 Application Start End Protocol IP Address Enabled Feature History for the Phone ProxyChecked 17-2218-1 TLS Proxy Flow Cisco IP Phone Cisco ASA 18-218-3 Supported Cisco UCM and IP Phones for the TLS Proxy18-4 Licensing for the TLS Proxy18-5 18-6 CTL Provider18-7 Add/Edit CTL Provider18-8 Configure TLS Proxy PaneAdd TLS Proxy Instance Wizard Server Configuration Adding a TLS Proxy Instance18-9 18-10 Add TLS Proxy Instance Wizard Client Configuration18-11 18-12 Add TLS Proxy Instance Wizard Other Steps18-13 Edit TLS Proxy Instance Server Configuration18-14 Edit TLS Proxy Instance Client Configuration18-15 TLS Proxy Add/Edit TLS Proxy18-16 18-17 18-18 Configuring Cisco Mobility Advantage Cisco Mobility Advantage Proxy Functionality19-1 19-2 Mobility Advantage Proxy Deployment ScenariosMMP/SSL/TLS 19-3Mobility Advantage Proxy Using NAT/PAT Trust Relationships for Cisco UMA Deployments19-4 19-5 19-6 Configuring Cisco Mobility AdvantageFeature History for Cisco Mobility Advantage Task Flow for Configuring Cisco Mobility Advantage19-7 19-8 Configuring Cisco Unified Presence Information About Cisco Unified Presence20-1 Typical Cisco Unified Presence/LCS Federation Scenario 20-2SIP/TLS 20-320-4 Trust Relationship in the Presence Federation20-5 Xmpp Federation Deployments20-6 Configuration Requirements for Xmpp Federation20-7 Licensing for Cisco Unified Presence20-8 Configuring Cisco Unified Presence Proxy for SIP Federation20-9 Feature History for Cisco Unified Presence20-10 Configuring Cisco Intercompany Media Engine Proxy Features of Cisco Intercompany Media Engine Proxy21-1 21-2 How the UC-IME Works with the Pstn and the Internet21-3 Tickets and Passwords21-4 Call Fallback to the Pstn Architecture21-5 21-6 Basic Deployment21-7 Off Path Deployment21-8 Licensing for Cisco Intercompany Media Engine21-9 21-10 Configuring Cisco Intercompany Media Engine Proxy Task Flow for Configuring Cisco Intercompany Media Engine21-11 21-12 Configuring NAT for Cisco Intercompany Media Engine Proxy21-13 Command PurposeCommand Purpose Configuring PAT for the Cisco UCM ServerWhat to Do Next 21-1421-15 Address of Cisco UCM that you want to translate21-16 Creating ACLs for Cisco Intercompany Media Engine ProxyProcedure Guidelines21-17 21-18 Creating the Cisco Intercompany Media Engine Proxy21-19 See Creating the Media Termination Instance21-20 Show running-config uc-ime command21-21 Creating Trustpoints and Generating Certificates21-22 Prerequisites for Installing Certificates21-23 Certified21-24 Creating the TLS Proxy21-25 21-26 ACLs for Cisco Intercompany Media Engine Proxy21-27 Optional Configuring TLS within the Local Enterprise21-28 Commands PurposeWhere proxytrustpoint for the server trust-point Where proxytrustpoint for the client trust-point21-29 21-30 Optional Configuring Off Path Signaling21-31 Engine Proxy,21-32 21-33 21-34 Show uc-ime signaling-sessionsShow uc-ime signaling-sessions statistics Show uc-ime media-sessions detail21-35 Show uc-ime mapping-service-sessions statistics Show uc-ime mapping-service-sessionsShow uc-ime fallback-notification statistics 21-3621-37 Feature History for Cisco Intercompany Media Engine Proxy21-38 Configuring Connection Settings and QoS Page Configuring Connection Settings Information About Connection Settings22-1 TCP Intercept and Limiting Embryonic Connections Dead Connection Detection DCD22-2 TCP Normalization TCP Sequence RandomizationTCP State Bypass 22-322-4 Licensing Requirements for Connection SettingsMaximum Concurrent and Embryonic Connection Guidelines TCP State Bypass Unsupported FeaturesTCP State Bypass 22-5Task Flow For Configuring Connection Settings Configuring Connection SettingsCustomizing the TCP Normalizer with a TCP Map 22-622-7 22-8 Configuring Connection Settings22-9 Configuring Global Timeouts22-10 Introduced set connection advanced-options Feature History for Connection SettingsTcp-state-bypass 22-1122-12 Configuring QoS Information About QoS23-1 Supported QoS Features What is a Token Bucket?23-2 Information About Policing Information About Priority Queuing23-3 How QoS Features Interact Information About Traffic Shaping23-4 Dscp and DiffServ Preservation Licensing Requirements for QoSModel Guidelines 23-523-6 Configuring QoS23-7 12523-8 Configuring the Standard Priority Queue for an Interface23-9 Click Enable priority for this flow23-10 Monitoring QoS Click Enforce priority to selected shape traffic23-11 Viewing QoS Police Statistics Viewing QoS Standard Priority Statistics23-12 Viewing QoS Shaping Statistics Viewing QoS Standard Priority Queue Statistics23-13 23-14 Feature History for QoSTesting Your Configuration Troubleshooting Connections and ResourcesPinging ASA Interfaces 24-124-2 Network Diagram with Interfaces, Routers, and Hosts24-3 Information About PingPinging From an ASA Interface Troubleshooting the Ping ToolPinging to an ASA Interface Pinging Through the ASA Interface24-5 Using the Ping ToolOutput Symbol Description Determining Packet Routing with Traceroute24-6 24-7 Tracing Packets with Packet Tracer24-8 Monitoring PerformanceMonitoring System Resources Blocks24-9 24-10 Memory24-11 Monitoring Connections24-12 Monitoring Per-Process CPU UsageConfiguring Advanced Network Protection Page 25-1 Configuring the ASA for Cisco Cloud Web SecurityInformation About Cisco Cloud Web Security User Authentication and Cloud Web SecurityRedirection of Web Traffic to Cloud Web Security 25-2Authentication Keys Company Authentication Key Group Authentication Key25-3 Directory Groups ScanCenter PolicyCustom Groups 25-4How Groups and the Authentication Key Interoperate Cloud Web Security Actions25-5 Licensing Requirements for Cisco Cloud Web Security Failover from Primary to Backup Proxy ServerBypassing Scanning with Whitelists IPv4 and IPv6 SupportPrerequisites for Cloud Web Security Optional User Authentication PrerequisitesOptional Fully Qualified Domain Name Prerequisites 25-725-8 Configuring Cisco Cloud Web Security25-9 Choose Configuration Device Management Cloud Web Security25-10 25-11 25-12 25-13 25-14 25-15 25-16 25-17 Examples25-18 25-19 Check Cloud Web Security and click Configure25-20 25-21 Tcp/http25-22 25-23 Optional Configuring Whitelisted Traffic25-24 25-25 Optional Configuring the User Identity MonitorConfiguring the Cloud Web Security Policy Monitoring Cloud Web Security25-26 Related Documents Feature History for Cisco Cloud Web SecurityRelated Documents 25-2725-28 Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter26-1 Botnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Address TypesBotnet Traffic Filter Databases Information About the Dynamic Database26-3 Information About the Static Database26-4 26-5 How the Botnet Traffic Filter WorksLicensing Requirements for the Botnet Traffic Filter Prerequisites for the Botnet Traffic Filter26-6 Configuring the Botnet Traffic Filter Task Flow for Configuring the Botnet Traffic Filter26-7 26-8 Configuring the Dynamic DatabaseAdding Entries to the Static Database Enabling DNS Snooping26-9 26-10 26-11 Recommended ConfigurationBlocking Botnet Traffic Manually Very Low Moderate High Very High26-12 26-13 Searching the Dynamic DatabaseMonitoring the Botnet Traffic Filter Botnet Traffic Filter Syslog Messaging26-14 26-15 Botnet Traffic Filter Monitor Panes26-16 Feature History for the Botnet Traffic FilterInformation About Threat Detection Configuring Threat DetectionLicensing Requirements for Threat Detection 27-1Configuring Basic Threat Detection Statistics Information About Basic Threat Detection Statistics27-2 Guidelines and Limitations Trigger Settings Packet Drop Reason Average Rate Burst RateSecurity Context Guidelines Types of Traffic MonitoredMonitoring Basic Threat Detection Statistics Configuring Basic Threat Detection StatisticsPath Purpose 27-4Feature History for Basic Threat Detection Statistics Configuring Advanced Threat Detection StatisticsInformation About Advanced Threat Detection Statistics 27-5Configuring Advanced Threat Detection Statistics Choose the Configuration Firewall Threat Detection pane27-6 Monitoring Advanced Threat Detection Statistics Last 24 hour27-7 Configuring Scanning Threat Detection Feature History for Advanced Threat Detection Statistics27-8 27-9 Information About Scanning Threat DetectionConfiguring Scanning Threat Detection Average Rate Burst Rate27-10 27-11 Feature History for Scanning Threat Detection27-12 Configuration Firewall Advanced Anti-Spoofing Fields Using Protection ToolsPreventing IP Spoofing 28-1Configuring the Fragment Size Show Fragment28-2 28-3 Configuring TCP Options28-4 TCP Reset SettingsAdd/Edit IP Audit Policy Configuration Configuring IP Audit for Basic IPS SupportIP Audit Policy 28-5IP Audit Signature List IP Audit SignaturesSignature Message Number Signature Title 28-628-7 28-8 Message Number Signature Title28-9 28-10 28-11 28-12 Configuring Filtering Services Information About Web Traffic Filtering29-1 Filtering URLs and FTP Requests with an External Server Information About URL Filtering29-2 Guidelines and Limitations for URL Filtering Licensing Requirements for URL FilteringIdentifying the Filtering Server 29-329-4 Configuring Additional URL Filtering SettingsBuffering the Content Server Response Caching Server Addresses29-5 Configuring Filtering Rules Filtering Http URLs29-6 29-7 29-8 29-9 29-10 29-11 Filtering the Rule TableFeature History for URL Filtering Defining Queries29-12 Configuring Modules Page Configuring the ASA CX Module Information About the ASA CX Module30-1 30-2 How the ASA CX Module Works with the ASAService Policy in Monitor-Only Mode Monitor-Only ModeTraffic-Forwarding Interface in Monitor-Only Mode 30-3Initial Configuration Information About ASA CX Management30-4 Compatibility with ASA Features Information About Authentication ProxyPolicy Configuration and Management Information About VPN and the ASA CX ModuleLicensing Requirements for the ASA CX Module Prerequisites30-6 Monitor-Only Mode Guidelines ASA Clustering Guidelines30-7 Parameters Default Configuring the ASA CX ModuleTask Flow for the ASA CX Module 30-8Connecting the ASA CX Management Interface ASA 5585-X Hardware Module30-9 If you have an inside router If you do not have an inside router30-10 30-11 ASA 5512-X through ASA 5555-X Software Module30-12 30-13 ExampleMultiple Context Mode ASA 5585-X Changing the ASA CX Management IP Address30-14 Sets the ASA CX management IP address, mask, and gateway Single Context ModeExample ASDM, choose Wizards Startup Wizard30-16 Configuring Basic ASA CX Settings at the ASA CX CLI30-17 30-18 Optional Configuring the Authentication Proxy PortCreating the ASA CX Service Policy Redirecting Traffic to the ASA CX Module30-19 30-20 Click the ASA CX Inspection tab30-21 Check the Enable ASA CX for this traffic flow check boxConfiguring Traffic-Forwarding Interfaces Monitor-Only Mode Choose Tools Command Line Interface30-22 Resetting the Password Managing the ASA CX Module30-23 30-24 Reloading or Resetting the Module30-25 Shutting Down the Module30-26 Admin123 Monitoring the ASA CX Module30-27 Showing Module Statistics Showing Module StatusMonitoring Module Connections ModuleCiscoasa# show asp table classify domain cxsc Input Table 30-2930-30 Ciscoasa# show asp drop 30-31Problems with the Authentication Proxy Troubleshooting the ASA CX ModuleCapturing Module Traffic 30-3230-33 Feature History for the ASA CX Module30-34 Capture interface asadataplane commandConfiguring the ASA IPS Module Information About the ASA IPS Module31-1 31-2 How the ASA IPS Module Works with the ASAUsing Virtual Sensors ASA 5510 and Higher Operating Modes31-3 31-4 Information About Management Access31-5 Licensing Requirements for the ASA IPS module31-6 VlanConfiguring the ASA IPS module Task Flow for the ASA IPS Module31-7 31-8 Connecting the ASA IPS Management Interface31-9 31-10 ASA31-11 Sessioning to the Module from the ASA May Be RequiredASA 5512-X through ASA 5555-X Booting the Software Module Configuring Basic IPS Module Network Settings31-12 ASA 5510 and Higher Configuring Basic Network Settings Choose Wizards Startup Wizard31-13 ASA 5505 Configuring Basic Network Settings ASDM, choose Configuration Device Setup SSC Setup31-14 31-15 Configuring the Security Policy on the ASA IPS Module31-16 Click Continue31-17 31-18 Diverting Traffic to the ASA IPS module31-19 Managing the ASA IPS module31-20 Installing and Booting an Image on the Module31-21 31-22 Uninstalling a Software Module Image31-23 31-24 Monitoring the ASA IPS module31-25 Feature History for the ASA IPS module31-26 Configuring the ASA CSC Module Information About the CSC SSM32-1 32-2 ASA32-3 Determining What Traffic to Scan32-4 Common Network Configuration for CSC SSM ScanningLicensing Requirements for the CSC SSM Prerequisites for the CSC SSM32-5 32-6 Parameter DefaultConfiguring the CSC SSM Before Configuring the CSC SSM32-7 32-8 Connecting to the CSC SSM32-9 Determining Service Policy Rule Actions for CSC Scanning32-10 CSC SSM Setup WizardIP Configuration Activation/License32-11 32-12 Host/Notification SettingsManagement Access Host/Networks Password32-13 Restoring the Default Password Choose Tools CSC Password Reset32-14 Wizard Setup CSC Setup Wizard Activation Codes Configuration32-15 CSC Setup Wizard IP Configuration CSC Setup Wizard Host Configuration32-16 CSC Setup Wizard Password Configuration CSC Setup Wizard Management Access ConfigurationCSC Setup Wizard Traffic Selection for CSC Scan 32-1732-18 Specifying Traffic for CSC Scanning32-19 CSC Setup Wizard SummaryChoose Configuration Trend Micro Content Security Web Using the CSC SSM GUIWeb 32-20Mail Smtp Tab32-21 32-22 File Transfer32-23 UpdatesMonitoring the CSC SSM Choose Monitoring Trend Micro Content Security ThreatsThreats 32-24Live Security Events Live Security Events Log32-25 32-26 Software UpdatesResource Graphs Troubleshooting the CSC ModuleCSC Memory 32-27Installing an Image on the Module Recover command32-28 32-29 Resetting the PasswordShutting Down the Module Reloading or Resetting the ModuleShuts down the module 32-30Feature Name Platform Releases Feature Information Feature History for the CSC SSMAdditional References Related Topic Document Title32-32 IN-1 D EIN-2 FTP HttpIN-3 CSC CPUIN-4 CSC SSM GUIIN-5 Application inspectionIN-6 IPSIN-7 See also class mapIN-8 See IcmpIN-9 See QoSIN-10 See PATIN-11 URLIN-12
Related manuals
Manual 712 pages 25.77 Kb Manual 52 pages 35.74 Kb

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.