Cisco Systems ASA5515K9, ASA 5500 Monitoring the Identity Firewall

36-25

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter36 Configuring the Identity Firewall

Monitoring the Identity Firewall

•Apply VPN-Filter with bypassing access-list check disabled

•Apply VPN-Filter with bypassing access-list check enabled

Configuration Example -- VPN with IDFW Rule -1

By default, “sysopt connection permit-vpn" is enabled and VPN traffic is exempted from access-list

check. In order to apply regular interface based ACL rules for VPN traffic, VPN traffic access-list

bypassing needs to be disabled.

In the this example, if the user logs in from outside interface, the IDFW rules will control what network

resource he can access. All VPN users are be stored under domain LOCAL. Therefore, it is only

meaningful to apply the rules over LOCAL users or object-group containing LOCAL users.

! Apply VPN-Filter with bypassing access-list check disabled

no sysopt connection permit-vpn

access-list v1 extended deny ip user LOCAL\idfw any 10.0.0.0 255.255.255.0

access-list v1 extended permit ip user LOCAL\idfw any 20.0.0.0 255.255.255.0

access-group v1 in interface outside >> Control VPN user based on regular IDFW ACLs

Configuration ExampleVPN with IDFW Rule -2

By default, "sysopt connection permit-vpn" is enabled, with VPN traffic access bypassing enabled.

VPN-filter can be used to apply the IDFW rules on the VPN traffic. VPN-filter with IDFW rules can be

defined in CLI username and group-policy.

In the example, when user idfw logs in, he is able to access to network resources in 10.0.00/24 subnet.

However, when user user1 loggs in, his access to network resources in 10.0.00/24 subnet will be denied.

Note that all VPN users will be stored under domain LOCAL. Therefore, it is only meaningful to apply

the rules over LOCAL users or object-group containing LOCAL users.

Note: IDFW rules can only be aplpied to vpn-filter under group-policy and are not available in all the

other group-policy features.

! Apply VPN-Filter with bypassing access-list check enabled

sysopt connection permit-vpn

access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0

access-list v2 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0

username user1 password QkBIIYVi6IFLEsYv encrypted privilege 0 username user1 attributes

vpn-group-policy group1 vpn-filter value v2 >> Per user VPN-filter control

username idfw password eEm2dmjMaopcGozT encrypted

username idfw attributes

vpn-group-policy testgroup vpn-filter value v1

sysopt connection permit-vpn

access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0 access-list

v1 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0 group-policy group1

internal

group-policy group1 attributes >> Per group VPN-filter control

vpn-filter value v1

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

Monitoring the Identity Firewall

This section contains the following topics:

•Monitoring AD Agents, page26

•Monitoring Groups, page26

Contents

Main Cisco ASA 5500 Series Configuration Guide using the CLI Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This Guide Document Objectives Audience Related Documentation Conventions Obtaining Documentation and Submitting a Service Request Page Page Page Introduction to the Cisco ASA 5500 Series Hardware and Software Compatibility VPN Specifications New Features New Features in Version 8.6(1) Page New Features in Version 8.4(5) Page New Features in Version 8.4(4.1) Page Page New Features in Version 8.4(3) Page Page New Features in Version 8.4(2) Page Page Page Page Page Page New Features in Version 8.4(1) Page Page Page Page Firewall Functional Overview Security Policy Overview Permitting or Denying Traffic with Access Lists Applying NAT Protecting from IP Fragments Using AAA for Through Traffic Applying HTTP, HTTPS, or FTP Filtering Sending Traffic to the IPS Module Sending Traffic to the Content Security and Control Module Applying QoS Policies Applying Connection Limits and TCP Normalization Enabling Threat Detection Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Security Context Overview Page Getting Started Accessing the Appliance Command-Line Interface Configuring ASDM Access for Appliances Accessing ASDM Using the Factory Default Configuration Accessing ASDM Using a Non-Default Configuration (ASA 5505) Page Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher) Starting ASDM Connecting to ASDM for the First Time Starting ASDM from the ASDM-IDM Launcher Starting ASDM from the Java Web Start Application Using ASDM in Demo Mode Factory Default Configurations Restoring the Factory Default Configuration Limitations ASA 5505 Default Configuration ASA 5505 Routed Mode Default Configuration Page ASA 5505 Transparent Mode Sample Configuration 2-14 ASA 5510 and Higher Default Configuration Working with the Configuration Saving Configuration Changes Saving Configuration Changes in Single Context Mode Saving Configuration Changes in Multiple Context Mode Saving Each Context and System Separately Saving All Context Configurations at the Same Time Copying the Startup Configuration to the Running Configuration Viewing the Configuration Clearing and Removing Configuration Settings Creating Text Configuration Files Offline Applying Configuration Changes to Connections Page Managing Feature Licenses Supported Feature Licenses Per Model Licenses Per Model Page Page Page Page Page Page Page Page Page Page Page Page Page Page License Notes Page Page Page VPN License and Feature Compatibility Information About Feature Licenses Preinstalled License Permanent License Time-Based Licenses Time-Based License Activation Guidelines How the Time-Based License Timer Works How Permanent and Time-Based Licenses Combine Stacking Time-Based Licenses Time-Based License Expiration Shared AnyConnect Premium Licenses Information About the Shared Licensing Server and Participants Communication Issues Between Participant and Server Information About the Shared Licensing Backup Server Failover and Shared Licenses Failover and Shared License Servers Failover and Shared License Participants Maximum Number of Participants Failover Licenses (8.3(1) and Later) Failover License Requirements and Exceptions How Failover Licenses Combine Loss of Communication Between Failover Units Upgrading Failover Pairs No Payload Encryption Models Licenses FAQ Page Configuring Licenses Obtaining an Activation Key Activating or Deactivating Keys Limitations and Restrictions Configuring a Shared License Configuring the Shared Licensing Server Page Configuring the Shared Licensing Backup Server (Optional) Configuring the Shared Licensing Participant Monitoring Licenses Viewing Your Current License Page 3-40 Example 3-2 Standalone Unit Output for show activation-key detail 3-41 Example3-3 Primary Unit Output in a Failover Pair for show activation-key detail 3-42 Example3-4 Secondary Unit Output in a Failover Pair for show activation-key detail 3-43 time-based licenses, so none display in this sample output. Monitoring the Shared License 3-45 The following is sample output from the show shared license detail command on the license server: Feature History for Licensing Page Page Page Page Page Page Configuring the Transparent or Routed Firewall Configuring the Firewall Mode Information About the Firewall Mode Information About Routed Firewall Mode Information About Transparent Firewall Mode Transparent Firewall Network Bridge Groups Management Interface (ASA 5510 and Higher) Allowing Layer 3 Traffic Allowed MAC Addresses Passing Traffic Not Allowed in Routed Mode Passing Traffic For Routed-Mode Features BPDU Handling MAC Address vs. Route Lookups Using the Transparent Firewall in Your Network Licensing Requirements for the Firewall Mode Page Setting the Firewall Mode Feature History for Firewall Mode Configuring ARP Inspection for the Transparent Firewall Information About ARP Inspection Licensing Requirements for ARP Inspection Configuring ARP Inspection Task Flow for Configuring ARP Inspection Adding a Static ARP Entry Enabling ARP Inspection Monitoring ARP Inspection Feature History for ARP Inspection Customizing the MAC Address Table for the Transparent Firewall Information About the MAC Address Table Licensing Requirements for the MAC Address Table Configuring the MAC Address Table Adding a Static MAC Address Setting the MAC Address Timeout Disabling MAC Address Learning Monitoring the MAC Address Table Feature History for the MAC Address Table Firewall Mode Examples How Data Moves Through the ASA in Routed Firewall Mode An Inside User Visits a Web Server An Outside User Visits a Web Server on the DMZ An Inside User Visits a Web Server on the DMZ An Outside User Attempts to Access an Inside Host A DMZ User Attempts to Access an Inside Host How Data Moves Through the Transparent Firewall An Inside User Visits a Web Server An Inside User Visits a Web Server Using NAT An Outside User Visits a Web Server on the Inside Network An Outside User Attempts to Access an Inside Host Page Configuring Multiple Context Mode Information About Security Contexts Common Uses for Security Contexts Context Configuration Files Context Configurations System Configuration Admin Context Configuration How the ASA Classifies Packets Valid Classifier Criteria Unique Interfaces Unique MAC Addresses 5-4 Classification Examples 5-5 Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access Information About Resource Management Resource Limits Default Class Class Members Information About MAC Addresses Default MAC Address Interaction with Manual MAC Addresses Failover MAC Addresses Licensing Requirements for Multiple Context Mode MAC Address Format MAC Address Format Using a Prefix MAC Address Format Without a Prefix (Legacy Method; Not Available in 8.6(1) and Later) Page Configuring Multiple Contexts Task Flow for Configuring Multiple Context Mode Enabling or Disabling Multiple Context Mode Enabling Multiple Context Mode Restoring Single Context Mode Configuring a Class for Resource Management Page Configuring a Security Context Page Page Page Automatically Assigning MAC Addresses to Context Interfaces Changing Between Contexts and the System Execution Space Managing Security Contexts Removing a Security Context Changing the Admin Context Changing the Security Context URL Reloading a Security Context Reloading by Clearing the Configuration Reloading by Removing and Re-adding the Context Monitoring Security Contexts Viewing Context Information Page Viewing Resource Allocation Page Page Viewing Resource Usage Monitoring SYN Attacks in Contexts 5-34 individual contexts. 5-35 Viewing Assigned MAC Addresses Viewing MAC Addresses in the System Configuration 5-37 Viewing MAC Addresses Within a Context This section describes how to view MAC addresses within a context. For example: Note The show interface command shows the MAC address in use; if you manually assign a MAC address 5-38 Configuration Examples for Multiple Context Mode The following example: resource class. Adds two contexts from an FTPserver as part of the gold resource class. Feature History for Multiple Context Mode Page Page Page Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration Auto-MDI/MDIX Feature Interfaces in Transparent Mode Management Interface Management Interface Overview Management Slot/Port Interface Using Any Interface for Management-Only Traffic Management Interface for Transparent Mode No Support for Redundant Management Interfaces Management 0/0 Interface on the ASA 5512-X through ASA 5555-X Redundant Interfaces Redundant Interface MAC Address EtherChannels Channel Group Interfaces Connecting to an EtherChannel on Another Device Link Aggregation Control Protocol Load Balancing EtherChannel MAC Address Licensing Requirements for ASA 5510 and Higher Interfaces Page Page Page Starting Interface Configuration (ASA 5510 and Higher) Task Flow for Starting Interface Configuration Converting In-Use Interfaces to a Redundant or EtherChannel Interface Detailed Steps (Single Mode) Page Page 6-16 EtherChannel interfaceEnter the following command under each interface you want to add to the 6-17 shutdown command. For example, your final EtherChannel configuration is: Detailed Steps (Multiple Mode) Page Page Page Enabling the Physical Interface and Configuring Ethernet Parameters Page Page Configuring a Redundant Interface Configuring a Redundant Interface Page Changing the Active Interface Configuring an EtherChannel Adding Interfaces to the EtherChannel Page Customizing the EtherChannel Configuring VLAN Subinterfaces and 802.1Q Trunking Page Enabling Jumbo Frame Support (Supported Models) Configuration Examples for ASA 5510 and Higher Interfaces Physical Interface Parameters Example Subinterface Parameters Example Multiple Context Mode Example EtherChannel Example Feature History for ASA 5510 and Higher Interfaces Page Starting Interface Configuration (ASA 5505) Information About ASA 5505 Interfaces Understanding ASA 5505 Ports and Interfaces Maximum Active VLAN Interfaces for Your License Page VLAN MAC Addresses Licensing Requirements for ASA 5505 Interfaces Power over Ethernet Monitoring Traffic Using SPAN Auto-MDI/MDIX Feature Page Starting ASA 5505 Interface Configuration Task Flow for Starting Interface Configuration Configuring VLAN Interfaces Configuring and Enabling Switch Ports as Access Ports Page Configuring and Enabling Switch Ports as Trunk Ports Page Configuration Examples for ASA 5505 Interfaces Access Port Example 7-12 Trunk Port Example Feature History for ASA 5505 Interfaces Page Completing Interface Configuration (Routed Mode) Information About Completing Interface Configuration in Routed Mode Security Levels Dual IP Stack (IPv4 and IPv6) Licensing Requirements for Completing Interface Configuration in Routed Mode Page Page Completing Interface Configuration in Routed Mode Task Flow for Completing Interface Configuration Configuring General Interface Parameters Page Page Configuring the MAC Address and MTU Information About MAC Addresses Information About the MTU Page Configuring IPv6 Addressing Information About IPv6 IPv6 Addressing Duplicate Address Detection Modified EUI-64 Interface IDs Configuring a Global IPv6 Address and Other Options Page Allowing Same Security Level Communication Information About Inter-Interface Communication Information About Intra-Interface Communication Configuration Examples for Interfaces in Routed Mode ASA 5505 Example Feature History for Interfaces in Routed Mode Page Completing Interface Configuration (Transparent Mode) Information About Completing Interface Configuration in Transparent Mode Bridge Groups in Transparent Mode Security Levels Licensing Requirements for Completing Interface Configuration in Transparent Mode Page Page Page Completing Interface Configuration in Transparent Mode Task Flow for Completing Interface Configuration Configuring Bridge Groups Configuring General Interface Parameters Page Page Configuring a Management Interface (ASA 5510 and Higher) Configuring the MAC Address and MTU Information About MAC Addresses Information About the MTU Page Configuring IPv6 Addressing Information About IPv6 IPv6 Addressing Duplicate Address Detection Modified EUI-64 Interface IDs Unsupported Commands Configuring a Global IPv6 Address and Other Options Allowing Same Security Level Communication Information About Inter-Interface Communication Configuration Examples for Interfaces in Transparent Mode Feature History for Interfaces in Transparent Mode Page Page Page Page Configuring Basic Settings Configuring the Hostname, Domain Name, and Passwords Changing the Login Password Changing the Enable Password Setting the Hostname Setting the Domain Name Setting the Date and Time Setting the Time Zone and Daylight Saving Time Date Range Setting the Date and Time Using an NTP Server Page Setting the Date and Time Manually Configuring the Master Passphrase Information About the Master Passphrase Licensing Requirements for the Master Passphrase Adding or Changing the Master Passphrase Page Disabling the Master Passphrase Recovering the Master Passphrase Feature History for the Master Passphrase Configuring the DNS Server Monitoring DNS Cache DNS Cache Monitoring Commands Feature History for DNS Cache Configuring DHCP Information About DHCP Licensing Requirements for DHCP Configuring a DHCP Server Enabling the DHCP Server Configuring DHCP Options Options that Return an IP Address Options that Return a Text String Options that Return a Hexadecimal Value Using Cisco IP Phones with a DHCP Server Configuring DHCP Relay Services DHCP Monitoring Commands Feature History for DHCP Configuring Dynamic DNS Information About DDNS Licensing Requirements for DDNS Configuring DDNS Configuration Examples for DDNS Example 1: Client Updates Both A and PTR RRs for Static IP Addresses Page Example 5: Client Updates A RR; Server Updates PTR RR DDNS Monitoring Commands Feature History for DDNS Page Page Configuring Objects Configuring Objects and Groups Information About Objects and Groups Information About Objects Information About Object Groups Licensing Requirements for Objects and Groups Guidelines and Limitations for Objects and Groups Configuring Objects Configuring a Network Object Configuring a Service Object Page Configuring Object Groups Adding a Protocol Object Group Adding a Network Object Group Adding a Service Object Group Adding an ICMP Type Object Group Nesting Object Groups Removing Object Groups Detailed Step Monitoring Objects and Groups Feature History for Objects and Groups Configuring Regular Expressions Creating a Regular Expression Page Page Creating a Regular Expression Class Map Scheduling Extended Access List Activation Information About Scheduling Access List Activation Licensing Requirements for Scheduling Access List Activation Guidelines and Limitations for Scheduling Access List Activation Configuring and Applying Time Ranges Configuration Examples for Scheduling Access List Activation Feature History for Scheduling Access List Activation Page Page Information About Access Lists Access List Types Access Control Entry Order Access Control Implicit Deny IP Addresses Used for Access Lists When You Use NAT Page Adding an Extended Access List Information About Extended Access Lists Licensing Requirements for Extended Access Lists Configuring Extended Access Lists Adding an Extended Access List Page Monitoring Extended Access Lists Configuration Examples for Extended Access Lists Configuration Examples for Extended Access Lists (No Objects) Configuration Examples for Extended Access Lists (Using Objects) Feature History for Extended Access Lists Page Adding an EtherType Access List Information About EtherType Access Lists Licensing Requirements for EtherType Access Lists Configuring EtherType Access Lists Task Flow for Configuring EtherType Access Lists Adding EtherType Access Lists Monitoring EtherType Access Lists Configuration Examples for EtherType Access Lists Feature History for EtherType Access Lists Page Adding a Standard Access List Information About Standard Access Lists Licensing Requirements for Standard Access Lists Page Adding Standard Access Lists Task Flow for Configuring Extended Access Lists Adding a Standard Access List Monitoring Access Lists Configuration Examples for Standard Access Lists Feature History for Standard Access Lists Page Adding a Webtype Access List Licensing Requirements for Webtype Access Lists Using Webtype Access Lists Task Flow for Configuring Webtype Access Lists Adding Webtype Access Lists with a URL String Adding Webtype Access Lists with an IP Address Monitoring Webtype Access Lists Configuration Examples for Webtype Access Lists Page Feature History for Webtype Access Lists Page Page Page Adding an IPv6 Access List Information About IPv6 Access Lists Licensing Requirements for IPv6 Access Lists Prerequisites for Adding IPv6 Access Lists Page Configuring IPv6 Access Lists Task Flow for Configuring IPv6 Access Lists Adding IPv6 Access Lists Page Monitoring IPv6 Access Lists Configuration Examples for IPv6 Access Lists Feature History for IPv6 Access Lists Page Configuring Logging for Access Lists Configuring Logging for Access Lists Information About Logging Access List Activity Licensing Requirements for Access List Logging Configuring Access List Logging Monitoring Access Lists Configuration Examples for Access List Logging Feature History for Access List Logging Managing Deny Flows Information About Managing Deny Flows Licensing Requirements for Managing Deny Flows Managing Deny Flows Monitoring Deny Flows Feature History for Managing Deny Flows Page Page Routing Overview Information About Routing Switching Path Determination Supported Route Types Static Versus Dynamic Single-Path Versus Multipath Flat Versus Hierarchical Link-State Versus Distance Vector How Routing Behaves Within the ASA Egress Interface Selection Process Next Hop Selection Process Supported Internet Protocols for Routing Information About the Routing Table Displaying the Routing Table How the Routing Table Is Populated Page Backup Routes How Forwarding Decisions Are Made Dynamic Routing and Failover Information About IPv6 Support Features That Support IPv6 IPv6-Enabled Commands Entering IPv6 Addresses in Commands Disabling Proxy ARPs Page Configuring Static and Default Routes Information About Static and Default Routes Licensing Requirements for Static and Default Routes Configuring Static and Default Routes Configuring a Static Route Adding or Editing a Static Route Configuring a Default Static Route Limitations on Configuring a Default Static Route Configuring IPv6 Default and Static Routes Monitoring a Static or Default Route Page Configuration Examples for Static or Default Routes Feature History for Static and Default Routes Page Page Defining Route Maps Information About Route Maps Permit and Deny Clauses Match and Set Clause Values Licensing Requirements for Route Maps Defining a Route Map Customizing a Route Map Defining a Route to Match a Specific Destination Address Configuring the Metric Values for a Route Action Configuration Example for Route Maps Feature History for Route Maps Configuring OSPF Information About OSPF Licensing Requirements for OSPF Configuring OSPF Customizing OSPF Redistributing Routes Into OSPF Page Configuring Route Summarization When Redistributing Routes Into OSPF Configuring Route Summarization Between OSPF Areas Configuring OSPF Interface Parameters Page Configuring OSPF Area Parameters Configuring OSPF NSSA Defining Static OSPF Neighbors Configuring Route Calculation Timers Logging Neighbors Going Up or Down Restarting the OSPF Process Configuration Example for OSPF 24-15 Step3 (Optional) To configure OSPF interface parameters, enter the following commands: Step4 (Optional) To configure OSPF area parameters, enter the following commands: enter the following commands: Step6 To restart the OSPF process, enter the following commands: Monitoring OSPF Feature History for OSPF Page Configuring RIP Information About RIP Routing Update Process RIP Routing Metric RIP Stability Features RIP Timers Licensing Requirements for RIP Configuring RIP Enabling RIP Customizing RIP Configuring the RIP Version Configuring Interfaces for RIP Configuring the RIP Send and Receive Version on an Interface Configuring Route Summarization Filtering Networks in RIP Redistributing Routes into the RIP Routing Process Enabling RIP Authentication Page Monitoring RIP Configuration Example for RIP Feature History for RIP Page Configuring Multicast Routing Information About Multicast Routing Stub Multicast Routing PIM Multicast Routing Multicast Group Concept Licensing Requirements for Multicast Routing Enabling Multicast Routing Customizing Multicast Routing Configuring Stub Multicast Routing and Forwarding IGMP Messages Configuring a Static Multicast Route Configuring IGMP Features Disabling IGMP on an Interface Configuring IGMP Group Membership Configuring a Statically Joined IGMP Group Controlling Access to Multicast Groups Limiting the Number of IGMP States on an Interface Modifying the Query Messages to Multicast Groups Changing the IGMP Version Configuring PIM Features Enabling and Disabling PIM on an Interface Configuring a Static Rendezvous Point Address Configuring the Designated Router Priority Configuring and Filtering PIM Register Messages Configuring PIM Message Intervals Filtering PIM Neighbors Configuring a Bidirectional Neighbor Filter Configuring a Multicast Boundary Configuration Example for Multicast Routing Related Documents Feature History for Multicast Routing Page Configuring EIGRP Information About EIGRP Licensing Requirements for EIGRP Configuring EIGRP Enabling EIGRP Enabling EIGRP Stub Routing Customizing EIGRP Defining a Network for an EIGRP Routing Process Configuring Interfaces for EIGRP Configuring Passive Interfaces Configuring the Summary Aggregate Addresses on Interfaces Changing the Interface Delay Value Enabling EIGRP Authentication on an Interface Defining an EIGRP Neighbor Redistributing Routes Into EIGRP Filtering Networks in EIGRP Customizing the EIGRP Hello Interval and Hold Time Disabling Automatic Route Summarization Configuring Default Information in EIGRP Disabling EIGRP Split Horizon Restarting the EIGRP Process Monitoring EIGRP Configuration Example for EIGRP Feature History for EIGRP Page Page Page Page Page Page Page Page Page Page Page Configuring IPv6 Neighbor Discovery Information About IPv6 Neighbor Discovery Neighbor Solicitation Messages Neighbor Reachable Time Router Advertisement Messages Static IPv6 Neighbors Licensing Requirements for IPv6 Neighbor Discovery Guidelines and Limitations Page Default Settings for IPv6 Neighbor Discovery Configuring the Neighbor Solicitation Message Interval Configuring the Neighbor Reachable Time Configuring the Router Advertisement Transmission Interval Configuring the Router Lifetime Value Configuring DAD Settings Configuring IPv6 Addresses on an Interface Suppressing Router Advertisement Messages Configuring the IPv6 Prefix Configuring a Static IPv6 Neighbor Monitoring IPv6 Neighbor Discovery Related Documents for IPv6 Prefixes RFCs for IPv6 Prefixes and Documentation Feature History for IPv6 Neighbor Discovery Page Page Information About NAT Why Use NAT? NAT Terminology NAT Types NAT Types Overview Static NAT Information About Static NAT Information About Static NAT with Port Translation Information About Static NAT with Port Address Translation Static NAT with Identity Port Translation Static NAT with Port Translation for Non-Standard Ports Static Interface NAT with Port Translation Information About One-to-Many Static NAT Information About Other Mapping Scenarios (Not Recommended) Dynamic NAT Information About Dynamic NAT Dynamic NAT Disadvantages and Advantages Dynamic PAT Information About Dynamic PAT Dynamic PAT Disadvantages and Advantages Identity NAT NAT in Routed and Transparent Mode NAT in Routed Mode NAT in Transparent Mode NAT for VPN 29-15 How NAT is Implemented Main Differences Between Network Object NAT and Twice NAT Information About Network Object NAT Information About Twice NAT 29-18 Page NAT Rule Order NAT Interfaces Routing NAT Packets Mapped Addresses and Routing Page Transparent Mode Routing Requirements for Remote Networks Determining the Egress Interface DNS and NAT Page 29-26 29-27 Page Configuring Network Object NAT Information About Network Object NAT Licensing Requirements for Network Object NAT Prerequisites for Network Object NAT Configuring Network Object NAT Configuring Dynamic NAT Page Configuring Dynamic PAT (Hide) Page Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Configuring Identity NAT Page Monitoring Network Object NAT Configuration Examples for Network Object NAT Providing Access to an Inside Web Server (Static NAT) NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) 30-20 30-21 Feature History for Network Object NAT Page Page Configuring Twice NAT Information About Twice NAT Licensing Requirements for Twice NAT Prerequisites for Twice NAT Configuring Twice NAT Configuring Dynamic NAT Page Page Page Configuring Dynamic PAT (Hide) Page Page Page Page Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Page Page Page Configuring Identity NAT Page Page Page Monitoring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the Destination (Dynamic PAT) Page Different Translation Depending on the Destination Address and Port (Dynamic PAT) Page Feature History for Twice NAT Page Page Page Page Configuring a Service Policy Using the Modular Policy Framework Information About Service Policies Supported Features for Through Traffic Supported Features for Management Traffic Feature Directionality Feature Matching Within a Service Policy Order in Which Multiple Feature Actions are Applied Incompatibility of Certain Feature Actions Feature Matching for Multiple Service Policies Licensing Requirements for Service Policies Default Configuration Default Class Maps Task Flows for Configuring Service Policies Task Flow for Using the Modular Policy Framework Page Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping Identifying Traffic (Layer 3/4 Class Maps) Creating a Layer 3/4 Class Map for Through Traffic Page Creating a Layer 3/4 Class Map for Management Traffic Defining Actions (Layer 3/4 Policy Map) Page Applying Actions to an Interface (Service Policy) Monitoring Modular Policy Framework Configuration Examples for Modular Policy Framework 32-19 Applying Inspection and QoS Policing to HTTP Traffic Applying Inspection to HTTP Traffic Globally 32-20 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers port Applying Inspection to HTTP Traffic with NAT Feature History for Service Policies Page Configuring Special Actions for Application Inspections (Inspection Policy Map) Information About Inspection Policy Maps Default Inspection Policy Maps Defining Actions in an Inspection Policy Map Page Page Page Identifying Traffic in an Inspection Class Map Page Page Page Page Configuring Access Rules Information About Access Rules General Information About Rules Implicit Permits Information About Interface Access Rules and Global Access Rules Using Access Rules and EtherType Rules on the Same Interface Implicit Deny Inbound and Outbound Rules Information About Extended Access Rules Access Rules for Returning Traffic Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules Management Access Rules Information About EtherType Rules Supported EtherTypes and Other Traffic Access Rules for Returning Traffic Allowing MPLS Licensing Requirements for Access Rules Prerequisites Configuring Access Rules Monitoring Access Rules Configuration Examples for Permitting or Denying Network Access Feature History for Access Rules Configuring AAA Servers and the Local Database Information About AAA Information About Authentication Information About Authorization Information About Accounting Summary of Server Support RADIUS Server Support Authentication Methods Attribute Support RADIUS Authorization Functions TACACS+ Server Support RSA/SDI Server Support RSA/SDI Version Support Two-step Authentication Process RSA/SDI Primary and Replica Servers NT Server Support Kerberos Server Support LDAP Server Support Authentication with LDAP LDAP Server Types HTTP Forms Authentication for Clientless SSL VPN Local Database Support, Including as a Falback Method How Fallback Works with Multiple Servers in a Group Using Certificates and User Login Credentials Using User Login Credentials Using Certificates Licensing Requirements for AAA Servers Configuring AAA Task Flow for Configuring AAA Configuring AAA Server Groups Page Page Page Page Configuring Authorization with LDAP for VPN Page Configuring LDAP Attribute Maps Page Adding a User Account to the Local Database Guidelines Page Page Page Page Managing User Passwords Page Page Authenticating Users with a Public Key for SSH Differentiating User Roles Using AAA Using Local Authentication Using RADIUS Authentication Using LDAP Authentication Using TACACS+ Authentication Monitoring AAA Servers Feature History for AAA Servers Page Configuring the Identity Firewall Information About the Identity Firewall Overview of the Identity Firewall Architecture for Identity Firewall Deployments Features of the Identity Firewall LAN Deployment Scenarios 36-5 Figure36-2 Deployment Scenario without Redundancy No Redundancy Figure36-3 Deployment Scenario with Redundant Components LAN Page Cut-through Proxy and VPN Authentication Licensing for the Identity Firewall Prerequisites Configuring the Identity Firewall Task Flow for Configuring the Identity Firewall Configuring the Active Directory Domain Page Configuring Active Directory Agents Configuring Identity Options Page Page Page Page Page Configuring Identity-based Access Rules Page Configuring Cut-through Proxy Authentication Page Configuring VPN Authentication Monitoring the Identity Firewall Monitoring AD Agents Monitoring Groups Monitoring Memory Usage for the Identity Firewall Monitoring Users for the Identity Firewall Feature History for the Identity Firewall Configuring Management Access Configuring ASA Access for ASDM, Telnet, or SSH Licensing Requirements for ASA Access for ASDM, Telnet, or SSH Configuring Telnet Access Using a Telnet Client Configuring SSH Access Using an SSH Client Configuring HTTPS Access for ASDM Configuring CLI Parameters Licensing Requirements for CLI Parameters Configuring a Login Banner Customizing a CLI Prompt Changing the Console Timeout Configuring ICMP Access Information About ICMP Access Licensing Requirements for ICMP Access Configuring ICMP Access Configuring Management Access Over a VPN Tunnel Licensing Requirements for a Management Interface Configuring a Management Interface Configuring AAA for System Administrators Information About AAA for System Administrators Information About Management Authentication Comparing CLI Access with and without Authentication Comparing ASDM Access with and without Authentication Information About Command Authorization Supported Command Authorization Methods About Preserving User Credentials Security Contexts and Command Authorization Licensing Requirements for AAA for System Administrators Prerequisites Page Configuring Authentication for CLI and ASDM Access Configuring Authentication to Access Privileged EXEC Mode (the enable Command) Configuring Authentication for the enable Command Authenticating Users with the login Command Limiting User CLI and ASDM Access with Management Authorization Configuring Command Authorization Configuring Local Command Authorization Page Page Viewing Local Command Privilege Levels Configuring Commands on the TACACS+ Server Page Page Configuring TACACS+ Command Authorization Configuring Management Access Accounting Viewing the Currently Logged-In User Recovering from a Lockout Setting a Management Session Quota Feature History for Management Access Page Configuring AAA Rules for Network Access AAA Performance Licensing Requirements for AAA Rules Configuring Authentication for Network Access Information About Authentication One-Time Authentication Applications Required to Receive an Authentication Challenge ASA Authentication Prompts Static PAT and HTTP Configuring Network Access Authentication Page Enabling Secure Authentication of Web Clients Authenticating Directly with the ASA Authenticating HTTP(S) Connections with a Virtual Server Authenticating Telnet Connections with a Virtual Server Page Configuring Authorization for Network Access Configuring TACACS+ Authorization Page Page Configuring RADIUS Authorization Configuring a RADIUS Server to Send Downloadable Access Control Lists About the Downloadable Access List Feature and Cisco Secure ACS Page Configuring Cisco Secure ACS for Downloadable Access Lists Configuring Any RADIUS Server for Downloadable Access Lists Converting Wildcard Netmask Expressions in Downloadable Access Lists Configuring a RADIUS Server to Download Per-User Access Control List Names Configuring Accounting for Network Access Page Using MAC Addresses to Exempt Traffic from Authentication and Authorization Feature History for AAA Rules Page Configuring Filtering Services Information About Web Traffic Filtering Configuring ActiveX Filtering Information About ActiveX Filtering Licensing Requirements for ActiveX Filtering Guidelines and Limitations for ActiveX Filtering Configuring ActiveX Filtering Configuration Examples for ActiveX Filtering Feature History for ActiveX Filtering Configuring Java Applet Filtering Information About Java Applet Filtering Licensing Requirements for Java Applet Filtering Guidelines and Limitations for Java Applet Filtering Configuring Java Applet Filtering Configuration Examples for Java Applet Filtering Feature History for Java Applet Filtering Filtering URLs and FTP Requests with an External Server Information About URL Filtering Licensing Requirements for URL Filtering Guidelines and Limitations for URL Filtering Identifying the Filtering Server Page Configuring Additional URL Filtering Settings Buffering the Content Server Response Caching Server Addresses Filtering HTTP URLs Enabling HTTP Filtering Enabling Filtering of Long HTTP URLs Truncating Long HTTP URLs Exempting Traffic from Filtering Filtering HTTPS URLs Filtering FTP Requests Monitoring Filtering Statistics 39-16 The following is sample output from the show url-block command: The following is sample output from the show url-block block statistics command: The following is sample output from the show url-cache stats command: The following is sample output from the show perfmon command: Feature History for URL Filtering Page Configuring Web Cache Services Using WCCP Information About WCCP Licensing Requirements for WCCP Enabling WCCP Redirection WCCP Monitoring Commands Feature History for WCCP Configuring Digital Certificates Information About Digital Certificates Public Key Cryptography Certificate Scalability Key Pairs Trustpoints Certificate Enrollment Proxy for SCEP Requests Revocation Checking Supported CA Servers CRLs OCSP The Local CA Storage for Local CA Files The Local CA Server Licensing Requirements for Digital Certificates Prerequisites for Local Certificates Prerequisites for SCEP Proxy Support Page Configuring Digital Certificates Configuring Key Pairs Removing Key Pairs Configuring Trustpoints Page Page Configuring CRLs for a Trustpoint Page Exporting a Trustpoint Configuration Importing a Trustpoint Configuration Configuring CA Certificate Map Rules Obtaining Certificates Manually Page Obtaining Certificates Automatically with SCEP Configuring Proxy Support for SCEP Requests Enabling the Local CA Server Configuring the Local CA Server Page Customizing the Local CA Server Debugging the Local CA Server Disabling the Local CA Server Deleting the Local CA Server Configuring Local CA Certificate Characteristics Configuring the Issuer Name Configuring the CA Certificate Lifetime Configuring the User Certificate Lifetime Configuring the CRL Lifetime Configuring the Server Keysize Setting Up External Local CA File Storage Page Downloading CRLs Storing CRLs Setting Up Enrollment Parameters Adding and Enrolling Users Page Renewing Users Restoring Users Removing Users Revoking Certificates Maintaining the Local CA Certificate Database Rolling Over Local CA Certificates Archiving the Local CA Server Certificate and Keypair Monitoring Digital Certificates 41-42 The following example shows an RSA general-purpose key: The following example shows the local CA CRL: The following example shows one user on-hold: Feature History for Certificate Management Page Page Page Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection How Inspection Engines Work When to Use Application Protocol Inspection 3 4 Page Page Page Configuring Application Layer Protocol Inspection Page Page Page Page Page Page Configuring Inspection of Basic Internet Protocols DNS Inspection How DNS Application Inspection Works How DNS Rewrite Works Configuring DNS Rewrite Configuring DNS Rewrite with Two NAT Zones Overview of DNS Rewrite with Three NAT Zones Page Configuring DNS Rewrite with Three NAT Zones Configuring a DNS Inspection Policy Map for Additional Inspection Control Page Page Verifying and Monitoring DNS Inspection FTP Inspection FTP Inspection Overview Using the strict Option Configuring an FTP Inspection Policy Map for Additional Inspection Control Page Page Page Verifying and Monitoring FTP Inspection HTTP Inspection HTTP Inspection Overview Configuring an HTTP Inspection Policy Map for Additional Inspection Control Page Page ICMP Inspection ICMP Error Inspection Instant Messaging Inspection IM Inspection Overview Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control Page Page 43-24 IP Options Inspection This section describes the IP Options inspection engine. This section includes the following topics: IP Options Inspection Overview Configuring an IP Options Inspection Policy Map for Additional Inspection Control IPsec Pass Through Inspection IPsec Pass Through Inspection Overview Example for Defining an IPsec Pass Through Parameter Map IPv6 Inspection Configuring an IPv6 Inspection Policy Map NetBIOS Inspection NetBIOS Inspection Overview Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control PPTP Inspection SMTP and Extended SMTP Inspection SMTP and ESMTP Inspection Overview Configuring an ESMTP Inspection Policy Map for Additional Inspection Control Page TFTP Inspection Configuring Inspection for Voice and Video Protocols CTIQBE Inspection CTIQBE Inspection Overview Limitations and Restrictions Verifying and Monitoring CTIQBE Inspection H.323 Inspection H.323 Inspection Overview How H.323 Works H.239 Support in H.245 Messages Limitations and Restrictions Configuring an H.323 Inspection Policy Map for Additional Inspection Control Page Page Configuring H.323 and H.225 Timeout Values Verifying and Monitoring H.323 Inspection Monitoring H.225 Sessions Monitoring H.245 Sessions Monitoring H.323 RAS Sessions MGCP Inspection MGCP Inspection Overview Page Configuring an MGCP Inspection Policy Map for Additional Inspection Control Configuring MGCP Timeout Values Verifying and Monitoring MGCP Inspection RTSP Inspection RTSP Inspection Overview Using RealPlayer Restrictions and Limitations Configuring an RTSP Inspection Policy Map for Additional Inspection Control Page Page SIP Inspection SIP Inspection Overview SIP Instant Messaging Configuring a SIP Inspection Policy Map for Additional Inspection Control Page Page Page Configuring SIP Timeout Values Verifying and Monitoring SIP Inspection Skinny (SCCP) Inspection SCCP Inspection Overview Supporting Cisco IP Phones Restrictions and Limitations Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control Page Verifying and Monitoring SCCP Inspection Page Page Configuring Inspection of Database and Directory Protocols ILS Inspection SQL*Net Inspection Sun RPC Inspection Sun RPC Inspection Overview Managing Sun RPC Services Verifying and Monitoring Sun RPC Inspection Page Page Configuring Inspection for Management Application Protocols DCERPC Inspection DCERPC Overview Configuring a DCERPC Inspection Policy Map for Additional Inspection Control GTP Inspection GTP Inspection Overview Configuring a GTP Inspection Policy Map for Additional Inspection Control Page Page Page Verifying and Monitoring GTP Inspection RADIUS Accounting Inspection RADIUS Accounting Inspection Overview Configuring a RADIUS Inspection Policy Map for Additional Inspection Control RSH Inspection SNMP Inspection SNMP Inspection Overview Configuring an SNMP Inspection Policy Map for Additional Inspection Control XDMCP Inspection Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Information About Cisco Unified Communications Proxy Features Information About the Adaptive Security Appliance in Cisco Unified Communications Page TLS Proxy Applications in Cisco Unified Communications Licensing for Cisco Unified Communications Proxy Features Page Page Page Page Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Phone Proxy Functionality Page Supported Cisco UCM and IP Phones for the Phone Proxy Licensing Requirements for the Phone Proxy Page Prerequisites for the Phone Proxy Media Termination Instance Prerequisites Certificates from the Cisco UCM DNS Lookup Prerequisites Cisco Unified Communications Manager Prerequisites Access List Rules NAT and PAT Prerequisites Prerequisites for IP Phones on Multiple Interfaces 7960 and 7940 IP Phones Support Cisco IP Communicator Prerequisites Prerequisites for Rate Limiting TFTP Requests Rate Limiting Configuration Example About ICMP Traffic Destined for the Media Termination Address End-User Phone Provisioning Ways to Deploy IP Phones to End Users Phone Proxy Guidelines and Limitations General Guidelines and Limitations Media Termination Address Guidelines and Limitations Configuring the Phone Proxy Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster Importing Certificates from the Cisco UCM Page Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster Creating the CTL File Page Using an Existing CTL File Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster Creating the Media Termination Instance Creating the Phone Proxy Instance Page Enabling the Phone Proxy with SIP and Skinny Inspection Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy Configuring Your Router Troubleshooting the Phone Proxy Debugging Information from the Security Appliance Page Page Page Debugging Information from IP Phones IP Phone Registration Failure TFTP Auth Error Displays on IP Phone Console Configuration File Parsing Error Configuration File Parsing Error: Unable to Get DNS Response Non-configuration File Parsing Error Cisco UCM Does Not Respond to TFTP Request for Configuration File IP Phone Does Not Respond After the Security Appliance Sends TFTP Data IP Phone Requesting Unsigned File Error IP Phone Unable to Download CTL File IP Phone Registration Failure from Signaling Connections Page SSL Handshake Failure Certificate Validation Errors Media Termination Address Errors Audio Problems with IP Phones Media Failure for a Voice Call Saving SAST Keys Page Configuration Examples for the Phone Proxy Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher 48-44 48-45 Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher 48-46 Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers 48-47 48-48 Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher 48-50 Example 6: VLAN Transversal 48-52 Feature History for the Phone Proxy Page Configuring the T Inspection Information about the TLS Proxy for Encrypted Voice Inspection Decryption and Inspection of Unified Communications Encrypted Signaling CTL Client Overview Page Licensing for the TLS Proxy Page Prerequisites for the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection Page Creating an Internal CA Creating a CTL Provider Instance Page Enabling the TLS Proxy Instance for Skinny or SIP Inspection Page 49-15 Monitoring the TLS Proxy The following is sample output reflecting a successful TLS proxy session setup for a SIP phone: 49-16 49-17 Feature History for the TLS Proxy for Encrypted Voice Inspection Table49-2 lists the release history for this feature. Table49-2 Feature History for Cisco Phone Proxy Feature Name Releases Feature Information TLS Proxy 8.0(2) The TLS proxy feature was introduced. Page Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Cisco Mobility Advantage Proxy Functionality Mobility Advantage Proxy Deployment Scenarios Page Mobility Advantage Proxy Using NAT/PAT Trust Relationships for Cisco UMA Deployments Licensing for the Cisco Mobility Advantage Proxy Feature Configuring Cisco Mobility Advantage Task Flow for Configuring Cisco Mobility Advantage Installing the Cisco UMA Server Certificate Page Enabling the TLS Proxy for MMP Inspection Monitoring for Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Example 2: Cisco UMC/Cisco UMA Architecture Security Appliance as TLS Proxy Only 50-13 DMZ Feature History for Cisco Mobility Advantage Configuring Cisco Unified Presence Information About Cisco Unified Presence Architecture for Cisco Unified Presence for SIP Federation Deployments 51-2 Page Trust Relationship in the Presence Federation Security Certificate Exchange Between Cisco UP and the Security Appliance XMPP Federation Deployments Configuration Requirements for XMPP Federation Licensing for Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation Installing Certificates Page Page Enabling the TLS Proxy for SIP Inspection Monitoring Cisco Unified Presence Configuration Example for Cisco Unified Presence Example Configuration for SIP Federation Deployments 51-16 51-17 Example Access List Configuration for XMPP Federation command. Example NAT Configuration for XMPP Federation Page Feature History for Cisco Unified Presence Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Features of Cisco Intercompany Media Engine Proxy How the UC-IME Works with the PSTN and the Internet Tickets and Passwords M Call Fallback to the PSTN Architecture and Deployment Scenarios for Cisco Intercompany Media Engine Architecture Basic Deployment Off Path Deployment M V V Internet M Licensing for Cisco Intercompany Media Engine V Page Page Configuring Cisco Intercompany Media Engine Proxy Task Flow for Configuring Cisco Intercompany Media Engine M M Configuring NAT for Cisco Intercompany Media Engine Proxy M M Configuring PAT for the Cisco UCM Server M Page Creating Access Lists for Cisco Intercompany Media Engine Proxy Creating the Media Termination Instance Creating the Cisco Intercompany Media Engine Proxy Page Page Page Page Page Creating the TLS Proxy Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Page (Optional) Configuring TLS within the Local Enterprise Page Page (Optional) Configuring Off Path Signaling M Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane Page Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard Troubleshooting Cisco Intercompany Media Engine Proxy Page Page Feature History for Cisco Intercompany Media Engine Proxy Page Page Page Configuring Connection Settings Information About Connection Settings TCP Intercept and Limiting Embryonic Connections Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility Dead Connection Detection (DCD) TCP Sequence Randomization TCP Normalization TCP State Bypass Licensing Requirements for Connection Settings TCP State Bypass Guidelines and Limitations Configuring Connection Settings Task Flow For Configuring Configuration Settings (Except Global Timeouts) Customizing the TCP Normalizer with a TCP Map Page Page Page Configuring Connection Settings Page Page Page Monitoring Connection Settings Monitoring TCP State Bypass Configuration Examples for Connection Settings Configuration Examples for Connection Limits and Timeouts Configuration Examples for TCP State Bypass Configuration Examples for TCP Normalization Feature History for Connection Settings Configuring QoS Information About QoS Supported QoS Features What is a Token Bucket? Information About Policing Information About Priority Queuing Information About Traffic Shaping How QoS Features Interact DSCP and DiffServ Preservation Licensing Requirements for QoS Configuring QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue Configuring the Standard Priority Queue for an Interface Page Configuring a Service Rule for Standard Priority Queuing and Policing Page Page Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing (Optional) Configuring the Hierarchical Priority Queuing Policy Configuring the Service Rule Page Monitoring QoS Viewing QoS Police Statistics Viewing QoS Standard Priority Statistics Viewing QoS Shaping Statistics Viewing QoS Standard Priority Queue Statistics Feature History for QoS Page Page Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter Botnet Traffic Filter Address Types Botnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Databases Information About the Dynamic Database How the ASA Uses the Dynamic Database Information About the Static Database Information About the DNS Reverse Lookup Cache and DNS Host Cache 55-5 How the Botnet Traffic Filter Works Figure 55-2 shows how the Botnet Traffic Filter works with the static database. Licensing Requirements for the Botnet Traffic Filter Configuring the Botnet Traffic Filter Task Flow for Configuring the Botnet Traffic Filter Configuring the Dynamic Database Page Adding Entries to the Static Database Enabling DNS Snooping Default DNS Inspection Configuration and Recommended Configuration Enabling Traffic Classification and Actions for the Botnet Traffic Filter Recommended Configuration Page Blocking Botnet Traffic Manually Searching the Dynamic Database Monitoring the Botnet Traffic Filter Botnet Traffic Filter Syslog Messaging Botnet Traffic Filter Commands Page Configuration Examples for the Botnet Traffic Filter Recommended Configuration Example 55-20 Example5 5-2 Multiple Mode Botnet Traffic Filter Recommended Example Other Configuration Examples 55-21 To shun connections, see the Blocking Unwanted Connections section on page57-2. Feature History for the Botnet Traffic Filter Configuring Threat Detection Information About Threat Detection Licensing Requirements for Threat Detection Configuring Basic Threat Detection Statistics Information About Basic Threat Detection Statistics Page Configuring Basic Threat Detection Statistics Monitoring Basic Threat Detection Statistics Feature History for Basic Threat Detection Statistics Configuring Advanced Threat Detection Statistics Information About Advanced Threat Detection Statistics Configuring Advanced Threat Detection Statistics Page Monitoring Advanced Threat Detection Statistics Page Page Page Page Feature History for Advanced Threat Detection Statistics Configuring Scanning Threat Detection Information About Scanning Threat Detection Page Configuring Scanning Threat Detection Monitoring Shunned Hosts, Attackers, and Targets Feature History for Scanning Threat Detection Configuration Examples for Threat Detection Page Using Protection Tools Preventing IP Spoofing Configuring the Fragment Size Blocking Unwanted Connections Configuring IP Audit for Basic IPS Support Configuring IP Audit IP Audit Signature List Page Page Page Page Page Page Page Page Page Page Configuring the ASA IPS Module Information About the ASA IPS module How the ASA IPS module Works with the ASA Operating Modes Using Virtual Sensors (ASA 5510 and Higher) Information About Management Access Licensing Requirements for the ASA IPS module Configuring the ASA IPS module Task Flow for the ASA IPS Module Connecting Management Interface Cables Default ASA IP: 192.168.1.1/IPS IP: 192.168.1.2 Default IPS Gateway: 192.168.1.1 (ASA) 58-9 Cisco ASA 5500 Series Configuration Guide using the CLI Chapter58 Configuring the ASA IPS Module Configuring the ASA IPS module ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Physical Module) Sessioning to the Module from the ASA SSP ASA 5585-X Switch PC (IP Address from DHCP) Configuring Basic IPS Module Network Settings (ASA 5510 and Higher) Configuring Basic Network Settings (ASA 5505) Configuring Basic Network Settings Page Page (ASA 5512-X through ASA 5555-X) Installing the Software Module Configuring the Security Policy on the ASA IPS module Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) Page Diverting Traffic to the ASA IPS module Page Page Monitoring the ASA IPS module Troubleshooting the ASA IPS module Installing an Image on the Module Page Uninstalling a Software Module Image Page Configuration Examples for the ASA IPS module Feature History for the ASA IPS module Page Configuring the ASA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA Information About ASA CX Management Initial Configuration Policy Configuration and Management Information About Authentication Proxy Information About VPN and the ASA CX Module Compatibility with ASA Features Licensing Requirements for the ASA CX Module Configuring the ASA CX Module Task Flow for the ASA CX Module Connecting Management Interface Cables 59-7 Cisco ASA 5500 Series Configuration Guide using the CLI Chapter59 Configuring the ASA CX Module Configuring the ASA CX Module Configuring the ASA CX Management IP Address Configuring Basic ASA CX Settings at the ASA CX CLI ASA 5585-X SSP ASA Management 0/0 Page Configuring the Security Policy on the ASA CX Module Using PRSM (Optional) Configuring the Authentication Proxy Port Redirecting Traffic to the ASA CX Module Monitoring the ASA CX Module Showing Module Status Showing Module Statistics Monitoring Module Connections 59-15 59-16 The following is sample output from the show asp event dp-cp cxsc-msg command: The following is sample output from the show conn detail command: Capturing Module Traffic Troubleshooting the ASA CX Module General Recovery Procedures Page Debugging the Module Problems with the Authentication Proxy 59-21 3. In the packet captures, the redirect request should be going to destination port 2000. Configuration Examples for the ASA CX Module Feature History for the ASA CX Module Configuring the ASA CSC Module Information About the CSC SSM Page Determining What Traffic to Scan Page Licensing Requirements for the CSC SSM Prerequisites for the CSC SSM Page Configuring the CSC SSM Before Configuring the CSC SSM Connecting to the CSC SSM Page Diverting Traffic to the CSC SSM Page Page Monitoring the CSC SSM Troubleshooting the CSC Module Installing an Image on the Module Page Configuration Examples for the CSC SSM Page Feature History for the CSC SSM Page Page Information About High Availability Introduction to Failover and High Availability Failover System Requirements Hardware Requirements Software Requirements License Requirements Failover and Stateful Failover Links Failover Link Stateful Failover Link Failover Interface Speed for Stateful Links Avoiding Interrupted Failover Links Page 61-7 Scenario 3Recommended Scenario 4Recommended Active/Active and Active/Standby Failover Determining Which Type of Failover to Use Stateless (Regular) and Stateful Failover Stateless (Regular) Failover Stateful Failover Transparent Firewall Mode Requirements Auto Update Server Support in Failover Configurations Auto Update Process Overview Monitoring the Auto Update Process Failover Health Monitoring Unit Health Monitoring Interface Monitoring Failover Times Failover Messages Failover System Messages Debug Messages SNMP Page Configuring Active/Standby Failover Information About Active/Standby Failover Active/Standby Failover Overview Primary/Secondary Status and Active/Standby Status Device Initialization and Configuration Synchronization Command Replication Failover Triggers Failover Actions Page Optional Active/Standby Failover Settings Licensing Requirements for Active/Standby Failover Prerequisites for Active/Standby Failover Configuring Active/Standby Failover Task Flow for Configuring Active/Standby Failover Configuring the Primary Unit Page Page Configuring the Secondary Unit Configuring Optional Active/Standby Failover Settings Enabling HTTP Replication with Stateful Failover Disabling and Enabling Interface Monitoring Configuring Failover Criteria Configuring the Unit and Interface Health Poll Times Configuring Virtual MAC Addresses Controlling Failover Forcing Failover Disabling Failover Restoring a Failed Unit Testing the Failover Functionality Monitoring Active/Standby Failover Feature History for Active/Standby Failover Configuring Active/Active Failover Information About Active/Active Failover Active/Active Failover Overview Primary/Secondary Status and Active/Standby Status Device Initialization and Configuration Synchronization Command Replication Failover Triggers Failover Actions Optional Active/Active Failover Settings Licensing Requirements for Active/Active Failover Prerequisites for Active/Active Failover Configuring Active/Active Failover Task Flow for Configuring Active/Active Failover Configuring the Primary Failover Unit Page Page Configuring the Secondary Failover Unit Configuring Optional Active/Active Failover Settings Configuring Failover Group Preemption Page Enabling HTTP Replication with Stateful Failover Disabling and Enabling Interface Monitoring Configuring Interface Health Monitoring Configuring Failover Criteria Configuring Virtual MAC Addresses Page Configuring Support for Asymmetrically Routed Packets Page 63-20 Example63-2 admin Context Configuration through the interface outsideISP-B (192.168.2.2) on ASA SecAppB. Example6 3-3 ctx1 Context Configuration Figure 63-1 shows the ASR support working as follows: Remote Command Execution Changing Command Modes Security Considerations Limitations of Remote Command Execution Controlling Failover Forcing Failover Disabling Failover Restoring a Failed Unit or Failover Group Testing the Failover Functionality Monitoring Active/Active Failover Feature History for Active/Active Failover Page Page Page Configuring IPsec and ISAKMP Information About Tunneling, IPsec, and ISAKMP IPsec Overview ISAKMP and IKE Overview Licensing Requirements for Remote Access IPsec VPNs Page Page Page Page Configuring ISAKMP Configuring IKEv1 and IKEv2 Policies Page Page Page Enabling IKE on the Outside Interface Disabling IKEv1 Aggressive Mode Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers Enabling IPsec over NAT-T Using NAT-T Enabling IPsec with IKEv1 over TCP Waiting for Active Sessions to Terminate Before Rebooting Alerting Peers Before Disconnecting Configuring Certificate Group Matching for IKEv1 Creating a Certificate Group Matching Rule and Policy Page Using the Tunnel-group-map default-group Command Configuring IPsec Understanding IPsec Tunnels Understanding IKEv1 Transform Sets and IKEv2 Proposals Defining Crypto Maps Page Page Page Page Page Applying Crypto Maps to Interfaces Using Interface Access Lists Page Page Changing IPsec SA Lifetimes Creating a Basic IPsec Configuration Page Using Dynamic Crypto Maps Page Page Providing Site-to-Site Redundancy Viewing an IPsec Configuration Clearing Security Associations Clearing Crypto Map Configurations Supporting the Nokia VPN Client Page Page Page Configuring L2TP over IPsec Information About L2TP over IPsec/IKEv1 IPsec Transport and Tunnel Modes Tunnel mode Transport mode Licensing Requirements for L2TP over IPsec Page Page Page Prerequisites for Configuring L2TP over IPsec Configuring L2TP over IPsec Detailed CLI Configuration Steps Page Page Creating IKE Policies to Respond to Windows 7 Proposals Detailed CLI Configuration Steps Page Page Creating IKE Policies to Respond to Windows 7 Proposals 65-17 Configuration Example for L2TP over IPsec Using ASA 8.2.5 Configuration Example for L2TP over IPsec Using ASA 8.4.1 and later Feature History for L2TP over IPsec Setting General VPN Parameters Configuring VPNs in Single, Routed Mode Configuring IPsec to Bypass ACLs Permitting Intra-Interface Traffic (Hairpinning) NAT Considerations for Intra-Interface Traffic Setting Maximum Active IPsec or SSL VPN Sessions Using Client Update to Ensure Acceptable IPsec Client Revision Levels Page Understanding Load Balancing Comparing Load Balancing to Failover Load Balancing Failover Implementing Load Balancing Prerequisites Eligible Platforms Eligible Clients VPN Load-Balancing Algorithm VPN Load-Balancing Cluster Configurations Some Typical Mixed Cluster Scenarios Scenario 1: Mixed Cluster with No SSL VPN Connections Scenario 2: Mixed Cluster Handling SSL VPN Connections Configuring Load Balancing Configuring the Public and Private Interfaces for Load Balancing Configuring the Load Balancing Cluster Attributes Enabling Redirection Using a Fully Qualified Domain Name Frequently Asked Questions About Load Balancing IP Address Pool Exhaustion Unique IP Address Pools Using Load Balancing and Failover on the Same Device Load Balancing on Multiple Interfaces Viewing Load Balancing 66-16 Configuring VPN Session Limits Page Page Configuring Connection Profiles, Group Policies, and Users Overview of Connection Profiles, Group Policies, and Users Connection Profiles General Connection Profile Connection Parameters IPsec Tunnel-Group Connection Parameters Connection Profile Connection Parameters for SSL VPN Sessions Configuring Connection Profiles Maximum Connection Profiles Default IPsec Remote Access Connection Profile Configuration Configuring IPsec Tunnel-Group General Attributes Configuring Remote-Access Connection Profiles Specifying a Name and Type for the Remote Access Connection Profile Configuring Remote-Access Connection Profile General Attributes Page Page Page Configuring Double Authentication Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes Page Configuring IPsec Remote-Access Connection Profile PPP Attributes Page Configuring LAN-to-LAN Connection Profiles Default LAN-to-LAN Connection Profile Configuration Specifying a Name and Type for a LAN-to-LAN Connection Profile Configuring LAN-to-LAN Connection Profile General Attributes Configuring LAN-to-LAN IPsec IKEv1 Attributes Page Configuring Connection Profiles for Clientless SSL VPN Sessions Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions Page Page Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions Page Page Page Customizing Login Windows for Users of Clientless SSL VPN sessions Configuring Microsoft Active Directory Settings for Password Management Using Active Directory to Force the User to Change Password at Next Logon Using Active Directory to Specify Maximum Password Age Using Active Directory to Override an Account Disabled AAA Indicator Using Active Directory to Enforce Minimum Password Length Using Active Directory to Enforce Password Complexity Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client AnyConnect Client and RADIUS/SDI Server Interaction Configuring the Security Appliance to Support RADIUS/SDI Messages Group Policies Default Group Policy 67-38 Configuring Group Policies Configuring an External Group Policy Configuring an Internal Group Policy Configuring Group Policy Attributes Configuring WINS and DNS Servers Page Configuring VPN-Specific Attributes Page Page Page Configuring Security Attributes Page Configuring the Banner Message Configuring IPsec-UDP Attributes for IKEv1 Configuring Split-Tunneling Attributes Differences in Client Split Tunneling Behavior for Traffic within the Subnet Setting the Split-Tunneling Policy Creating a Network List for Split-Tunneling Configuring Domain Attributes for Tunneling Defining a Default Domain Name for Tunneled Packets Defining a List of Domains for Split Tunneling Configuring DHCP Intercept Configuring Attributes for VPN Hardware Clients Configuring Secure Unit Authentication Configuring User Authentication Configuring an Idle Timeout Configuring IP Phone Bypass Configuring LEAP Bypass Enabling Network Extension Mode Configuring Backup Server Attributes Configuring Browser Client Parameters Page Configuring Network Admission Control Parameters Page os name. Configuring Address Pools Configuring Firewall Policies Supporting a Zone Labs Integrity Server Overview of the Integrity Server and ASA Interaction Configuring Integrity Server Support Setting Client Firewall Parameters Cisco Integrated Firewall Cisco Security Agent No Firewall Custom Firewall Zone Labs Firewalls Sygate Personal Firewalls Network Ice, Black Ice Firewall: Configuring Client Access Rules Page Configuring Group-Policy Attributes for Clientless SSL VPN Sessions Applying Customization Specifying a Deny Message Configuring Group-Policy Filter Attributes for Clientless SSL VPN Sessions Specifying the User Home Page Configuring Auto-Signon Specifying the Access List for Clientless SSL VPN Sessions Applying a URL List Enabling ActiveX Relay for a Group Policy Enabling Application Access on Clientless SSL VPN Sessions for a Group Policy Configuring the Port-Forwarding Display Name Configuring the Maximum Object Size to Ignore for Updating the Session Timer Specifying HTTP Compression Specifying the SSO Server Configuring Group-Policy Attributes for AnyConnect Secure Mobility Client Connections Page Configuring User Attributes Viewing the Username Configuration Configuring Attributes for Specific Users Setting a User Password and Privilege Level Configuring User Attributes Configuring VPN User Attributes Configuring Inheritance Configuring Access Hours Configuring Maximum Simultaneous Logins Configuring the Idle Timeout Configuring the Maximum Connect Time Applying an ACL Filter Specifying the IP Address and Netmask Specifying the Tunnel Protocol Restricting Remote User Access Enabling Password Storage for Software Client Users Configuring Clientless SSL VPN Access for Specific Users Specifying the Content/Objects to Filter from the HTML Specifying the User Home Page Applying Customization Specifying a Deny Message Specifying the Access List for Clientless SSL VPN Sessions Applying a URL List Enabling ActiveX Relay for a User Enabling Application Access for Clientless SSL VPN Sessions Configuring the Port-Forwarding Display Name Configuring the Maximum Object Size to Ignore for Updating the Session Timer Configuring Auto-Signon Specifying HTTP Compression Specifying the SSO Server Configuring IP Addresses for VPNs Configuring an IP Address Assignment Method Configuring Local IP Address Pools Configuring AAA Addressing Configuring DHCP Addressing Page Page Page Configuring Remote Access IPsec VPNs Information About Remote Access IPsec VPNs Licensing Requirements for Remote Access IPsec VPNs Page Page Page Page Configuring Remote Access IPsec VPNs Configuring Interfaces Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface Configuring an Address Pool Adding a User Creating an IKEv1 Transform Set or IKEv2 Proposal Defining a Tunnel Group Creating a Dynamic Crypto Map Creating a Crypto Map Entry to Use the Dynamic Crypto Map 69-14 Saving the Security Appliance Configuration Saves the changes to the configuration. Configuration Examples for Remote Access IPsec VPNs The following example shows how to configure a remote access IPsec/IKEv1 VPN: Step1 Creates a crypto map entry that uses a dynamic crypto map. Step2 Feature History for Remote Access VPNs Table69-1 lists the release history for this feature. Table69-1 Feature History for Feature-1 Page Configuring Network Admission Control Information about Network Admission Control Licensing Requirements Page Prerequisites for NAC Viewing the NAC Policies on the Security Appliance Detailed Steps. Adding, Accessing, or Removing a NAC Policy Configuring a NAC Policy Specifying the Access Control Server Group Setting the Query-for-Posture-Changes Timer Setting the Revalidation Timer Configuring the Default ACL for NAC Configuring Exemptions from NAC Page Assigning a NAC Policy to a Group Policy Changing Global NAC Framework Settings Changing Clientless Authentication Settings Enabling and Disabling Clientless Authentication Changing the Login Credentials Used for Clientless Authentication Changing NAC Framework Session Attributes Page Page Page Configuring Easy VPN Services on the ASA 5505 Specifying the Client/Server Role of the Cisco ASA 5505 Specifying the Primary and Secondary Servers Specifying the Mode NEM with Multiple Interfaces Configuring Automatic Xauth Authentication Configuring IPsec Over TCP Comparing Tunneling Options Specifying the Tunnel Group or Trustpoint Specifying the Tunnel Group Specifying the Trustpoint Configuring Split Tunneling Configuring Device Pass-Through Configuring Remote Management Guidelines for Configuring the Easy VPN Server Group Policy and User Attributes Pushed to the Client Page Authentication Options Configuring the PPPoE Client PPPoE Client Overview Configuring the PPPoE Client Username and Password Enabling PPPoE Using PPPoE with a Fixed IP Address Monitoring and Debugging the PPPoE Client Clearing the Configuration Using Related Commands Page Configuring LAN-to-LAN IPsec VPNs Summary of the Configuration Configuring Interfaces Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface Configuring ISAKMP Policies for IKEv1 Connections Configuring ISAKMP Policies for IKEv2 Connections Creating an IKEv1 Transform Set Creating an IKEv2 Proposal Configuring an ACL Defining a Tunnel Group Page Creating a Crypto Map and Applying It To an Interface Applying Crypto Maps to Interfaces Configuring Clientless SSL VPN Information About Clientless SSL VPN Licensing Requirements Page Prerequisites for Clientless SSL VPN Observing Clientless SSL VPN Security Precautions Disabling URL on the Portal Page Using SSL to Access the Central Site Using HTTPS for Clientless SSL VPN Sessions Configuring Clientless SSL VPN and ASDM Ports Configuring Support for Proxy Servers Page Configuring SSL/TLS Encryption Protocols Authenticating with Digital Certificates Enabling Cookies on Browsers for Clientless SSL VPN Configuring Application Helper Managing Passwords Using Single Sign-on with Clientless SSL VPN Configuring SSO with HTTP Basic or NTLM Authentication Configuring SSO Authentication Using SiteMinder Adding the Cisco Authentication Scheme to SiteMinder Configuring SSO Authentication Using SAML Browser Post Profile Page Configuring the SAML POST SSO Server Configuring SSO with the HTTP Form Protocol 1 4 5 3 5 2 Page Page Gathering HTTP Form Data Page Page Page Configuring SSO for Plug-ins Configuring SSO with Macro Substitution Encoding Page Authenticating with Digital Certificates Creating and Applying Clientless SSL VPN Policies for Accessing Resources Assigning Users to Group Policies Using the Security Appliance Authentication Server Using a RADIUS Server Using an LDAP Server Configuring Connection Profile Attributes for Clientless SSL VPN Configuring Group Policy and User Attributes for Clientless SSL VPN Configuring Browser Access to Plug-ins Page Preparing the Security Appliance for a Plug-in Installing Plug-ins Redistributed By Cisco Page Providing Access to Third-Party Plug-ins Configuring and Applying the POST URL Providing Access to a Citrix Java Presentation Server Preparing the Citrix MetraFrame Server for Clientless SSL VPN Access Creating and Installing the Citrix Plug-in Viewing the Plug-ins Installed on the Security Appliance Why a Microsoft Kerberos Constrained Delegation Solution Understanding How KCD Works Authentication Flow with KCD Before Configuring KCD Configuring KCD Showing KCD Status Information 74-47 Showing Cached Kerberos Tickets Shows sample output returned from this command. To display all Kerberos tickets cached on the ASA, enter the following commands: Command Function userUsed to view the Kerberos tickets of a specific user Configuring Application Access About Smart Tunnels Why Smart Tunnels? Page Adding Applications to Be Eligible for Smart Tunnel Access Page Page Page Assigning a Smart Tunnel List Configuring and Applying Smart Tunnel Policy Configuring and Applying a Smart Tunnel Tunnel Policy Specifying Servers for Smart Tunnel Auto Sign-on Page Adding or Editing a Smart Tunnel Auto Sign-on Server Entry Automating Smart Tunnel Access Enabling and Disabling Smart Tunnel Access Logging Off Smart Tunnel When Its Parent Process Terminates With A Notification Icon Configuring Port Forwarding Information About Port Forwarding Configuring DNS for Port Forwarding Adding Applications to Be Eligible for Port Forwarding Page Assigning a Port Forwarding List Automating Port Forwarding Enabling and Disabling Port Forwarding Application Access User Notes Using Application Access on Vista Closing Application Access to Prevent hosts File Errors Recovering from hosts File Errors When Using Application Access Understanding the hosts File Stopping Application Access Improperly Reconfiguring a Hosts File Automatically Using Clientless SSL VPN Reconfiguring hosts File Manually Configuring File Access CIFS File Access Requirement and Limitation Adding Support for File Access Page Page Ensuring Clock Accuracy for SharePoint Access Using Clientless SSL VPN with PDAs Using E-Mail over Clientless SSL VPN Configuring E-mail Proxies Configuring Web E-mail: MS Outlook Web App Configuring Portal Access Rules Optimizing Clientless SSL VPN Performance Configuring Caching Configuring Content Transformation Configuring a Certificate for Signing Rewritten Java Content Disabling Content Rewrite Using Proxy Bypass Configuring Application Profile Customization Framework APCF Syntax Configuration Examples for APCF Clientless SSL VPN End User Setup Defining the End User Interface Viewing the Clientless SSL VPN Home Page Viewing the Clientless SSL VPN Application Access Panel Viewing the Floating Toolbar Customizing Clientless SSL VPN Pages Information About Customization Exporting a Customization Template Editing the Customization Template 74-92 74-93 74-94 74-95 74-96 Importing a Customization Object Applying Customizations to Connection Profiles, Group Policies and Users Page Login Screen Advanced Customization Page Modifying Your HTML File Configuring Browser Access to Client-Server Plug-ins About Installing Browser Plug-ins RDP Plug-in ActiveX Debug Quick Reference Preparing the Security Appliance for a Plug-in Configuring the ASA to Use the New HTML File Customizing Help Customizing a Help File Provided By Cisco Creating Help Files for Languages Not Provided by Cisco Importing a Help File to Flash Memory Exporting a Previously Imported Help File from Flash Memory Requiring Usernames and Passwords Communicating Security Tips Configuring Remote Systems to Use Clientless SSL VPN Features Starting Clientless SSL VPN Using the Clientless SSL VPN Floating Toolbar Browsing the Web Browsing the Network (File Management) Using Port Forwarding Using E-mail Via Port Forwarding Using E-mail Via Web Access Using E-mail Via E-mail Proxy Using Smart Tunnel Translating the Language of User Messages Understanding Language Translation Creating Translation Tables Page Referencing the Language in a Customization Object Page Changing a Group Policy or User Attributes to Use the Customization Object Capturing Data Creating a Capture File Using a Browser to Display Capture Data Page Page Configuring AnyConnect VPN Client Connections Information About AnyConnect VPN Client Connections Licensing Requirements for AnyConnect Connections Page Page Remote PC System Requirements Remote HTTPS Certificates Limitation Configuring AnyConnect Connections Configuring the ASA to Web-Deploy the Client Enabling Permanent Client Installation Configuring DTLS Prompting Remote Users Page Enabling AnyConnect Client Profile Downloads Enabling Additional AnyConnect Client Features Enabling Start Before Logon Translating Languages for AnyConnect User Messages Understanding Language Translation Creating Translation Tables Page Configuring Advanced AnyConnect Features Enabling Rekey Enabling and Adjusting Dead Peer Detection Enabling Keepalive Using Compression Adjusting MTU Size Configuring Session Timeouts Updating AnyConnect Client Images Enabling IPv6 VPN Access Monitoring AnyConnect Connections Logging Off AnyConnect VPN Sessions Configuration Examples for Enabling AnyConnect Connections Feature History for AnyConnect Connections Page Configuring AnyConnect Host Scan Host Scan Dependencies and System Requirements Dependencies System Requirements Licensing Host Scan Packaging Installing and Enabling Host Scan on the ASA Installing or Upgrading Host Scan Enabling or Disabling a Host Scan Detailed Steps for Enabling Host Scan Detailed Steps for Disabling Host Scan Viewing the Host Scan Version Enabled on the ASA Uninstalling Host Scan Assigning AnyConnect Feature Modules to Group Policies Other Important Documentation Addressing Host Scan Page Page Page Configuring Logging Information About Logging Logging in Multiple Context Mode Analyzing Syslog Messages Syslog Message Format Severity Levels Message Classes and Range of Syslog IDs Filtering Syslog Messages Using Custom Message Lists Licensing Requirements for Logging Prerequisites for Logging Configuring Logging Enabling Logging Configuring an Output Destination Page Sending Syslog Messages to an External Syslog Server Sending Syslog Messages to the Internal Log Buffer Sending Syslog Messages to an E-mail Address Sending Syslog Messages to ASDM Sending Syslog Messages to the Console Port Sending Syslog Messages to an SNMP Server Sending Syslog Messages to a Telnet or SSH Session Creating a Custom Event List Generating Syslog Messages in EMBLEM Format to a Syslog Server Changing the Amount of Internal Flash Memory Available for Logs Configuring the Logging Queue Sending All Syslog Messages in a Class to a Specified Output Destination Enabling Secure Logging Including the Device ID in Non-EMBLEM Format Syslog Messages Including the Date and Time in Syslog Messages Disabling a Syslog Message Changing the Severity Level of a Syslog Message Limiting the Rate of Syslog Message Generation Monitoring the Logs Configuration Examples for Logging Feature History for Logging Page Page Configuring Information About NSEL Using NSEL and Syslog Messages Licensing Requirements for NSEL Prerequisites for NSEL Configuring NSEL Configuring NSEL Collectors Configuring Flow-Export Actions Through Modular Policy Framework Page Configuring Template Timeout Intervals Changing the Time Interval for Sending Flow-Update Events to a Collector Delaying Flow-Create Events Disabling and Reenabling NetFlow-related Syslog Messages Clearing Runtime Counters Monitoring NSEL NSEL Monitoring Commands 78-11 The following example shows how to display the flow-export active configuration: The following example shows how to display the flow-export delay configuration: The following example shows how to display the flow-export destination configurations: The following example shows how to display the flow-export template configuration: Configuration Examples for NSEL Page Related Documents Feature History for NSEL Page Page Configuring SNMP Information About SNMP Information About SNMP Terminology Information About MIBs and Traps SNMP Object Identifiers Page SNMP Physical Vendor Type Values Page Page Page Page Page Supported Tables in MIBs Supported Traps (Notifications) Page Page SNMP Version 3 SNMP Version 3 Overview Security Models SNMP Groups SNMP Users SNMP Hosts Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software Licensing Requirements for SNMP Prerequisites for SNMP Configuring SNMP Enabling SNMP Page Configuring SNMP Traps Configuring a CPU Usage Threshold Configuring a Physical Interface Threshold Using SNMP Version 1 or 2c Using SNMP Version 3 Troubleshooting Tips Interface Types and Examples Monitoring SNMP SNMP Syslog Messaging SNMP Monitoring Configuration Examples for SNMP Configuration Example for SNMP Versions 1 and 2c Configuration Example for SNMP Version 3 RFCs for SNMP Version 3 MIBs 79-30 Application Services and Third-Party Tools Feature History for SNMP Page Configuring Anonymous Reporting and Smart Call Home Information About Anonymous Reporting and Smart Call Home Information About Anonymous Reporting What is Sent to Cisco? DNS Requirement Anonymous Reporting and Smart Call Home Prompt Information About Smart Call Home Licensing Requirements for Anonymous Reporting and Smart Call Home Prerequisites for Smart Call Home and Anonymous Reporting Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting Configuring Smart Call Home Enabling Smart Call Home Declaring and Authenticating a CA Trust Point Configuring DNS Subscribing to Alert Groups Configuring Periodic Notification Information about the Message Severity Threshold Configuring Alert Group Subscription Testing Call Home Communications Sending a Smart Call Home Test Message Manually Sending a Smart Call Home Alert Group Message Manually Sending the Output of a Command Optional Configuration Procedures Configuring Smart Call Home Customer Contact Information Page Configuring the Mail Server Configuring Call Home Traffic Rate Limiting Destination Profile Management Page Page Monitoring Smart Call Home Configuration Example for Smart Call Home Feature History for Anonymous Reporting and Smart Call Home Page Page Managing Software and Configurations Managing the Flash File System Viewing Files in Flash Memory Deleting Files from Flash Memory Downloading Software or Configuration Files to Flash Memory Downloading a File to a Specific Location Downloading a File to the Startup or Running Configuration Configuring the Application Image and ASDM Image to Boot Configuring the File to Boot as the Startup Configuration Deleting Files from a USB Drive on the ASA 5500-X Series Performing Zero Downtime Upgrades for Failover Pairs Upgrading an Active/Standby Failover Configuration Upgrading an Active/Active Failover Configuration Backing Up Configuration Files or Other Files Backing up the Single Mode Configuration or Multiple Mode System Configuration Backing Up a Context Configuration or Other File in Flash Memory Backing Up a Context Configuration within a Context Copying the Configuration from the Terminal Display Backing Up Additional Files Using the Export and Import Commands Using a Script to Back Up and Restore Files Prerequisites Running the Script 81-11 Sample Script 81-12 81-13 81-14 81-15 Configuring Auto Update Support Configuring Communication with an Auto Update Server Page Configuring Client Updates as an Auto Update Server Viewing Auto Update Status Downgrading Your Software Information About Activation Key Compatibility Performing the Downgrade Page Page Troubleshooting Testing Your Configuration Enabling ICMP Debugging Messages and Syslog Messages Pinging ASA Interfaces 82-4 If the ping reaches the ASA, and it responds, debugging messages similar to the following appear: Passing Traffic Through the ASA ? Page Disabling the Test Configuration Determining Packet Routing with Traceroute Tracing Packets with Packet Tracer Handling TCP Packet Loss Reloading the ASA Performing Password Recovery Recovering Passwords for the ASA Disabling Password Recovery Resetting the Password on the SSM Hardware Module Using the ROM Monitor to Load a Software Image Erasing the Flash File System Other Troubleshooting Tools Viewing Debugging Messages Capturing Packets Viewing the Crash Dump Coredump Common Problems Page Page Page Page A Using the Command-Line Interface Firewall Mode and Security Context Mode Command Modes and Prompts Syntax Formatting Abbreviating Commands Command-Line Editing Command Completion Command Help Filtering show Command Output Command Output Paging Adding Comments Text Configuration Files How Commands Correspond with Lines in the Text File Command-Specific Configuration Mode Commands Automatic Text Entries Line Order Commands Not Included in the Text Configuration Passwords Multiple Security Context Files Supported Character Sets B Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks Classes Private Networks Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask Class C-Size Network Address Class B-Size Network Address IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Global Address Site-Local Address Link-Local Address IPv4-Compatible IPv6 Addresses Unspecified Address Multicast Address Anycast Address Required Addresses IPv6 Address Prefixes Protocols and Applications TCP and UDP Ports Page Page Local Ports and Protocols ICMP Types Page C Configuring an External Server for Authorization and Authentication Understanding Policy Enforcement of Permissions and Attributes Configuring an External LDAP Server Organizing the ASA for LDAP Operations Searching the LDAP Hierarchy Binding the ASA to the LDAP Server Defining the ASA LDAP Configuration Supported Cisco Attributes for LDAP Authorization Page Page Page Page Page Page Page Cisco AV Pair Attribute Syntax Cisco AV Pairs ACL Examples URL Types Supported in ACLs Guidelines for Using Cisco-AV Pairs (ACLs) Active Directory/LDAP VPN Remote Access Authorization Examples User-Based Attributes Policy Enforcement Page Placing LDAP Users in a Specific Group Policy Page Enforcing Static IP Address Assignment for AnyConnect Tunnels Page Enforcing Dial-in Allow or Deny Access Page Page Enforcing Logon Hours and Time-of-Day Rules Page Configuring an External RADIUS Server Reviewing the RADIUS Configuration Procedure ASA RADIUS Authorization Attributes Page Page Page Page Page Page Page Page ASA IETF RADIUS Authorization Attributes RADIUS Accounting Disconnect Reason Codes Configuring an External TACACS+ Server Page Page GLOSSARY Numerics A B C D Page E F G H I Page J K L M N O P Page Page Q R S Page T Page U V W X Page Page INDEX Symbols Numerics A Page Page B C Page D Page E F G H I Page J K L M Page N O P proxy ARP Q R S Page Page Page T Page U V W X Z