Cisco ASA 5500 Series Configuration Guide using the CLI
CONTENTS
About This Guide
Document Objectives
Audience
Related Documentation
Conventions
Obtaining Documentation and Submitting a Service Request
Introduction to the Cisco ASA 5500 Series
Hardware and Software Compatibility
VPN Specifications
New Features
New Features in Version 8.6(1)
New Features in Version 8.4(5)
New Features in Version 8.4(4.1)
New Features in Version 8.4(3)
New Features in Version 8.4(2)
New Features in Version 8.4(1)
Firewall Functional Overview
Security Policy Overview
Permitting or Denying Traffic with Access Lists
Applying NAT
Protecting from IP Fragments
Using AAA for Through Traffic
Applying HTTP, HTTPS, or FTP Filtering
Sending Traffic to the IPS Module
Sending Traffic to the Content Security and Control Module
Applying QoS Policies
Applying Connection Limits and TCP Normalization
Enabling Threat Detection
Firewall Mode Overview
Stateful Inspection Overview
VPN Functional Overview
Security Context Overview
Getting Started
Accessing the Appliance Command-Line Interface
Configuring ASDM Access for Appliances
Accessing ASDM Using the Factory Default Configuration
Accessing ASDM Using a Non-Default Configuration (ASA 5505)
Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
Starting ASDM
Connecting to ASDM for the First Time
Starting ASDM from the ASDM-IDM Launcher
Starting ASDM from the Java Web Start Application
Using ASDM in Demo Mode
Factory Default Configurations
Restoring the Factory Default Configuration
Limitations
ASA 5505 Default Configuration
ASA 5505 Routed Mode Default Configuration
ASA 5505 Transparent Mode Sample Configuration
ASA 5510 and Higher Default Configuration
Working with the Configuration
Saving Configuration Changes
Saving Configuration Changes in Single Context Mode
Saving Configuration Changes in Multiple Context Mode
Saving Each Context and System Separately
Saving All Context Configurations at the Same Time
Copying the Startup Configuration to the Running Configuration
Viewing the Configuration
Clearing and Removing Configuration Settings
Creating Text Configuration Files Offline
Applying Configuration Changes to Connections
Managing Feature Licenses
Supported Feature Licenses Per Model
Licenses Per Model
License Notes
VPN License and Feature Compatibility
Information About Feature Licenses
Preinstalled License
Permanent License
Time-Based Licenses
Time-Based License Activation Guidelines
How the Time-Based License Timer Works
How Permanent and Time-Based Licenses Combine
Stacking Time-Based Licenses
Time-Based License Expiration
Shared AnyConnect Premium Licenses
Information About the Shared Licensing Server and Participants
Communication Issues Between Participant and Server
Information About the Shared Licensing Backup Server
Failover and Shared Licenses
Failover and Shared License Servers
Failover and Shared License Participants
Maximum Number of Participants
Failover Licenses (8.3(1) and Later)
Failover License Requirements and Exceptions
How Failover Licenses Combine
Loss of Communication Between Failover Units
Upgrading Failover Pairs
No Payload Encryption Models
Licenses FAQ
Configuring Licenses
Obtaining an Activation Key
Activating or Deactivating Keys
Limitations and Restrictions
Configuring a Shared License
Configuring the Shared Licensing Server
Configuring the Shared Licensing Backup Server (Optional)
Configuring the Shared Licensing Participant
Monitoring Licenses
Viewing Your Current License
Example 3-2 Standalone Unit Output for show activation-key detail
Example 3-3 Primary Unit Output in a Failover Pair for show activation-key detail
Example 3-4 Secondary Unit Output in a Failover Pair for show activation-key detail
Monitoring the Shared License
Feature History for Licensing
Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
Information About the Firewall Mode
Information About Routed Firewall Mode
Information About Transparent Firewall Mode
Transparent Firewall Network
Bridge Groups
Management Interface (ASA 5510 and Higher)
Allowing Layer 3 Traffic
Allowed MAC Addresses
Passing Traffic Not Allowed in Routed Mode
Passing Traffic For Routed-Mode Features
BPDU Handling
MAC Address vs. Route Lookups
Using the Transparent Firewall in Your Network
Licensing Requirements for the Firewall Mode
Setting the Firewall Mode
Feature History for Firewall Mode
Configuring ARP Inspection for the Transparent Firewall
Information About ARP Inspection
Licensing Requirements for ARP Inspection
Configuring ARP Inspection
Task Flow for Configuring ARP Inspection
Adding a Static ARP Entry
Enabling ARP Inspection
Monitoring ARP Inspection
Feature History for ARP Inspection
Customizing the MAC Address Table for the Transparent Firewall
Information About the MAC Address Table
Licensing Requirements for the MAC Address Table
Configuring the MAC Address Table
Adding a Static MAC Address
Setting the MAC Address Timeout
Disabling MAC Address Learning
Monitoring the MAC Address Table
Feature History for the MAC Address Table
Firewall Mode Examples
How Data Moves Through the ASA in Routed Firewall Mode
An Inside User Visits a Web Server
An Outside User Visits a Web Server on the DMZ
An Inside User Visits a Web Server on the DMZ
An Outside User Attempts to Access an Inside Host
A DMZ User Attempts to Access an Inside Host
How Data Moves Through the Transparent Firewall
An Inside User Visits a Web Server
An Inside User Visits a Web Server Using NAT
An Outside User Visits a Web Server on the Inside Network
An Outside User Attempts to Access an Inside Host
Configuring Multiple Context Mode
Information About Security Contexts
Common Uses for Security Contexts
Context Configuration Files
Context Configurations
System Configuration
Admin Context Configuration
How the ASA Classifies Packets
Valid Classifier Criteria
Unique Interfaces
Unique MAC Addresses
Classification Examples
Cascading Security Contexts
Management Access to Security Contexts
System Administrator Access
Context Administrator Access
Information About Resource Management
Resource Limits
Default Class
Class Members
Information About MAC Addresses
Default MAC Address
Interaction with Manual MAC Addresses
Failover MAC Addresses
Licensing Requirements for Multiple Context Mode
MAC Address Format
MAC Address Format Using a Prefix
MAC Address Format Without a Prefix (Legacy Method; Not Available in 8.6(1) and Later)
Configuring Multiple Contexts
Task Flow for Configuring Multiple Context Mode
Enabling or Disabling Multiple Context Mode
Enabling Multiple Context Mode
Restoring Single Context Mode
Configuring a Class for Resource Management
Configuring a Security Context
Automatically Assigning MAC Addresses to Context Interfaces
Changing Between Contexts and the System Execution Space
Managing Security Contexts
Removing a Security Context
Changing the Admin Context
Changing the Security Context URL
Reloading a Security Context
Reloading by Clearing the Configuration
Reloading by Removing and Re-adding the Context
Monitoring Security Contexts
Viewing Context Information
Viewing Resource Allocation
Viewing Resource Usage
Monitoring SYN Attacks in Contexts
Viewing Assigned MAC Addresses
Viewing MAC Addresses in the System Configuration
Viewing MAC Addresses Within a Context
Configuration Examples for Multiple Context Mode
Feature History for Multiple Context Mode
Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration
Auto-MDI/MDIX Feature
Interfaces in Transparent Mode
Management Interface
Management Interface Overview
Management Slot/Port Interface
Using Any Interface for Management-Only Traffic
Management Interface for Transparent Mode
No Support for Redundant Management Interfaces
Management 0/0 Interface on the ASA 5512-X through ASA 5555-X
Redundant Interfaces
Redundant Interface MAC Address
EtherChannels
Channel Group Interfaces
Connecting to an EtherChannel on Another Device
Link Aggregation Control Protocol
Load Balancing
EtherChannel MAC Address
Licensing Requirements for ASA 5510 and Higher Interfaces
Starting Interface Configuration (ASA 5510 and Higher)
Task Flow for Starting Interface Configuration
Converting In-Use Interfaces to a Redundant or EtherChannel Interface
Detailed Steps (Single Mode)
Detailed Steps (Multiple Mode)
Enabling the Physical Interface and Configuring Ethernet Parameters
Configuring a Redundant Interface
Configuring a Redundant Interface
Changing the Active Interface
Configuring an EtherChannel
Adding Interfaces to the EtherChannel
Customizing the EtherChannel
Configuring VLAN Subinterfaces and 802.1Q Trunking
Enabling Jumbo Frame Support (Supported Models)
Configuration Examples for ASA 5510 and Higher Interfaces
Physical Interface Parameters Example
Subinterface Parameters Example
Multiple Context Mode Example
EtherChannel Example
Feature History for ASA 5510 and Higher Interfaces
Starting Interface Configuration (ASA 5505)
Information About ASA 5505 Interfaces
Understanding ASA 5505 Ports and Interfaces
Maximum Active VLAN Interfaces for Your License
VLAN MAC Addresses
Licensing Requirements for ASA 5505 Interfaces
Power over Ethernet
Monitoring Traffic Using SPAN
Auto-MDI/MDIX Feature
Starting ASA 5505 Interface Configuration
Task Flow for Starting Interface Configuration
Configuring VLAN Interfaces
Configuring and Enabling Switch Ports as Access Ports
Configuring and Enabling Switch Ports as Trunk Ports
Configuration Examples for ASA 5505 Interfaces
Access Port Example
Trunk Port Example
Feature History for ASA 5505 Interfaces
Completing Interface Configuration (Routed Mode)
Information About Completing Interface Configuration in Routed Mode
Security Levels
Dual IP Stack (IPv4 and IPv6)
Licensing Requirements for Completing Interface Configuration in Routed Mode
Completing Interface Configuration in Routed Mode
Task Flow for Completing Interface Configuration
Configuring General Interface Parameters
Configuring the MAC Address and MTU
Information About MAC Addresses
Information About the MTU
Configuring IPv6 Addressing
Information About IPv6
IPv6 Addressing
Duplicate Address Detection
Modified EUI-64 Interface IDs
Configuring a Global IPv6 Address and Other Options
Allowing Same Security Level Communication
Information About Inter-Interface Communication
Information About Intra-Interface Communication
Configuration Examples for Interfaces in Routed Mode
ASA 5505 Example
Feature History for Interfaces in Routed Mode
Completing Interface Configuration (Transparent Mode)
Information About Completing Interface Configuration in Transparent Mode
Bridge Groups in Transparent Mode
Security Levels
Licensing Requirements for Completing Interface Configuration in Transparent Mode
Completing Interface Configuration in Transparent Mode
Task Flow for Completing Interface Configuration
Configuring Bridge Groups
Configuring General Interface Parameters
Configuring a Management Interface (ASA 5510 and Higher)
Configuring the MAC Address and MTU
Information About MAC Addresses
Information About the MTU
Configuring IPv6 Addressing
Information About IPv6
IPv6 Addressing
Duplicate Address Detection
Modified EUI-64 Interface IDs
Unsupported Commands
Configuring a Global IPv6 Address and Other Options
Allowing Same Security Level Communication
Information About Inter-Interface Communication
Configuration Examples for Interfaces in Transparent Mode
Feature History for Interfaces in Transparent Mode
Configuring Basic Settings
Configuring the Hostname, Domain Name, and Passwords
Changing the Login Password
Changing the Enable Password
Setting the Hostname
Setting the Domain Name
Setting the Date and Time
Setting the Time Zone and Daylight Saving Time Date Range
Setting the Date and Time Using an NTP Server
Setting the Date and Time Manually
Configuring the Master Passphrase
Information About the Master Passphrase
Licensing Requirements for the Master Passphrase
Adding or Changing the Master Passphrase
Disabling the Master Passphrase
Recovering the Master Passphrase
Feature History for the Master Passphrase
Configuring the DNS Server
Monitoring DNS Cache
DNS Cache Monitoring Commands
Feature History for DNS Cache
Configuring DHCP
Information About DHCP
Licensing Requirements for DHCP
Configuring a DHCP Server
Enabling the DHCP Server
Configuring DHCP Options
Options that Return an IP Address
Options that Return a Text String
Options that Return a Hexadecimal Value
Using Cisco IP Phones with a DHCP Server
Configuring DHCP Relay Services
DHCP Monitoring Commands
Feature History for DHCP
Configuring Dynamic DNS
Information About DDNS
Licensing Requirements for DDNS
Configuring DDNS
Configuration Examples for DDNS
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
Example 5: Client Updates A RR; Server Updates PTR RR
DDNS Monitoring Commands
Feature History for DDNS
Configuring Objects
Configuring Objects and Groups
Information About Objects and Groups
Information About Objects
Information About Object Groups
Licensing Requirements for Objects and Groups
Guidelines and Limitations for Objects and Groups
Configuring Objects
Configuring a Network Object
Configuring a Service Object
Configuring Object Groups
Adding a Protocol Object Group
Adding a Network Object Group
Adding a Service Object Group
Adding an ICMP Type Object Group
Nesting Object Groups
Removing Object Groups
Detailed Step
Monitoring Objects and Groups
Feature History for Objects and Groups
Configuring Regular Expressions
Creating a Regular Expression
Creating a Regular Expression Class Map
Scheduling Extended Access List Activation
Information About Scheduling Access List Activation
Licensing Requirements for Scheduling Access List Activation
Guidelines and Limitations for Scheduling Access List Activation
Configuring and Applying Time Ranges
Configuration Examples for Scheduling Access List Activation
Feature History for Scheduling Access List Activation
Information About Access Lists
Access List Types
Access Control Entry Order
Access Control Implicit Deny
IP Addresses Used for Access Lists When You Use NAT
Adding an Extended Access List
Information About Extended Access Lists
Licensing Requirements for Extended Access Lists
Configuring Extended Access Lists
Adding an Extended Access List
Monitoring Extended Access Lists
Configuration Examples for Extended Access Lists
Configuration Examples for Extended Access Lists (No Objects)
Configuration Examples for Extended Access Lists (Using Objects)
Feature History for Extended Access Lists
Adding an EtherType Access List
Information About EtherType Access Lists
Licensing Requirements for EtherType Access Lists
Configuring EtherType Access Lists
Task Flow for Configuring EtherType Access Lists
Adding EtherType Access Lists
Monitoring EtherType Access Lists
Configuration Examples for EtherType Access Lists
Feature History for EtherType Access Lists
Adding a Standard Access List
Information About Standard Access Lists
Licensing Requirements for Standard Access Lists
Adding Standard Access Lists
Task Flow for Configuring Extended Access Lists
Adding a Standard Access List
Monitoring Access Lists
Configuration Examples for Standard Access Lists
Feature History for Standard Access Lists
Adding a Webtype Access List
Licensing Requirements for Webtype Access Lists
Using Webtype Access Lists
Task Flow for Configuring Webtype Access Lists
Adding Webtype Access Lists with a URL String
Adding Webtype Access Lists with an IP Address
Monitoring Webtype Access Lists
Configuration Examples for Webtype Access Lists
Feature History for Webtype Access Lists
Adding an IPv6 Access List
Information About IPv6 Access Lists
Licensing Requirements for IPv6 Access Lists
Prerequisites for Adding IPv6 Access Lists
Configuring IPv6 Access Lists
Task Flow for Configuring IPv6 Access Lists
Adding IPv6 Access Lists
Monitoring IPv6 Access Lists
Configuration Examples for IPv6 Access Lists
Feature History for IPv6 Access Lists
Configuring Logging for Access Lists
Configuring Logging for Access Lists
Information About Logging Access List Activity
Licensing Requirements for Access List Logging
Configuring Access List Logging
Monitoring Access Lists
Configuration Examples for Access List Logging
Feature History for Access List Logging
Managing Deny Flows
Information About Managing Deny Flows
Licensing Requirements for Managing Deny Flows
Managing Deny Flows
Monitoring Deny Flows
Feature History for Managing Deny Flows
Routing Overview
Information About Routing
Switching
Path Determination
Supported Route Types
Static Versus Dynamic
Single-Path Versus Multipath
Flat Versus Hierarchical
Link-State Versus Distance Vector
How Routing Behaves Within the ASA
Egress Interface Selection Process
Next Hop Selection Process
Supported Internet Protocols for Routing
Information About the Routing Table
Displaying the Routing Table
How the Routing Table Is Populated
Backup Routes
How Forwarding Decisions Are Made
Dynamic Routing and Failover
Information About IPv6 Support
Features That Support IPv6
IPv6-Enabled Commands
Entering IPv6 Addresses in Commands
Disabling Proxy ARPs
Configuring Static and Default Routes
Information About Static and Default Routes
Licensing Requirements for Static and Default Routes
Configuring Static and Default Routes
Configuring a Static Route
Adding or Editing a Static Route
Configuring a Default Static Route
Limitations on Configuring a Default Static Route
Configuring IPv6 Default and Static Routes
Monitoring a Static or Default Route
Configuration Examples for Static or Default Routes
Feature History for Static and Default Routes
Defining Route Maps
Information About Route Maps
Permit and Deny Clauses
Match and Set Clause Values
Licensing Requirements for Route Maps
Defining a Route Map
Customizing a Route Map
Defining a Route to Match a Specific Destination Address
Configuring the Metric Values for a Route Action
Configuration Example for Route Maps
Feature History for Route Maps
Configuring OSPF
Information About OSPF
Licensing Requirements for OSPF
Configuring OSPF
Customizing OSPF
Redistributing Routes Into OSPF
Configuring Route Summarization When Redistributing Routes Into OSPF
Configuring Route Summarization Between OSPF Areas
Configuring OSPF Interface Parameters
Configuring OSPF Area Parameters
Configuring OSPF NSSA
Defining Static OSPF Neighbors
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Restarting the OSPF Process
Configuration Example for OSPF
Monitoring OSPF
Feature History for OSPF
Configuring RIP
Information About RIP
Routing Update Process
RIP Routing Metric
RIP Stability Features
RIP Timers
Licensing Requirements for RIP
Configuring RIP
Enabling RIP
Customizing RIP
Configuring the RIP Version
Configuring Interfaces for RIP
Configuring the RIP Send and Receive Version on an Interface
Configuring Route Summarization
Filtering Networks in RIP
Redistributing Routes into the RIP Routing Process
Enabling RIP Authentication
Monitoring RIP
Configuration Example for RIP
Feature History for RIP
Configuring Multicast Routing
Information About Multicast Routing
Stub Multicast Routing
PIM Multicast Routing
Multicast Group Concept
Licensing Requirements for Multicast Routing
Enabling Multicast Routing
Customizing Multicast Routing
Configuring Stub Multicast Routing and Forwarding IGMP Messages
Configuring a Static Multicast Route
Configuring IGMP Features
Disabling IGMP on an Interface
Configuring IGMP Group Membership
Configuring a Statically Joined IGMP Group
Controlling Access to Multicast Groups
Limiting the Number of IGMP States on an Interface
Modifying the Query Messages to Multicast Groups
Changing the IGMP Version
Configuring PIM Features
Enabling and Disabling PIM on an Interface
Configuring a Static Rendezvous Point Address
Configuring the Designated Router Priority
Configuring and Filtering PIM Register Messages
Configuring PIM Message Intervals
Filtering PIM Neighbors
Configuring a Bidirectional Neighbor Filter
Configuring a Multicast Boundary
Configuration Example for Multicast Routing
Related Documents
Feature History for Multicast Routing
Configuring EIGRP
Information About EIGRP
Licensing Requirements for EIGRP
Configuring EIGRP
Enabling EIGRP
Enabling EIGRP Stub Routing
Customizing EIGRP
Defining a Network for an EIGRP Routing Process
Configuring Interfaces for EIGRP
Configuring Passive Interfaces
Configuring the Summary Aggregate Addresses on Interfaces
Changing the Interface Delay Value
Enabling EIGRP Authentication on an Interface
Defining an EIGRP Neighbor
Redistributing Routes Into EIGRP
Filtering Networks in EIGRP
Customizing the EIGRP Hello Interval and Hold Time
Disabling Automatic Route Summarization
Configuring Default Information in EIGRP
Disabling EIGRP Split Horizon
Restarting the EIGRP Process
Monitoring EIGRP
Configuration Example for EIGRP
Feature History for EIGRP
Configuring IPv6 Neighbor Discovery
Information About IPv6 Neighbor Discovery
Neighbor Solicitation Messages
Neighbor Reachable Time
Router Advertisement Messages
Static IPv6 Neighbors
Licensing Requirements for IPv6 Neighbor Discovery
Guidelines and Limitations
Default Settings for IPv6 Neighbor Discovery
Configuring the Neighbor Solicitation Message Interval
Configuring the Neighbor Reachable Time
Configuring the Router Advertisement Transmission Interval
Configuring the Router Lifetime Value
Configuring DAD Settings
Configuring IPv6 Addresses on an Interface
Suppressing Router Advertisement Messages
Configuring the IPv6 Prefix
Configuring a Static IPv6 Neighbor
Monitoring IPv6 Neighbor Discovery
Related Documents for IPv6 Prefixes
RFCs for IPv6 Prefixes and Documentation
Feature History for IPv6 Neighbor Discovery
Information About NAT
Why Use NAT?
NAT Terminology
NAT Types
NAT Types Overview
Static NAT
Information About Static NAT
Information About Static NAT with Port Translation
Information About Static NAT with Port Address Translation
Static NAT with Identity Port Translation
Static NAT with Port Translation for Non-Standard Ports
Static Interface NAT with Port Translation
Information About One-to-Many Static NAT
Information About Other Mapping Scenarios (Not Recommended)
Dynamic NAT
Information About Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Dynamic PAT
Information About Dynamic PAT
Dynamic PAT Disadvantages and Advantages
Identity NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode
NAT in Transparent Mode
NAT for VPN
How NAT is Implemented
Main Differences Between Network Object NAT and Twice NAT
Information About Network Object NAT
Information About Twice NAT
NAT Rule Order
NAT Interfaces
Routing NAT Packets
Mapped Addresses and Routing
Transparent Mode Routing Requirements for Remote Networks
Determining the Egress Interface
DNS and NAT
Configuring Network Object NAT
Information About Network Object NAT
Licensing Requirements for Network Object NAT
Prerequisites for Network Object NAT
Configuring Network Object NAT
Configuring Dynamic NAT
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Monitoring Network Object NAT
Configuration Examples for Network Object NAT
Providing Access to an Inside Web Server (Static NAT)
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
Feature History for Network Object NAT
Configuring Twice NAT
Information About Twice NAT
Licensing Requirements for Twice NAT
Prerequisites for Twice NAT
Configuring Twice NAT
Configuring Dynamic NAT
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Monitoring Twice NAT
Configuration Examples for Twice NAT
Different Translation Depending on the Destination (Dynamic PAT)
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Feature History for Twice NAT
Configuring a Service Policy Using the Modular Policy Framework
Information About Service Policies
Supported Features for Through Traffic
Supported Features for Management Traffic
Feature Directionality
Feature Matching Within a Service Policy
Order in Which Multiple Feature Actions are Applied
Incompatibility of Certain Feature Actions
Feature Matching for Multiple Service Policies
Licensing Requirements for Service Policies
Default Configuration
Default Class Maps
Task Flows for Configuring Service Policies
Task Flow for Using the Modular Policy Framework
Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
Identifying Traffic (Layer 3/4 Class Maps)
Creating a Layer 3/4 Class Map for Through Traffic
Creating a Layer 3/4 Class Map for Management Traffic
Defining Actions (Layer 3/4 Policy Map)
Applying Actions to an Interface (Service Policy)
Monitoring Modular Policy Framework
Configuration Examples for Modular Policy Framework
Applying Inspection and QoS Policing to HTTP Traffic
Applying Inspection to HTTP Traffic Globally
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
Applying Inspection to HTTP Traffic with NAT
Feature History for Service Policies
Configuring Special Actions for Application Inspections (Inspection Policy Map)
Information About Inspection Policy Maps
Default Inspection Policy Maps
Defining Actions in an Inspection Policy Map
Identifying Traffic in an Inspection Class Map
Configuring Access Rules
Information About Access Rules
General Information About Rules
Implicit Permits
Information About Interface Access Rules and Global Access Rules
Using Access Rules and EtherType Rules on the Same Interface
Implicit Deny
Inbound and Outbound Rules
Information About Extended Access Rules
Access Rules for Returning Traffic
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
Management Access Rules
Information About EtherType Rules
Supported EtherTypes and Other Traffic
Access Rules for Returning Traffic
Allowing MPLS
Licensing Requirements for Access Rules
Prerequisites
Configuring Access Rules
Monitoring Access Rules
Configuration Examples for Permitting or Denying Network Access
Feature History for Access Rules
Configuring AAA Servers and the Local Database
Information About AAA
Information About Authentication
Information About Authorization
Information About Accounting
Summary of Server Support
RADIUS Server Support
Authentication Methods
Attribute Support
RADIUS Authorization Functions
TACACS+ Server Support
RSA/SDI Server Support
RSA/SDI Version Support
Two-step Authentication Process
RSA/SDI Primary and Replica Servers
NT Server Support
Kerberos Server Support
LDAP Server Support
Authentication with LDAP
LDAP Server Types
HTTP Forms Authentication for Clientless SSL VPN
Local Database Support, Including as a Fallback Method
How Fallback Works with Multiple Servers in a Group
Using Certificates and User Login Credentials
Using User Login Credentials
Using Certificates
Licensing Requirements for AAA Servers
Configuring AAA
Task Flow for Configuring AAA
Configuring AAA Server Groups
Configuring Authorization with LDAP for VPN
Configuring LDAP Attribute Maps
Adding a User Account to the Local Database
Guidelines
Managing User Passwords
Authenticating Users with a Public Key for SSH
Differentiating User Roles Using AAA
Using Local Authentication
Using RADIUS Authentication
Using LDAP Authentication
Using TACACS+ Authentication
Monitoring AAA Servers
Feature History for AAA Servers
Configuring the Identity Firewall
Information About the Identity Firewall
Overview of the Identity Firewall
Architecture for Identity Firewall Deployments
Features of the Identity Firewall
Deployment Scenarios
Figure 36-2 Deployment Scenario without Redundancy
No Redundancy
Figure 36-3 Deployment Scenario with Redundant Components
Cut-through Proxy and VPN Authentication
Licensing for the Identity Firewall
Prerequisites
Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Configuring the Active Directory Domain
Configuring Active Directory Agents
Configuring Identity Options
Configuring Identity-based Access Rules
Configuring Cut-through Proxy Authentication
Configuring VPN Authentication
Monitoring the Identity Firewall
Monitoring AD Agents
Monitoring Groups
Monitoring Memory Usage for the Identity Firewall
Monitoring Users for the Identity Firewall
Feature History for the Identity Firewall
Configuring Management Access
Configuring ASA Access for ASDM, Telnet, or SSH
Licensing Requirements for ASA Access for ASDM, Telnet, or SSH
Configuring Telnet Access
Using a Telnet Client
Configuring SSH Access
Using an SSH Client
Configuring HTTPS Access for ASDM
Configuring CLI Parameters
Licensing Requirements for CLI Parameters
Configuring a Login Banner
Customizing a CLI Prompt
Changing the Console Timeout
Configuring ICMP Access
Information About ICMP Access
Licensing Requirements for ICMP Access
Configuring ICMP Access
Configuring Management Access Over a VPN Tunnel
Licensing Requirements for a Management Interface
Configuring a Management Interface
Configuring AAA for System Administrators
Information About AAA for System Administrators
Information About Management Authentication
Comparing CLI Access with and without Authentication
Comparing ASDM Access with and without Authentication
Information About Command Authorization
Supported Command Authorization Methods
About Preserving User Credentials
Security Contexts and Command Authorization
Licensing Requirements for AAA for System Administrators
Prerequisites
Configuring Authentication for CLI and ASDM Access
Configuring Authentication to Access Privileged EXEC Mode (the enable Command)
Configuring Authentication for the enable Command
Authenticating Users with the login Command
Limiting User CLI and ASDM Access with Management Authorization
Configuring Command Authorization
Configuring Local Command Authorization
Viewing Local Command Privilege Levels
Configuring Commands on the TACACS+ Server
Configuring TACACS+ Command Authorization
Configuring Management Access Accounting
Viewing the Currently Logged-In User
Recovering from a Lockout
Setting a Management Session Quota
Feature History for Management Access
Configuring AAA Rules for Network Access
AAA Performance
Licensing Requirements for AAA Rules
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
Applications Required to Receive an Authentication Challenge
ASA Authentication Prompts
Static PAT and HTTP
Configuring Network Access Authentication
Enabling Secure Authentication of Web Clients
Authenticating Directly with the ASA
Authenticating HTTP(S) Connections with a Virtual Server
Authenticating Telnet Connections with a Virtual Server
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send Downloadable Access Control Lists
About the Downloadable Access List Feature and Cisco Secure ACS
Configuring Cisco Secure ACS for Downloadable Access Lists
Configuring Any RADIUS Server for Downloadable Access Lists
Converting Wildcard Netmask Expressions in Downloadable Access Lists
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Feature History for AAA Rules
Configuring Filtering Services
Information About Web Traffic Filtering
Configuring ActiveX Filtering
Information About ActiveX Filtering
Licensing Requirements for ActiveX Filtering
Guidelines and Limitations for ActiveX Filtering
Configuring ActiveX Filtering
Configuration Examples for ActiveX Filtering
Feature History for ActiveX Filtering
Configuring Java Applet Filtering
Information About Java Applet Filtering
Licensing Requirements for Java Applet Filtering
Guidelines and Limitations for Java Applet Filtering
Configuring Java Applet Filtering
Configuration Examples for Java Applet Filtering
Feature History for Java Applet Filtering
Filtering URLs and FTP Requests with an External Server
Information About URL Filtering
Licensing Requirements for URL Filtering
Guidelines and Limitations for URL Filtering
Identifying the Filtering Server
Configuring Additional URL Filtering Settings
Buffering the Content Server Response
Caching Server Addresses
Filtering HTTP URLs
Enabling HTTP Filtering
Enabling Filtering of Long HTTP URLs
Truncating Long HTTP URLs
Exempting Traffic from Filtering
Filtering HTTPS URLs
Filtering FTP Requests
Monitoring Filtering Statistics
Feature History for URL Filtering
Configuring Web Cache Services Using WCCP
Information About WCCP
Licensing Requirements for WCCP
Enabling WCCP Redirection
WCCP Monitoring Commands
Feature History for WCCP
Configuring Digital Certificates
Information About Digital Certificates
Public Key Cryptography
Certificate Scalability
Key Pairs
Trustpoints
Certificate Enrollment
Proxy for SCEP Requests
Revocation Checking
Supported CA Servers
CRLs
OCSP
The Local CA
Storage for Local CA Files
The Local CA Server
Licensing Requirements for Digital Certificates
Prerequisites for Local Certificates
Prerequisites for SCEP Proxy Support
Configuring Digital Certificates
Configuring Key Pairs
Removing Key Pairs
Configuring Trustpoints
Configuring CRLs for a Trustpoint
Exporting a Trustpoint Configuration
Importing a Trustpoint Configuration
Configuring CA Certificate Map Rules
Obtaining Certificates Manually
Obtaining Certificates Automatically with SCEP
Configuring Proxy Support for SCEP Requests
Enabling the Local CA Server
Configuring the Local CA Server
Customizing the Local CA Server
Debugging the Local CA Server
Disabling the Local CA Server
Deleting the Local CA Server
Configuring Local CA Certificate Characteristics
Configuring the Issuer Name
Configuring the CA Certificate Lifetime
Configuring the User Certificate Lifetime
Configuring the CRL Lifetime
Configuring the Server Keysize
Setting Up External Local CA File Storage
Downloading CRLs
Storing CRLs
Setting Up Enrollment Parameters
Adding and Enrolling Users
Renewing Users
Restoring Users
Removing Users
Revoking Certificates
Maintaining the Local CA Certificate Database
Rolling Over Local CA Certificates
Archiving the Local CA Server Certificate and Keypair
Monitoring Digital Certificates
Feature History for Certificate Management
Getting Started with Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
Configuring Application Layer Protocol Inspection
Configuring Inspection of Basic Internet Protocols
DNS Inspection
How DNS Application Inspection Works
How DNS Rewrite Works
Configuring DNS Rewrite
Configuring DNS Rewrite with Two NAT Zones
Overview of DNS Rewrite with Three NAT Zones
Configuring DNS Rewrite with Three NAT Zones
Configuring a DNS Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring DNS Inspection
FTP Inspection
FTP Inspection Overview
Using the strict Option
Configuring an FTP Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring FTP Inspection
HTTP Inspection
HTTP Inspection Overview
Configuring an HTTP Inspection Policy Map for Additional Inspection Control
ICMP Inspection
ICMP Error Inspection
Instant Messaging Inspection
IM Inspection Overview
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
IP Options Inspection
IP Options Inspection Overview
Configuring an IP Options Inspection Policy Map for Additional Inspection Control
IPsec Pass Through Inspection
IPsec Pass Through Inspection Overview
Example for Defining an IPsec Pass Through Parameter Map
IPv6 Inspection
Configuring an IPv6 Inspection Policy Map
NetBIOS Inspection
NetBIOS Inspection Overview
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control
PPTP Inspection
SMTP and Extended SMTP Inspection
SMTP and ESMTP Inspection Overview
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
TFTP Inspection
Configuring Inspection for Voice and Video Protocols
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
Verifying and Monitoring CTIQBE Inspection
H.323 Inspection
H.323 Inspection Overview
How H.323 Works
H.239 Support in H.245 Messages
Limitations and Restrictions
Configuring an H.323 Inspection Policy Map for Additional Inspection Control
Configuring H.323 and H.225 Timeout Values
Verifying and Monitoring H.323 Inspection
Monitoring H.225 Sessions
Monitoring H.245 Sessions
Monitoring H.323 RAS Sessions
MGCP Inspection
MGCP Inspection Overview
Configuring an MGCP Inspection Policy Map for Additional Inspection Control
Configuring MGCP Timeout Values
Verifying and Monitoring MGCP Inspection
RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
Configuring an RTSP Inspection Policy Map for Additional Inspection Control
SIP Inspection
SIP Inspection Overview
SIP Instant Messaging
Configuring a SIP Inspection Policy Map for Additional Inspection Control
Configuring SIP Timeout Values
Verifying and Monitoring SIP Inspection
Skinny (SCCP) Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Restrictions and Limitations
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring SCCP Inspection
Configuring Inspection of Database and Directory Protocols
ILS Inspection
SQL*Net Inspection
Sun RPC Inspection
Sun RPC Inspection Overview
Managing Sun RPC Services
Verifying and Monitoring Sun RPC Inspection
Configuring Inspection for Management Application Protocols
DCERPC Inspection
DCERPC Overview
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
GTP Inspection
GTP Inspection Overview
Configuring a GTP Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring GTP Inspection
RADIUS Accounting Inspection
RADIUS Accounting Inspection Overview
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control
RSH Inspection
SNMP Inspection
SNMP Inspection Overview
Configuring an SNMP Inspection Policy Map for Additional Inspection Control
XDMCP Inspection
Information About Cisco Unified Communications Proxy Features
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications
Licensing for Cisco Unified Communications Proxy Features
Configuring the Cisco Phone Proxy
Information About the Cisco Phone Proxy
Phone Proxy Functionality
Supported Cisco UCM and IP Phones for the Phone Proxy
Licensing Requirements for the Phone Proxy
Prerequisites for the Phone Proxy
Media Termination Instance Prerequisites
Certificates from the Cisco UCM
DNS Lookup Prerequisites
Cisco Unified Communications Manager Prerequisites
Access List Rules
NAT and PAT Prerequisites
Prerequisites for IP Phones on Multiple Interfaces
7960 and 7940 IP Phones Support
Cisco IP Communicator Prerequisites
Prerequisites for Rate Limiting TFTP Requests
Rate Limiting Configuration Example
About ICMP Traffic Destined for the Media Termination Address
End-User Phone Provisioning
Ways to Deploy IP Phones to End Users
Phone Proxy Guidelines and Limitations
General Guidelines and Limitations
Media Termination Address Guidelines and Limitations
Configuring the Phone Proxy
Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
Importing Certificates from the Cisco UCM
Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
Creating the CTL File
Using an Existing CTL File
Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
Creating the Media Termination Instance
Creating the Phone Proxy Instance
Enabling the Phone Proxy with SIP and Skinny Inspection
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
Configuring Your Router
Troubleshooting the Phone Proxy
Debugging Information from the Security Appliance
Debugging Information from IP Phones
IP Phone Registration Failure
TFTP Auth Error Displays on IP Phone Console
Configuration File Parsing Error
Configuration File Parsing Error: Unable to Get DNS Response
Non-configuration File Parsing Error
Cisco UCM Does Not Respond to TFTP Request for Configuration File
IP Phone Does Not Respond After the Security Appliance Sends TFTP Data
IP Phone Requesting Unsigned File Error
IP Phone Unable to Download CTL File
IP Phone Registration Failure from Signaling Connections
SSL Handshake Failure
Certificate Validation Errors
Media Termination Address Errors
Audio Problems with IP Phones
Media Failure for a Voice Call
Saving SAST Keys
Configuration Examples for the Phone Proxy
Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
Example 6: VLAN Transversal
Feature History for the Phone Proxy
Configuring the TLS Proxy for Encrypted Voice Inspection
Information about the TLS Proxy for Encrypted Voice Inspection
Decryption and Inspection of Unified Communications Encrypted Signaling
CTL Client Overview
Licensing for the TLS Proxy
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
Creating an Internal CA
Creating a CTL Provider Instance
Enabling the TLS Proxy Instance for Skinny or SIP Inspection
Monitoring the TLS Proxy
Feature History for the TLS Proxy for Encrypted Voice Inspection
Table 49-2 lists the release history for this feature.
Table 49-2 Feature History for Cisco Phone Proxy
Feature Name | Releases | Feature Information
TLS Proxy | 8.0(2) | The TLS proxy feature was introduced.
Configuring Cisco Mobility Advantage
Information about the Cisco Mobility Advantage Proxy Feature
Cisco Mobility Advantage Proxy Functionality
Mobility Advantage Proxy Deployment Scenarios
Mobility Advantage Proxy Using NAT/PAT
Trust Relationships for Cisco UMA Deployments
Licensing for the Cisco Mobility Advantage Proxy Feature
Configuring Cisco Mobility Advantage
Task Flow for Configuring Cisco Mobility Advantage
Installing the Cisco UMA Server Certificate
Enabling the TLS Proxy for MMP Inspection
Monitoring for Cisco Mobility Advantage
Configuration Examples for Cisco Mobility Advantage
Example 2: Cisco UMC/Cisco UMA Architecture Security Appliance as TLS Proxy Only
Feature History for Cisco Mobility Advantage
Configuring Cisco Unified Presence
Information About Cisco Unified Presence
Architecture for Cisco Unified Presence for SIP Federation Deployments
Trust Relationship in the Presence Federation
Security Certificate Exchange Between Cisco UP and the Security Appliance
XMPP Federation Deployments
Configuration Requirements for XMPP Federation
Licensing for Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
Installing Certificates
Enabling the TLS Proxy for SIP Inspection
Monitoring Cisco Unified Presence
Configuration Example for Cisco Unified Presence
Example Configuration for SIP Federation Deployments
Example Access List Configuration for XMPP Federation
Example NAT Configuration for XMPP Federation
Feature History for Cisco Unified Presence
Configuring Cisco Intercompany Media Engine Proxy
Information About Cisco Intercompany Media Engine Proxy
Features of Cisco Intercompany Media Engine Proxy
How the UC-IME Works with the PSTN and the Internet
Tickets and Passwords
Call Fallback to the PSTN
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine
Architecture
Basic Deployment
Off Path Deployment
Licensing for Cisco Intercompany Media Engine
Configuring Cisco Intercompany Media Engine Proxy
Task Flow for Configuring Cisco Intercompany Media Engine
Configuring NAT for Cisco Intercompany Media Engine Proxy
Configuring PAT for the Cisco UCM Server
Creating Access Lists for Cisco Intercompany Media Engine Proxy
Creating the Media Termination Instance
Creating the Cisco Intercompany Media Engine Proxy
Creating the TLS Proxy
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
(Optional) Configuring TLS within the Local Enterprise
(Optional) Configuring Off Path Signaling
Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane
Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard
Troubleshooting Cisco Intercompany Media Engine Proxy
Feature History for Cisco Intercompany Media Engine Proxy
Configuring Connection Settings
Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
Dead Connection Detection (DCD)
TCP Sequence Randomization
TCP Normalization
TCP State Bypass
Licensing Requirements for Connection Settings
TCP State Bypass Guidelines and Limitations
Configuring Connection Settings
Task Flow For Configuring Configuration Settings (Except Global Timeouts)
Customizing the TCP Normalizer with a TCP Map
Configuring Connection Settings
Monitoring Connection Settings
Monitoring TCP State Bypass
Configuration Examples for Connection Settings
Configuration Examples for Connection Limits and Timeouts
Configuration Examples for TCP State Bypass
Configuration Examples for TCP Normalization
Feature History for Connection Settings
Configuring QoS
Information About QoS
Supported QoS Features
What is a Token Bucket?
Information About Policing
Information About Priority Queuing
Information About Traffic Shaping
How QoS Features Interact
DSCP and DiffServ Preservation
Licensing Requirements for QoS
Configuring QoS
Determining the Queue and TX Ring Limits for a Standard Priority Queue
Configuring the Standard Priority Queue for an Interface
Configuring a Service Rule for Standard Priority Queuing and Policing
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
(Optional) Configuring the Hierarchical Priority Queuing Policy
Configuring the Service Rule
Monitoring QoS
Viewing QoS Police Statistics
Viewing QoS Standard Priority Statistics
Viewing QoS Shaping Statistics
Viewing QoS Standard Priority Queue Statistics
Feature History for QoS
Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Types
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Databases
Information About the Dynamic Database
How the ASA Uses the Dynamic Database
Information About the Static Database
Information About the DNS Reverse Lookup Cache and DNS Host Cache
How the Botnet Traffic Filter Works
Figure 55-2 shows how the Botnet Traffic Filter works with the static database.
Licensing Requirements for the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling DNS Snooping
Default DNS Inspection Configuration and Recommended Configuration
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Recommended Configuration
Blocking Botnet Traffic Manually
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Commands
Configuration Examples for the Botnet Traffic Filter
Recommended Configuration Example
Example 55-2 Multiple Mode Botnet Traffic Filter Recommended Example
Other Configuration Examples
To shun connections, see the Blocking Unwanted Connections section on page 57-2.
Feature History for the Botnet Traffic Filter
Configuring Threat Detection
Information About Threat Detection
Licensing Requirements for Threat Detection
Configuring Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Configuring Basic Threat Detection Statistics
Monitoring Basic Threat Detection Statistics
Feature History for Basic Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Monitoring Advanced Threat Detection Statistics
Feature History for Advanced Threat Detection Statistics
Configuring Scanning Threat Detection
Information About Scanning Threat Detection
Configuring Scanning Threat Detection
Monitoring Shunned Hosts, Attackers, and Targets
Feature History for Scanning Threat Detection
Configuration Examples for Threat Detection
Using Protection Tools
Preventing IP Spoofing
Configuring the Fragment Size
Blocking Unwanted Connections
Configuring IP Audit for Basic IPS Support
Configuring IP Audit
IP Audit Signature List
Configuring the ASA IPS Module
Information About the ASA IPS module
How the ASA IPS module Works with the ASA
Operating Modes
Using Virtual Sensors (ASA 5510 and Higher)
Information About Management Access
Licensing Requirements for the ASA IPS module
Configuring the ASA IPS module
Task Flow for the ASA IPS Module
Connecting Management Interface Cables
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Physical Module): Default ASA IP 192.168.1.1, IPS IP 192.168.1.2, Default IPS Gateway 192.168.1.1 (ASA)
Sessioning to the Module from the ASA
Configuring Basic IPS Module Network Settings
(ASA 5510 and Higher) Configuring Basic Network Settings
(ASA 5505) Configuring Basic Network Settings
(ASA 5512-X through ASA 5555-X) Installing the Software Module
Configuring the Security Policy on the ASA IPS module
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
Diverting Traffic to the ASA IPS module
Monitoring the ASA IPS module
Troubleshooting the ASA IPS module
Installing an Image on the Module
Uninstalling a Software Module Image
Configuration Examples for the ASA IPS module
Feature History for the ASA IPS module
Configuring the ASA CX Module
Information About the ASA CX Module
How the ASA CX Module Works with the ASA
Information About ASA CX Management
Initial Configuration
Policy Configuration and Management
Information About Authentication Proxy
Information About VPN and the ASA CX Module
Compatibility with ASA Features
Licensing Requirements for the ASA CX Module
Configuring the ASA CX Module
Task Flow for the ASA CX Module
Connecting Management Interface Cables
Configuring the ASA CX Management IP Address
Configuring Basic ASA CX Settings at the ASA CX CLI
Configuring the Security Policy on the ASA CX Module Using PRSM
(Optional) Configuring the Authentication Proxy Port
Redirecting Traffic to the ASA CX Module
Monitoring the ASA CX Module
Showing Module Status
Showing Module Statistics
Monitoring Module Connections
Capturing Module Traffic
Troubleshooting the ASA CX Module
General Recovery Procedures
Debugging the Module
Problems with the Authentication Proxy
3. In the packet captures, the redirect request should be going to destination port 2000.
Configuration Examples for the ASA CX Module
Feature History for the ASA CX Module
Configuring the ASA CSC Module
Information About the CSC SSM
Determining What Traffic to Scan
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
Configuring the CSC SSM
Before Configuring the CSC SSM
Connecting to the CSC SSM
Diverting Traffic to the CSC SSM
Monitoring the CSC SSM
Troubleshooting the CSC Module
Installing an Image on the Module
Configuration Examples for the CSC SSM
Feature History for the CSC SSM
Information About High Availability
Introduction to Failover and High Availability
Failover System Requirements
Hardware Requirements
Software Requirements
License Requirements
Failover and Stateful Failover Links
Failover Link
Stateful Failover Link
Failover Interface Speed for Stateful Links
Avoiding Interrupted Failover Links
Scenario 3 (Recommended)
Scenario 4 (Recommended)
Active/Active and Active/Standby Failover
Determining Which Type of Failover to Use
Stateless (Regular) and Stateful Failover
Stateless (Regular) Failover
Stateful Failover
Transparent Firewall Mode Requirements
Auto Update Server Support in Failover Configurations
Auto Update Process Overview
Monitoring the Auto Update Process
Failover Health Monitoring
Unit Health Monitoring
Interface Monitoring
Failover Times
Failover Messages
Failover System Messages
Debug Messages
SNMP
Configuring Active/Standby Failover
Information About Active/Standby Failover
Active/Standby Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Optional Active/Standby Failover Settings
Licensing Requirements for Active/Standby Failover
Prerequisites for Active/Standby Failover
Configuring Active/Standby Failover
Task Flow for Configuring Active/Standby Failover
Configuring the Primary Unit
Configuring the Secondary Unit
Configuring Optional Active/Standby Failover Settings
Enabling HTTP Replication with Stateful Failover
Disabling and Enabling Interface Monitoring
Configuring Failover Criteria
Configuring the Unit and Interface Health Poll Times
Configuring Virtual MAC Addresses
Controlling Failover
Forcing Failover
Disabling Failover
Restoring a Failed Unit
Testing the Failover Functionality
Monitoring Active/Standby Failover
Feature History for Active/Standby Failover
Configuring Active/Active Failover
Information About Active/Active Failover
Active/Active Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Optional Active/Active Failover Settings
Licensing Requirements for Active/Active Failover
Prerequisites for Active/Active Failover
Configuring Active/Active Failover
Task Flow for Configuring Active/Active Failover
Configuring the Primary Failover Unit
Configuring the Secondary Failover Unit
Configuring Optional Active/Active Failover Settings
Configuring Failover Group Preemption
Enabling HTTP Replication with Stateful Failover
Disabling and Enabling Interface Monitoring
Configuring Interface Health Monitoring
Configuring Failover Criteria
Configuring Virtual MAC Addresses
Configuring Support for Asymmetrically Routed Packets
Example 63-2 admin Context Configuration
Example 63-3 ctx1 Context Configuration
Figure 63-1 shows the ASR support working as follows:
Remote Command Execution
Changing Command Modes
Security Considerations
Limitations of Remote Command Execution
Controlling Failover
Forcing Failover
Disabling Failover
Restoring a Failed Unit or Failover Group
Testing the Failover Functionality
Monitoring Active/Active Failover
Feature History for Active/Active Failover
Configuring IPsec and ISAKMP
Information About Tunneling, IPsec, and ISAKMP
IPsec Overview
ISAKMP and IKE Overview
Licensing Requirements for Remote Access IPsec VPNs
Configuring ISAKMP
Configuring IKEv1 and IKEv2 Policies
Enabling IKE on the Outside Interface
Disabling IKEv1 Aggressive Mode
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
Enabling IPsec over NAT-T
Using NAT-T
Enabling IPsec with IKEv1 over TCP
Waiting for Active Sessions to Terminate Before Rebooting
Alerting Peers Before Disconnecting
Configuring Certificate Group Matching for IKEv1
Creating a Certificate Group Matching Rule and Policy
Using the Tunnel-group-map default-group Command
Configuring IPsec
Understanding IPsec Tunnels
Understanding IKEv1 Transform Sets and IKEv2 Proposals
Defining Crypto Maps
Applying Crypto Maps to Interfaces
Using Interface Access Lists
Changing IPsec SA Lifetimes
Creating a Basic IPsec Configuration
Using Dynamic Crypto Maps
Providing Site-to-Site Redundancy
Viewing an IPsec Configuration
Clearing Security Associations
Clearing Crypto Map Configurations
Supporting the Nokia VPN Client
Configuring L2TP over IPsec
Information About L2TP over IPsec/IKEv1
IPsec Transport and Tunnel Modes
Tunnel mode
Transport mode
Licensing Requirements for L2TP over IPsec
Prerequisites for Configuring L2TP over IPsec
Configuring L2TP over IPsec
Detailed CLI Configuration Steps
Creating IKE Policies to Respond to Windows 7 Proposals
Configuration Example for L2TP over IPsec Using ASA 8.2.5
Configuration Example for L2TP over IPsec Using ASA 8.4.1 and later
Feature History for L2TP over IPsec
Setting General VPN Parameters
Configuring VPNs in Single, Routed Mode
Configuring IPsec to Bypass ACLs
Permitting Intra-Interface Traffic (Hairpinning)
NAT Considerations for Intra-Interface Traffic
Setting Maximum Active IPsec or SSL VPN Sessions
Using Client Update to Ensure Acceptable IPsec Client Revision Levels
Understanding Load Balancing
Comparing Load Balancing to Failover
Load Balancing
Failover
Implementing Load Balancing
Prerequisites
Eligible Platforms
Eligible Clients
VPN Load-Balancing Algorithm
VPN Load-Balancing Cluster Configurations
Some Typical Mixed Cluster Scenarios
Scenario 1: Mixed Cluster with No SSL VPN Connections
Scenario 2: Mixed Cluster Handling SSL VPN Connections
Configuring Load Balancing
Configuring the Public and Private Interfaces for Load Balancing
Configuring the Load Balancing Cluster Attributes
Enabling Redirection Using a Fully Qualified Domain Name
Frequently Asked Questions About Load Balancing
IP Address Pool Exhaustion
Unique IP Address Pools
Using Load Balancing and Failover on the Same Device
Load Balancing on Multiple Interfaces
Viewing Load Balancing
Configuring VPN Session Limits
Configuring Connection Profiles, Group Policies, and Users
Overview of Connection Profiles, Group Policies, and Users
Connection Profiles
General Connection Profile Connection Parameters
IPsec Tunnel-Group Connection Parameters
Connection Profile Connection Parameters for SSL VPN Sessions
Configuring Connection Profiles
Maximum Connection Profiles
Default IPsec Remote Access Connection Profile Configuration
Configuring IPsec Tunnel-Group General Attributes
Configuring Remote-Access Connection Profiles
Specifying a Name and Type for the Remote Access Connection Profile
Configuring Remote-Access Connection Profile General Attributes
Configuring Double Authentication
Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes
Configuring IPsec Remote-Access Connection Profile PPP Attributes
Configuring LAN-to-LAN Connection Profiles
Default LAN-to-LAN Connection Profile Configuration
Specifying a Name and Type for a LAN-to-LAN Connection Profile
Configuring LAN-to-LAN Connection Profile General Attributes
Configuring LAN-to-LAN IPsec IKEv1 Attributes
Configuring Connection Profiles for Clientless SSL VPN Sessions
Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions
Customizing Login Windows for Users of Clientless SSL VPN Sessions
Configuring Microsoft Active Directory Settings for Password Management
Using Active Directory to Force the User to Change Password at Next Logon
Using Active Directory to Specify Maximum Password Age
Using Active Directory to Override an Account Disabled AAA Indicator
Using Active Directory to Enforce Minimum Password Length
Using Active Directory to Enforce Password Complexity
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client
AnyConnect Client and RADIUS/SDI Server Interaction
Configuring the Security Appliance to Support RADIUS/SDI Messages
Group Policies
Default Group Policy
Configuring Group Policies
Configuring an External Group Policy
Configuring an Internal Group Policy
Configuring Group Policy Attributes
Configuring WINS and DNS Servers
Configuring VPN-Specific Attributes
Configuring Security Attributes
Configuring the Banner Message
Configuring IPsec-UDP Attributes for IKEv1
Configuring Split-Tunneling Attributes
Differences in Client Split Tunneling Behavior for Traffic within the Subnet
Setting the Split-Tunneling Policy
Creating a Network List for Split-Tunneling
Configuring Domain Attributes for Tunneling
Defining a Default Domain Name for Tunneled Packets
Defining a List of Domains for Split Tunneling
Configuring DHCP Intercept
Configuring Attributes for VPN Hardware Clients
Configuring Secure Unit Authentication
Configuring User Authentication
Configuring an Idle Timeout
Configuring IP Phone Bypass
Configuring LEAP Bypass
Enabling Network Extension Mode
Configuring Backup Server Attributes
Configuring Browser Client Parameters
Configuring Network Admission Control Parameters
Configuring Address Pools
Configuring Firewall Policies
Supporting a Zone Labs Integrity Server
Overview of the Integrity Server and ASA Interaction
Configuring Integrity Server Support
Setting Client Firewall Parameters
Cisco Integrated Firewall
Cisco Security Agent
No Firewall
Custom Firewall
Zone Labs Firewalls
Sygate Personal Firewalls
Network Ice, Black Ice Firewall
Configuring Client Access Rules
Configuring Group-Policy Attributes for Clientless SSL VPN Sessions
Applying Customization
Specifying a Deny Message
Configuring Group-Policy Filter Attributes for Clientless SSL VPN Sessions
Specifying the User Home Page
Configuring Auto-Signon
Specifying the Access List for Clientless SSL VPN Sessions
Applying a URL List
Enabling ActiveX Relay for a Group Policy
Enabling Application Access on Clientless SSL VPN Sessions for a Group Policy
Configuring the Port-Forwarding Display Name
Configuring the Maximum Object Size to Ignore for Updating the Session Timer
Specifying HTTP Compression
Specifying the SSO Server
Configuring Group-Policy Attributes for AnyConnect Secure Mobility Client Connections
Configuring User Attributes
Viewing the Username Configuration
Configuring Attributes for Specific Users
Setting a User Password and Privilege Level
Configuring User Attributes
Configuring VPN User Attributes
Configuring Inheritance
Configuring Access Hours
Configuring Maximum Simultaneous Logins
Configuring the Idle Timeout
Configuring the Maximum Connect Time
Applying an ACL Filter
Specifying the IP Address and Netmask
Specifying the Tunnel Protocol
Restricting Remote User Access
Enabling Password Storage for Software Client Users
Configuring Clientless SSL VPN Access for Specific Users
Specifying the Content/Objects to Filter from the HTML
Specifying the User Home Page
Applying Customization
Specifying a Deny Message
Specifying the Access List for Clientless SSL VPN Sessions
Applying a URL List
Enabling ActiveX Relay for a User
Enabling Application Access for Clientless SSL VPN Sessions
Configuring the Port-Forwarding Display Name
Configuring the Maximum Object Size to Ignore for Updating the Session Timer
Configuring Auto-Signon
Specifying HTTP Compression
Specifying the SSO Server
Configuring IP Addresses for VPNs
Configuring an IP Address Assignment Method
Configuring Local IP Address Pools
Configuring AAA Addressing
Configuring DHCP Addressing
Configuring Remote Access IPsec VPNs
Information About Remote Access IPsec VPNs
Licensing Requirements for Remote Access IPsec VPNs
Configuring Remote Access IPsec VPNs
Configuring Interfaces
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
Configuring an Address Pool
Adding a User
Creating an IKEv1 Transform Set or IKEv2 Proposal
Defining a Tunnel Group
Creating a Dynamic Crypto Map
Creating a Crypto Map Entry to Use the Dynamic Crypto Map
Saving the Security Appliance Configuration
Configuration Examples for Remote Access IPsec VPNs
Feature History for Remote Access VPNs
Table 69-1 lists the release history for this feature.
Table 69-1 Feature History for Feature-1
Configuring Network Admission Control
Information about Network Admission Control
Licensing Requirements
Prerequisites for NAC
Viewing the NAC Policies on the Security Appliance
Detailed Steps
Adding, Accessing, or Removing a NAC Policy
Configuring a NAC Policy
Specifying the Access Control Server Group
Setting the Query-for-Posture-Changes Timer
Setting the Revalidation Timer
Configuring the Default ACL for NAC
Configuring Exemptions from NAC
Assigning a NAC Policy to a Group Policy
Changing Global NAC Framework Settings
Changing Clientless Authentication Settings
Enabling and Disabling Clientless Authentication
Changing the Login Credentials Used for Clientless Authentication
Changing NAC Framework Session Attributes
Configuring Easy VPN Services on the ASA 5505
Specifying the Client/Server Role of the Cisco ASA 5505
Specifying the Primary and Secondary Servers
Specifying the Mode
NEM with Multiple Interfaces
Configuring Automatic Xauth Authentication
Configuring IPsec Over TCP
Comparing Tunneling Options
Specifying the Tunnel Group or Trustpoint
Specifying the Tunnel Group
Specifying the Trustpoint
Configuring Split Tunneling
Configuring Device Pass-Through
Configuring Remote Management
Guidelines for Configuring the Easy VPN Server
Group Policy and User Attributes Pushed to the Client
Authentication Options
Configuring the PPPoE Client
PPPoE Client Overview
Configuring the PPPoE Client Username and Password
Enabling PPPoE
Using PPPoE with a Fixed IP Address
Monitoring and Debugging the PPPoE Client
Clearing the Configuration
Using Related Commands
Configuring LAN-to-LAN IPsec VPNs
Summary of the Configuration
Configuring Interfaces
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
Configuring ISAKMP Policies for IKEv1 Connections
Configuring ISAKMP Policies for IKEv2 Connections
Creating an IKEv1 Transform Set
Creating an IKEv2 Proposal
Configuring an ACL
Defining a Tunnel Group
Creating a Crypto Map and Applying It To an Interface
Applying Crypto Maps to Interfaces
Configuring Clientless SSL VPN
Information About Clientless SSL VPN
Licensing Requirements
Prerequisites for Clientless SSL VPN
Observing Clientless SSL VPN Security Precautions
Disabling URL on the Portal Page
Using SSL to Access the Central Site
Using HTTPS for Clientless SSL VPN Sessions
Configuring Clientless SSL VPN and ASDM Ports
Configuring Support for Proxy Servers
Configuring SSL/TLS Encryption Protocols
Authenticating with Digital Certificates
Enabling Cookies on Browsers for Clientless SSL VPN
Configuring Application Helper
Managing Passwords
Using Single Sign-on with Clientless SSL VPN
Configuring SSO with HTTP Basic or NTLM Authentication
Configuring SSO Authentication Using SiteMinder
Adding the Cisco Authentication Scheme to SiteMinder
Configuring SSO Authentication Using SAML Browser Post Profile
Configuring the SAML POST SSO Server
Configuring SSO with the HTTP Form Protocol
Gathering HTTP Form Data
Configuring SSO for Plug-ins
Configuring SSO with Macro Substitution
Encoding
Authenticating with Digital Certificates
Creating and Applying Clientless SSL VPN Policies for Accessing Resources
Assigning Users to Group Policies
Using the Security Appliance Authentication Server
Using a RADIUS Server
Using an LDAP Server
Configuring Connection Profile Attributes for Clientless SSL VPN
Configuring Group Policy and User Attributes for Clientless SSL VPN
Configuring Browser Access to Plug-ins
Preparing the Security Appliance for a Plug-in
Installing Plug-ins Redistributed By Cisco
Providing Access to Third-Party Plug-ins
Configuring and Applying the POST URL
Providing Access to a Citrix Java Presentation Server
Preparing the Citrix MetaFrame Server for Clientless SSL VPN Access
Creating and Installing the Citrix Plug-in
Viewing the Plug-ins Installed on the Security Appliance
Why a Microsoft Kerberos Constrained Delegation Solution
Understanding How KCD Works
Authentication Flow with KCD
Before Configuring KCD
Configuring KCD
Showing KCD Status Information
Showing Cached Kerberos Tickets
Configuring Application Access
About Smart Tunnels
Why Smart Tunnels?
Adding Applications to Be Eligible for Smart Tunnel Access
Assigning a Smart Tunnel List
Configuring and Applying Smart Tunnel Policy
Configuring and Applying a Smart Tunnel Policy
Specifying Servers for Smart Tunnel Auto Sign-on
Adding or Editing a Smart Tunnel Auto Sign-on Server Entry
Automating Smart Tunnel Access
Enabling and Disabling Smart Tunnel Access
Logging Off Smart Tunnel
When Its Parent Process Terminates
With A Notification Icon
Configuring Port Forwarding
Information About Port Forwarding
Configuring DNS for Port Forwarding
Adding Applications to Be Eligible for Port Forwarding
Assigning a Port Forwarding List
Automating Port Forwarding
Enabling and Disabling Port Forwarding
Application Access User Notes
Using Application Access on Vista
Closing Application Access to Prevent hosts File Errors
Recovering from hosts File Errors When Using Application Access
Understanding the hosts File
Stopping Application Access Improperly
Reconfiguring a Hosts File Automatically Using Clientless SSL VPN
Reconfiguring hosts File Manually
Configuring File Access
CIFS File Access Requirement and Limitation
Adding Support for File Access
Ensuring Clock Accuracy for SharePoint Access
Using Clientless SSL VPN with PDAs
Using E-Mail over Clientless SSL VPN
Configuring E-mail Proxies
Configuring Web E-mail: MS Outlook Web App
Configuring Portal Access Rules
Optimizing Clientless SSL VPN Performance
Configuring Caching
Configuring Content Transformation
Configuring a Certificate for Signing Rewritten Java Content
Disabling Content Rewrite
Using Proxy Bypass
Configuring Application Profile Customization Framework
APCF Syntax
Configuration Examples for APCF
Clientless SSL VPN End User Setup
Defining the End User Interface
Viewing the Clientless SSL VPN Home Page
Viewing the Clientless SSL VPN Application Access Panel
Viewing the Floating Toolbar
Customizing Clientless SSL VPN Pages
Information About Customization
Exporting a Customization Template
Editing the Customization Template
Importing a Customization Object
Applying Customizations to Connection Profiles, Group Policies and Users
Login Screen Advanced Customization
Modifying Your HTML File
Configuring Browser Access to Client-Server Plug-ins
About Installing Browser Plug-ins
RDP Plug-in ActiveX Debug Quick Reference
Preparing the Security Appliance for a Plug-in
Configuring the ASA to Use the New HTML File
Customizing Help
Customizing a Help File Provided By Cisco
Creating Help Files for Languages Not Provided by Cisco
Importing a Help File to Flash Memory
Exporting a Previously Imported Help File from Flash Memory
Requiring Usernames and Passwords
Communicating Security Tips
Configuring Remote Systems to Use Clientless SSL VPN Features
Starting Clientless SSL VPN
Using the Clientless SSL VPN Floating Toolbar
Browsing the Web
Browsing the Network (File Management)
Using Port Forwarding
Using E-mail Via Port Forwarding
Using E-mail Via Web Access
Using E-mail Via E-mail Proxy
Using Smart Tunnel
Translating the Language of User Messages
Understanding Language Translation
Creating Translation Tables
Referencing the Language in a Customization Object
Changing a Group Policy or User Attributes to Use the Customization Object
Capturing Data
Creating a Capture File
Using a Browser to Display Capture Data
Configuring AnyConnect VPN Client Connections
Information About AnyConnect VPN Client Connections
Licensing Requirements for AnyConnect Connections
Remote PC System Requirements
Remote HTTPS Certificates Limitation
Configuring AnyConnect Connections
Configuring the ASA to Web-Deploy the Client
Enabling Permanent Client Installation
Configuring DTLS
Prompting Remote Users
Enabling AnyConnect Client Profile Downloads
Enabling Additional AnyConnect Client Features
Enabling Start Before Logon
Translating Languages for AnyConnect User Messages
Understanding Language Translation
Creating Translation Tables
Configuring Advanced AnyConnect Features
Enabling Rekey
Enabling and Adjusting Dead Peer Detection
Enabling Keepalive
Using Compression
Adjusting MTU Size
Configuring Session Timeouts
Updating AnyConnect Client Images
Enabling IPv6 VPN Access
Monitoring AnyConnect Connections
Logging Off AnyConnect VPN Sessions
Configuration Examples for Enabling AnyConnect Connections
Feature History for AnyConnect Connections
Configuring AnyConnect Host Scan
Host Scan Dependencies and System Requirements
Dependencies
System Requirements
Licensing
Host Scan Packaging
Installing and Enabling Host Scan on the ASA
Installing or Upgrading Host Scan
Enabling or Disabling a Host Scan
Detailed Steps for Enabling Host Scan
Detailed Steps for Disabling Host Scan
Viewing the Host Scan Version Enabled on the ASA
Uninstalling Host Scan
Assigning AnyConnect Feature Modules to Group Policies
Other Important Documentation Addressing Host Scan
Configuring Logging
Information About Logging
Logging in Multiple Context Mode
Analyzing Syslog Messages
Syslog Message Format
Severity Levels
Message Classes and Range of Syslog IDs
Filtering Syslog Messages
Using Custom Message Lists
Licensing Requirements for Logging
Prerequisites for Logging
Configuring Logging
Enabling Logging
Configuring an Output Destination
Sending Syslog Messages to an External Syslog Server
Sending Syslog Messages to the Internal Log Buffer
Sending Syslog Messages to an E-mail Address
Sending Syslog Messages to ASDM
Sending Syslog Messages to the Console Port
Sending Syslog Messages to an SNMP Server
Sending Syslog Messages to a Telnet or SSH Session
Creating a Custom Event List
Generating Syslog Messages in EMBLEM Format to a Syslog Server
Changing the Amount of Internal Flash Memory Available for Logs
Configuring the Logging Queue
Sending All Syslog Messages in a Class to a Specified Output Destination
Enabling Secure Logging
Including the Device ID in Non-EMBLEM Format Syslog Messages
Including the Date and Time in Syslog Messages
Disabling a Syslog Message
Changing the Severity Level of a Syslog Message
Limiting the Rate of Syslog Message Generation
Monitoring the Logs
Configuration Examples for Logging
Feature History for Logging
Configuring
Information About NSEL
Using NSEL and Syslog Messages
Licensing Requirements for NSEL
Prerequisites for NSEL
Configuring NSEL
Configuring NSEL Collectors
Configuring Flow-Export Actions Through Modular Policy Framework
Configuring Template Timeout Intervals
Changing the Time Interval for Sending Flow-Update Events to a Collector
Delaying Flow-Create Events
Disabling and Reenabling NetFlow-related Syslog Messages
Clearing Runtime Counters
Monitoring NSEL
NSEL Monitoring Commands
Configuration Examples for NSEL
Related Documents
Feature History for NSEL
Configuring SNMP
Information About SNMP
Information About SNMP Terminology
Information About MIBs and Traps
SNMP Object Identifiers
SNMP Physical Vendor Type Values
Supported Tables in MIBs
Supported Traps (Notifications)
SNMP Version 3
SNMP Version 3 Overview
Security Models
SNMP Groups
SNMP Users
SNMP Hosts
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
Licensing Requirements for SNMP
Prerequisites for SNMP
Configuring SNMP
Enabling SNMP
Configuring SNMP Traps
Configuring a CPU Usage Threshold
Configuring a Physical Interface Threshold
Using SNMP Version 1 or 2c
Using SNMP Version 3
Troubleshooting Tips
Interface Types and Examples
Monitoring SNMP
SNMP Syslog Messaging
SNMP Monitoring
Configuration Examples for SNMP
Configuration Example for SNMP Versions 1 and 2c
Configuration Example for SNMP Version 3
RFCs for SNMP Version 3
MIBs
Application Services and Third-Party Tools
Feature History for SNMP
Configuring Anonymous Reporting and Smart Call Home
Information About Anonymous Reporting and Smart Call Home
Information About Anonymous Reporting
What is Sent to Cisco?
DNS Requirement
Anonymous Reporting and Smart Call Home Prompt
Information About Smart Call Home
Licensing Requirements for Anonymous Reporting and Smart Call Home
Prerequisites for Smart Call Home and Anonymous Reporting
Configuring Anonymous Reporting and Smart Call Home
Configuring Anonymous Reporting
Configuring Smart Call Home
Enabling Smart Call Home
Declaring and Authenticating a CA Trust Point
Configuring DNS
Subscribing to Alert Groups
Configuring Periodic Notification
Information about the Message Severity Threshold
Configuring Alert Group Subscription
Testing Call Home Communications
Sending a Smart Call Home Test Message Manually
Sending a Smart Call Home Alert Group Message Manually
Sending the Output of a Command
Optional Configuration Procedures
Configuring Smart Call Home Customer Contact Information
Configuring the Mail Server
Configuring Call Home Traffic Rate Limiting
Destination Profile Management
Monitoring Smart Call Home
Configuration Example for Smart Call Home
Feature History for Anonymous Reporting and Smart Call Home
Managing Software and Configurations
Managing the Flash File System
Viewing Files in Flash Memory
Deleting Files from Flash Memory
Downloading Software or Configuration Files to Flash Memory
Downloading a File to a Specific Location
Downloading a File to the Startup or Running Configuration
Configuring the Application Image and ASDM Image to Boot
Configuring the File to Boot as the Startup Configuration
Deleting Files from a USB Drive on the ASA 5500-X Series
Performing Zero Downtime Upgrades for Failover Pairs
Upgrading an Active/Standby Failover Configuration
Upgrading an Active/Active Failover Configuration
Backing Up Configuration Files or Other Files
Backing up the Single Mode Configuration or Multiple Mode System Configuration
Backing Up a Context Configuration or Other File in Flash Memory
Backing Up a Context Configuration within a Context
Copying the Configuration from the Terminal Display
Backing Up Additional Files Using the Export and Import Commands
Using a Script to Back Up and Restore Files
Prerequisites
Running the Script
Sample Script
Configuring Auto Update Support
Configuring Communication with an Auto Update Server
Configuring Client Updates as an Auto Update Server
Viewing Auto Update Status
Downgrading Your Software
Information About Activation Key Compatibility
Performing the Downgrade
Troubleshooting
Testing Your Configuration
Enabling ICMP Debugging Messages and Syslog Messages
Pinging ASA Interfaces
Passing Traffic Through the ASA
Disabling the Test Configuration
Determining Packet Routing with Traceroute
Tracing Packets with Packet Tracer
Handling TCP Packet Loss
Reloading the ASA
Performing Password Recovery
Recovering Passwords for the ASA
Disabling Password Recovery
Resetting the Password on the SSM Hardware Module
Using the ROM Monitor to Load a Software Image
Erasing the Flash File System
Other Troubleshooting Tools
Viewing Debugging Messages
Capturing Packets
Viewing the Crash Dump
Coredump
Common Problems
A
Using the Command-Line Interface
Firewall Mode and Security Context Mode
Command Modes and Prompts
Syntax Formatting
Abbreviating Commands
Command-Line Editing
Command Completion
Command Help
Filtering show Command Output
Command Output Paging
Adding Comments
Text Configuration Files
How Commands Correspond with Lines in the Text File
Command-Specific Configuration Mode Commands
Automatic Text Entries
Line Order
Commands Not Included in the Text Configuration
Passwords
Multiple Security Context Files
Supported Character Sets
B
Addresses, Protocols, and Ports
IPv4 Addresses and Subnet Masks
Classes
Private Networks
Subnet Masks
Determining the Subnet Mask
Determining the Address to Use with the Subnet Mask
Class C-Size Network Address
Class B-Size Network Address
IPv6 Addresses
IPv6 Address Format
IPv6 Address Types
Unicast Addresses
Global Address
Site-Local Address
Link-Local Address
IPv4-Compatible IPv6 Addresses
Unspecified Address
Multicast Address
Anycast Address
Required Addresses
IPv6 Address Prefixes
Protocols and Applications
TCP and UDP Ports
Local Ports and Protocols
ICMP Types
C
Configuring an External Server for Authorization and Authentication
Understanding Policy Enforcement of Permissions and Attributes
Configuring an External LDAP Server
Organizing the ASA for LDAP Operations
Searching the LDAP Hierarchy
Binding the ASA to the LDAP Server
Defining the ASA LDAP Configuration
Supported Cisco Attributes for LDAP Authorization
Cisco AV Pair Attribute Syntax
Cisco AV Pairs ACL Examples
URL Types Supported in ACLs
Guidelines for Using Cisco-AV Pairs (ACLs)
Active Directory/LDAP VPN Remote Access Authorization Examples
User-Based Attributes Policy Enforcement
Placing LDAP Users in a Specific Group Policy
Enforcing Static IP Address Assignment for AnyConnect Tunnels
Enforcing Dial-in Allow or Deny Access
Enforcing Logon Hours and Time-of-Day Rules
Configuring an External RADIUS Server
Reviewing the RADIUS Configuration Procedure
ASA RADIUS Authorization Attributes
ASA IETF RADIUS Authorization Attributes
RADIUS Accounting Disconnect Reason Codes
Configuring an External TACACS+ Server
GLOSSARY
Numerics
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
INDEX
Symbols
Numerics
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Z