Software Version
Cisco ASA Series Firewall CLI Configuration Guide
Cisco ASA Series Firewall CLI Configuration Guide
Iii
N T E N T S
Guidelines and Limitations Default Inspection Policy Maps
NAT for VPN
Guidelines and Limitations
Vii
Rules
Viii
Getting Started with Application Layer Protocol Inspection
IPv6 Inspection
Verifying and Monitoring Sun RPC Inspection
Configuring Unified Communications
Xii
Installing a Certificate
Xiii
Enabling the Phone Proxy with SIP and Skinny Inspection
Xiv
CTL Client Overview
Architecture
Xvi
Configuring Connection Settings and QoS
Xvii
Configuring the Standard Priority Queue for an Interface
Xviii
Bypassing Scanning with Whitelists
Xix
Information About the Static Database
Configuring Java Applet Filtering
Xxi
Filtering URLs and FTP Requests with an External Server
30-15
Xxii
Xxiii
ASA 5505 Configuring Basic Network Settings
Xxiv
Related Documentation
Document Objectives
Conventions
Convention Indication
Xxvi
Obtaining Documentation and Submitting a Service Request
R T
Page
Information About Service Policies
Feature Directionality
Supported Features
Feature Traffic? See
For Through
Feature
Feature Matching Within a Service Policy
Global Direction
ASA IPS ASA CX
Order in Which Multiple Feature Actions are Applied
Incompatibility of Certain Feature Actions
Feature Matching for Multiple Service Policies
Licensing Requirements for Service Policies
Guidelines and Limitations
Class Map Guidelines
Service Policy Guidelines
Policy Map Guidelines
Default Configuration
Default Settings
Default Configuration, Default Class Maps,
Default Class Maps
Task Flows for Configuring Service Policies
Task Flow for Using the Modular Policy Framework
This section includes the following topics
See the Identifying Traffic Layer 3/4 Class Maps section on
Layer 3/4 Policy Map
Identifying Traffic Layer 3/4 Class Maps
Command Purpose
Creating a Layer 3/4 Class Map for Through Traffic
Example
Ports are included in the match default-inspection-traffic
See the Default Settings and NAT Limitations section on
Match default-inspection-traffic command to narrow
Match flow ip destination-address command to match flows
Except for the match any , match access-list , or match
Creating a Layer 3/4 Class Map for Management Traffic
Defining Actions Layer 3/4 Policy Map
Creates a management class map, where classmapname is a
See the Supported Features section on
Task Flow for Configuring Hierarchical Policy Maps for
Identifying Traffic Layer 3/4 Class Maps section on
QoS Traffic Shaping section on page 1-11 for more
Applying Actions to an Interface Service Policy
Displays the service policy statistics
Configuration Examples for Modular Policy Framework
Monitoring Modular Policy Framework
IPv6, see the IPv6 Guidelines section on
Ciscoasaconfig# class-map httptraffic
See the following commands for this example
Applying Inspection and QoS Policing to Http Traffic
Applying Inspection to Http Traffic Globally
Ciscoasaconfig# service-policy httptrafficpolicy global
Ciscoasaconfig# policy-map httptrafficpolicy
Applying Inspection to Http Traffic with NAT
Ciscoasaconfig# service-policy httpclient interface inside
Obj-192.168.1.1
Host
Feature Name Releases Feature Information
Feature History for Service Policies
Introduced class-map type management, and inspect
Radius-accounting
Information About Inspection Policy Maps
Guidelines and Limitations
Default Inspection Policy Maps
Identifying Traffic in an Inspection Class Map section on
Defining Actions in an Inspection Policy Map
Identifying Traffic in an Inspection Class Map
Getting Started with Application Layer Protocol Inspection
Feature History for Inspection Policy Maps
Where to Go Next
1lists the release history for this feature
Page
Configuring Network Address Translation
Page
Information About NAT
Why Use NAT?
NAT Terminology
NAT Types Overview
NAT Types
Static NAT
Information About Static NAT
Information About Static NAT with Port Address Translation
Information About Static NAT with Port Translation
Static NAT with Identity Port Translation
Information About One-to-Many Static NAT
4shows a typical few-to-many static NAT scenario
Information About Other Mapping Scenarios Not Recommended
Information About Dynamic NAT
Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Dynamic PAT
Information About Dynamic PAT
Dynamic PAT Disadvantages and Advantages
Per-Session PAT vs. Multi-Session PAT
Identity NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode, NAT in Transparent Mode,
NAT in Transparent Mode
NAT in Routed Mode
10 NAT Example Transparent Mode
How NAT is Implemented
NAT and IPv6
Main Differences Between Network Object NAT and Twice NAT
Information About Twice NAT
Information About Network Object NAT
11 Twice NAT with Different Destination Addresses
12 Twice NAT with Different Destination Ports
13 Twice Static NAT with Destination Address Translation
Rule Type Order of Rules within the Section
NAT Rule Order
Routing NAT Packets
NAT Interfaces
Mapped Addresses and Routing
Too late
Transparent Mode Routing Requirements for Remote Networks
NAT for VPN
203.0.113.16075
NAT and Remote Access VPN
Same-security-traffic permit intra-interface
NAT and Site-to-Site VPN
19 Interface PAT and Identity NAT for Site-to-Site VPN
See the following sample NAT configuration for ASA1 Boulder
Subnet 10.2.2.0
NAT and VPN Management Access
Object network boulderinside Subnet 10.1.1.0
Object network vpnlocal Subnet 10.3.3.0
Subnet 10.1.1.0 Nat inside,outside dynamic interface
Management-access inside
Add the identity NAT configuration
Troubleshooting NAT and VPN
DNS and NAT
Enter show nat detail and show conn all
22 DNS Reply Modification, DNS Server on Outside
192.168.1.10
24 DNS Reply Modification, DNS Server on Host Network
2001DB8D1A5C8E1
26 PTR Modification, DNS Server on Host Network
Page
Information About Network Object NAT
Configuring Network Object NAT
Prerequisites for Network Object NAT
Licensing Requirements for Network Object NAT
Supports IPv6. See also the NAT and IPv6 section on
Additional Guidelines
Adding Network Objects for Mapped Addresses
Configuring Network Object NAT
Object
Configuring Dynamic NAT
Object network objname
DNS and NAT section on page 3-28 for more information
Additional Guidelines section on
Nat inside,outside dynamic nat-pat-grp interface
Configuring Dynamic PAT Hide
Optional Create a network object or group for
Configures a network object for which you want to configure
See the Adding Network Objects for Mapped Addresses section
Mapped addresses
Interface-Routed mode only The IP address
Configures dynamic PAT for the object IP addresses. You can
Used. For this option, you must configure a specific
When you want to use the interface IP address you
Ciscoasaconfig-network-object#nat inside,outside dynamic
Ciscoasaconfig# object network IPv4POOL
Configuring Static NAT or Static NAT-with-Port-Translation
Ciscoasaconfig# object network IPv6INSIDE
Addresses IPv4 or IPv6 that you want to translate
See the DNS and NAT section on page 3-28. This option is
Static NAT section on
See the Mapped Addresses and Routing section on
Translate. See the Adding Network Objects for Mapped
Configuring Identity NAT
Addresses section on
See the Additional Guidelines section on
NAT command. See the Determining the Egress Interface
Mapped Addresses and Routing section on
Section on page 3-22 for more information
By default, the following rules are installed
Configuring Per-Session PAT Rules
Shows NAT statistics, including hits for each NAT rule
Monitoring Network Object NAT
How many times they were allocated
Configuration Examples for Network Object NAT
Configure static NAT for the object
Providing Access to an Inside Web Server Static NAT
Ciscoasaconfig# object network myWebServ
Create a network object for the internal web server
Ciscoasaconfig-network-object#nat outside,inside static
Configure static NAT for the web server
Create a network object for the inside network
Create a network object for the outside web server
Ciscoasaconfig# object network myPublicIPs
Configure static NAT for the load balancer
Ciscoasaconfig# object network myLBHost
Create a network object for the load balancer
Ciscoasaconfig# object network Httpserver
Ciscoasaconfig# object network Ftpserver
Create a network object for the FTP server address
Create a network object for the Http server address
Create a network object for the Smtp server address
Ciscoasaconfig# object network Smtpserver
DNS Reply Modification
DNS Reply Modification Using Outside NAT
2001DB8D1A5C8E1
Ciscoasaconfig# object network Dnsserver
Platform Feature Name Releases Feature Information
Feature History for Network Object NAT
Pat-pool mappedobject extended
Pat-pool mappedobject flat include-reserve
Configuration mode, show nat, show nat pool, show xlate
General-attributes configuration mode
Nat-assigned-to-public-ip interface tunnel-group
Show nat pool
Page
Information About Twice NAT
Configuring Twice NAT
Prerequisites for Twice NAT
Licensing Requirements for Twice NAT
Supports IPv6
Configuring Twice NAT Guidelines and Limitations
Adding Network Objects for Real and Mapped Addresses
Configuring Twice NAT
Configuring Twice NAT
Configure service objects for
Optional Adding Service Objects for Real and Mapped Ports
Command Purpose
See the Adding Network Objects for Real and Mapped
See the Optional Adding Service Objects for Real and Mapped
Ports section on
Section and Line-Optional By default, the NAT rule is
Configure dynamic NAT. See the following guidelines
Anywhere in the applicable section using the line argument
You can optionally configure the following fallback
Command Purpose
Subnet 203.0.113.0
For a PAT pool
Subnet 2001DB8AAAA/96
Configuring Twice NAT
Detailed Steps
Mapped-Configure one of the following
Configures dynamic PAT hide. See the following guidelines
Interface-Routed mode only Specify the interface
Interface keyword enables interface PAT fallback. After
Command Purpose
Command Purpose
Subnet 192.168.1.0
Service tcp destination eq
Host 2001DB823
Source or Destination mapped ports
Source or Destination real ports
See the Static Interface NAT with Port Translation
Rule Order section on page 3-18for more information about
Examples
MAPPEDIPv6NW
Object
Subnet 2001DB8BBBB/96
OUTSIDEIPv6NW
Source real addresses you will typically use
Static Interface NAT with Port Translation section on
Monitoring Twice NAT
To monitor twice NAT, enter one of the following commands
Shows NAT statistics, including hits for each NAT rule
How many times they were allocated
Ciscoasaconfig# object network PATaddress1
Configuration Examples for Twice NAT
Add a network object for the inside network
Add a network object for the DMZ network
Configure the second twice NAT rule
Configure the first twice NAT rule
Add a service object for Telnet
Add a network object for the PAT address when using Telnet
Ciscoasaconfig# object network myInsideNetwork
Ciscoasaconfig# object network TelnetWebServer
Add a service object for Http
We modified the following command nat source static
Feature History for Twice NAT
Show nat, show xlate, show nat pool
Existing functionality. The unidirectional keyword is
Pat-pool mappedobject flat include-reserve
Nat-assigned-to-public-ip interface tunnel-group
Show nat pool
Configuring Access Control
Page
Information About Access Rules
Configuring Access Rules
Implicit Permits
General Information About Rules
Information About EtherType Rules,
Inbound and Outbound Rules
Implicit Deny
Outbound ACL
Transactional-Commit Model
Access Rules for Returning Traffic
Information About Extended Access Rules
Additional Guidelines and Limitations
Information About EtherType Rules
Management Access Rules
Supported EtherTypes and Other Traffic
Traffic Type Protocol or Port
Prerequisites
Licensing Requirements for Access Rules
Allowing Mpls
Supported in routed and transparent firewall modes
Configuring Access Rules
Default Settings
To apply an access rule, perform the following steps
Per-User ACL Guidelines
See Per-User ACL Guidelines,
Per-user-override option
To monitor network access, enter the following command
Monitoring Access Rules
Show running-config access-group
Hostname config# object-group service myaclog
Extended
Feature History for Access Rules
Permit deny is-is
Ipv6 access-list webtype, ipv6-vpn-filter
Extended, access-list webtype
Access-list extended, service-object, service
Transactional-commit,show running-config asp
Licensing Requirements for AAA Rules
AAA Performance
Information About Authentication
Configuring Authentication for Network Access
ASA Authentication Prompts
One-Time Authentication
AAA Prompts and Identity Firewall
Name name1@name2 Password password1@password2
Static PAT and Http
AAA Rules as a Backup Authentication Method
Nat inside,outside static 10.48.66.155 service tcp 111
Authentication include command which
Configuring Network Access Authentication
User-group any and user-group none can be
Lockout command
Ldap-over-ssl enable
Ldap-login-password
Aaa authentication match Auth inside Ldap
Protocol ldap
Enabling Secure Authentication of Web Clients
Authenticating Https Connections with a Virtual Server
Authenticating Directly with the ASA
Authenticating Telnet Connections with a Virtual Server
Authentication include command
Configuring TACACS+ Authorization
Configuring Authorization for Network Access
Authentication, while deny entries exclude matching
Authenticate. For details, see the general operations
Traffic from authentication. Be sure to include
FTP in the ACL, because the user must authenticate
Authorization include command which
Authentication match command
About the Downloadable ACL Feature and Cisco Secure ACS
Configuring Radius Authorization
ACSCiscoSecure-Defined-ACL=acl-set-name
Access-list aclname extended
Configuring Cisco Secure ACS for Downloadable ACLs
With the following text
Downloaded ACL on the ASA consists of the following lines
Ipinacl#nnn=
Filter-id=aclname
Configuring Accounting for Network Access
Authentication section on page 7-7. If you want
Information, see the Configuring Network Access
Access-list command
Accounting include command which
Configuring AAA Rules for Network Access
Mac-exempt match command
Feature History for AAA Rules
Page
Configuring Application Inspection
Page
How Inspection Engines Work
Getting Started with Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
Supports IPv6 for the following inspections
Failover Guidelines
323 H.225
Default Settings and NAT Limitations
IP Options
NetBIOS Name
Server over IP
SQL*Net
Smtp
Sun RPC over
Configuring Application Layer Protocol Inspection
View the entire class map using the following command
Ciscoasaconfig# policy-mapname ciscoasaconfig-pmap#
Keywords
Netbios mapname
Icmp Icmp error Ils
Ip-options mapname
Ipsec-pass-thru mapname
Sqlnet Sunrpc
Scansafe mapname
Tftp Waas Xdmcp
10-1
DNS Inspection
Information About DNS Inspection
Default Settings for DNS Inspection
General Information About DNS
DNS Inspection Actions
10-3
Do one of the following
Class-map type inspect dns match-all
10-4
Defining Actions in an Inspection Policy Map section on
Section the authority keyword specifies the Authority RR
Keyword specifies the question portion of a DNS message.
Section the additional keyword specifies the Additional RR
Section
10-6
Matches a DNS message domain name list. The regexname
Match not domain-name regex regexid
Message-length maximum length client length auto
Id-mismatch count number duration seconds action
Tsig enforced action drop log-Requires a Tsig
10-7
Layer 3/4 Class Maps section on page 1-12 for more
Configuring DNS Inspection
10-8
Dynamic-filter-snoop keyword, see the Enabling DNS
Monitoring DNS Inspection
10-9
FTP Inspection
Ciscoasa# show service-policy
FTP Inspection Overview
10-10
10-11
Using the strict Option
10-12
10-13
10-14
Ciscoasaconfig# policy-map type inspect ftp mymap
Http Inspection
Ciscoasaconfig# service-policy ftp-policy interface inside
Verifying and Monitoring FTP Inspection
Http Inspection Overview
10-16
10-17
Ciscoasaconfig-cmap#match not req-resp content-type mismatch
10-18
Ciscoasaconfig# policy-map type inspect http policymapname
10-19
Icmp Inspection
Icmp Error Inspection
Instant Messaging Inspection
IM Inspection Overview
10-21
Ciscoasaconfig-cmap#match not protocol im-yahoo im-msn
Conference games
10-22
Ciscoasaconfig# policy-map type inspect im policymapname
10-23
IP Options Inspection
10-24
IP Options Inspection Overview
IPsec Pass Through Inspection
Ciscoasaconfig-pmap-p#router-alert action allow clear
10-25
IPsec Pass Through Inspection Overview
IPv6 Inspection
Example for Defining an IPsec Pass Through Parameter Map
10-26
Optional Configuring an IPv6 Inspection Policy Map
Default Settings for IPv6 Inspection
Information about IPv6 Inspection
10-27
10-28
Routing-address count gt number -Sets the maximum
To enable IPv6 inspection, perform the following steps
Configuring IPv6 Inspection
10-29
NetBIOS Inspection Overview
NetBIOS Inspection
10-30
10-31
Smtp and Extended Smtp Inspection
Pptp Inspection
Smtp and Esmtp Inspection Overview
10-32
10-33
10-34
Ciscoasaconfig# policy-map type inspect esmtp policymapname
10-35
Tftp Inspection
10-36
Ctiqbe Inspection Overview
Ctiqbe Inspection
11-1
Verifying and Monitoring Ctiqbe Inspection
Limitations and Restrictions
11-2
11-3
Inspection
How H.323 Works
Inspection Overview
11-4
11-5
Support in H.245 Messages
11-6
Ciscoasaconfig# policy-map type inspect h323 policymapname
Ciscoasaconfig-cmap#match not media-type audio data video
11-7
Ciscoasaconfig-pmap-p#rtp-conformance enforce-payloadtype
Ciscoasaconfig# ras-rcf-pinholes enable
Ciscoasaconfig-pmap-p#state-checking h225 ras
11-8
Verifying and Monitoring H.323 Inspection
Configuring H.323 and H.225 Timeout Values
Monitoring H.225 Sessions
11-9
Monitoring H.323 RAS Sessions
Monitoring H.245 Sessions
11-10
Ciscoasa# show h323-ras
Mgcp Inspection Overview
Mgcp Inspection
11-11
11-12
Ciscoasaconfig# policy-map type inspect mgcp mapname
Following example shows how to define an Mgcp map
Configuring Mgcp Timeout Values
11-13
Verifying and Monitoring Mgcp Inspection
Rtsp Inspection
11-14
Rtsp Inspection Overview
Using RealPlayer
Restrictions and Limitations
11-15
11-16
Ciscoasaconfig-cmap#match not request-method method
11-17
Ciscoasaconfig# policy-map type inspect rtsp policymapname
SIP Inspection Overview
SIP Inspection
11-18
11-19
SIP Instant Messaging
11-20
11-21
Ciscoasaconfig-cmap#match not content length gt length
Ciscoasaconfig# policy-map type inspect sip policymapname
Ciscoasaconfig-cmap#match not uri sip tel length gt length
11-22
Ciscoasaconfig-pmap-p#uri-non-sip action mask log log
Ciscoasaconfig-pmap-p#software-version action mask log log
11-23
Skinny Sccp Inspection
Configuring SIP Timeout Values
Verifying and Monitoring SIP Inspection
11-24
Supporting Cisco IP Phones
Sccp Inspection Overview
11-25
11-26
Ciscoasaconfig# policy-map type inspect skinny policymapname
11-27
Ciscoasaconfig-pmap-p#sccp-prefix-len max min valuelength
11-28
Verifying and Monitoring Sccp Inspection
ILS Inspection, SQL*Net Inspection, Sun RPC Inspection,
ILS Inspection
12-1
12-2
SQL*Net Inspection
Sun RPC Inspection Overview
Sun RPC Inspection
12-3
Verifying and Monitoring Sun RPC Inspection
Managing Sun RPC Services
12-4
Ciscoasa# show sunrpc-server active
12-5
12-6
Dcerpc Overview
Dcerpc Inspection
13-1
13-2
Ciscoasaconfig# policy-map type inspect dcerpc policymapname
GTP Inspection Overview
GTP Inspection
13-3
13-4
Ciscoasaconfig# policy-map type inspect gtp policymapname
Ciscoasaconfig-network#network-object host
Ciscoasaconfig# object-group network GSN-pool-name
13-5
Ciscoasaconfig# object-group network sgsn32
Ciscoasaconfig# object-group network SGSN-name
13-6
Ciscoasa# show service-policy inspect gtp statistics
Ciscoasaconfig# service-policy globalpolicy global
Verifying and Monitoring GTP Inspection
13-7
Radius Accounting Inspection
Ciscoasa# show service-policy gtp statistics grep gsn
13-8
Radius Accounting Inspection Overview
Configure the service policy
13-9
Inspect radius-accounting radiusaccountingmap
Snmp Inspection
RSH Inspection
Snmp Inspection Overview
13-10
13-11
Xdmcp Inspection
13-12
Configuring Unified Communications
Page
14-1
14-2
Certificate for
Might not need
Phone proxy
Application
ASA Base License and Security Plus License 2 sessions
Model License Requirement1
ASA Base License 2 sessions
14-4
ASA 5585-X with Base License 2 sessions SSP-20, -40, or
ASA 5585-X with Base License 2 sessions SSP-10
14-5
14-6
IME
Cisco Presence Federation Proxy
Cisco Mobility Advantage Proxy
Cisco Intercompany Media Engine Proxy
15-1
15-2
15-3
Licensing Requirements for the Unified Communication Wizard
15-4
Supports IPv6 addresses
15-5
Configuring the Private Network for the Phone Proxy
Click the Generate and Export LDC Certificate button
Configuring Servers for the Phone Proxy
15-6
15-7
Address Default Port Description
15-8
15-9
Configuring the Public IP Phone Network
15-10
15-11
15-12
15-13
15-14
Certificate,
Dialog box. See Installing a Certificate,
15-15
15-16
15-17
Off-path Deployment
Basic Deployment
15-18
15-19
15-20
Cisco UCMs need to be installed on the security appliance
Wizard supports using self-signed certificates only
Supports installing self-signed certificates
Other, respectively, during TLS handshakes
15-22
Exporting an Identity Certificate
Installing a Certificate
15-23
15-24
Click Install Certificate
15-25
Saving the Identity Certificate Request
15-26
15-27
15-28
Phone Proxy Functionality
Information About the Cisco Phone Proxy
16-1
TCP/RTP TLS/SRTP
16-2
Cisco Unified Communications Manager
Supported Cisco UCM and IP Phones for the Phone Proxy
Cisco Unified IP Phones
16-3
16-4
Licensing Requirements for the Phone Proxy
16-5
Media Termination Instance Prerequisites
Prerequisites for the Phone Proxy
This section contains the following topics
16-6
DNS Lookup Prerequisites
Certificates from the Cisco UCM
Cisco Unified Communications Manager Prerequisites
ACL Rules
Address Port Protocol Description
NAT and PAT Prerequisites
NAT Prerequisites
PAT Prerequisites
7940 IP Phones Support
Prerequisites for IP Phones on Multiple Interfaces
There must be two CTL file record entries for the Cisco UCM
16-9
Cisco IP Communicator Prerequisites
Cipc security-mode authenticated
16-10
Prerequisites for Rate Limiting Tftp Requests
Rate Limiting Configuration Example
Icmp deny any outside
16-11
End-User Phone Provisioning
Phone Proxy Guidelines and Limitations
Ways to Deploy IP Phones to End Users
16-12
16-13
General Guidelines and Limitations
Media Termination Address Guidelines and Limitations
Configuring the Phone Proxy
16-14
Choose Security Certificate Management
Importing Certificates from the Cisco UCM
16-15
Hostnameconfig# crypto ca trustpoint trustpointname
Authenticating IP phones with an LSC
Hostnameconfig# crypto ca authenticate trustpoint
Certificate Name Required for
16-17
Creating Trustpoints and Generating Certificates
Prerequisites
Creating the CTL File
What to Do Next
16-18
16-19
16-20
Using an Existing CTL File
16-21
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
16-22
Cucm/cucos/504/iptpch6.html#wp1040848
Creating the Media Termination Instance
Cucm/cucos/504/iptpch6.html#wp1040354
16-23
See Media Termination Instance Prerequisites
Creating the Phone Proxy Instance
16-24
16-25
See Creating the Media Termination Instance
See Cisco IP Communicator Prerequisites
Enabling the Phone Proxy with SIP and Skinny Inspection
16-26
16-27
Configuring Your Router
Troubleshooting the Phone Proxy
Debugging Information from the Security Appliance
16-28
16-29
Use the Command
16-30
Debugging Information from IP Phones
Show asp drop
Show asp table classify domain
Show conn all
16-32
Debugging Information from IP Phones
Problem The IP phone displays the following Status message
Tftp Auth Error Displays on IP Phone Console
IP Phone Registration Failure
16-33
Configuration File Parsing Error Unable to Get DNS Response
Configuration File Parsing Error
Ciscoasa# show running-config all ctl-file ctlname
16-34
Phone-proxy tftp
Non-configuration File Parsing Error
16-35
Hostname# debug phone-proxy tftp
Hostname# capture out interface outside
16-36
Hostnameconfig# show running-config all phone-proxy
IP Phone Requesting Unsigned File Error
IP Phone Unable to Download CTL File
16-37
16-38
IP Phone Registration Failure from Signaling Connections
Debug sip Debug skinny
To add the required ciphers, enter the following command
16-39
Hostname# show run all ssl
16-40
SSL Handshake Failure
Certificate Validation Errors
Media Termination Address Errors
16-41
Saving Sast Keys
Audio Problems with IP Phones
16-42
16-43
16-44
Configuration Examples for the Phone Proxy
Record-entry cucm trustpoint trustpoint address address
Record-entry capf trustpoint trustpoint address address
Corporate Network
16-45
Fqdn my-ldc-ca.exmaple.com
16-46
Phone a 10.10.0.24
16-47
16-48
ASA Outside Interface Phone a 10.10.0.24
16-49
16-50
16-51
Enroll terminal crypto ca authenticate capf ctl-file myctl
16-52
Example 6 Vlan Transversal
ASA Inside Interface 10.130.50.24
16-53
16-54
Feature History for the Phone Proxy
17-1
17-2
Supported Cisco UCM and IP Phones for the TLS Proxy
17-3
CTL Client Overview
17-4
CTL Client TLS Proxy Features ASA IP Address or Domain Name
17-5
Licensing for the TLS Proxy
17-6
17-7
Configuring the TLS Proxy for Encrypted Voice Inspection
Ciscoasaconfig# show crypto ca server certificate
Ciscoasaconfig# tls-proxy maximum-sessions
17-8
17-9
17-10
Creating an Internal CA
17-11
Creating a CTL Provider Instance
17-12
Creating the TLS Proxy Instance
17-13
Crypto ca trustpoint command
17-14
17-15
Monitoring the TLS Proxy
AES128-SHA
17-16
TLS Proxy TLS proxy feature was introduced
2lists the release history for this feature
17-17
17-18
18-1
Cisco Mobility Advantage Proxy Functionality
Mobility Advantage Proxy Deployment Scenarios
Hostnameconfig-tlsp#no server authenticate-client
18-2
TLS
18-3
Versus
Mobility Advantage Proxy Using NAT/PAT
18-4
18-5
Trust Relationships for Cisco UMA Deployments
Longer requires a Unified Communications Proxy license
Configuring Cisco Mobility Advantage
18-6
Installing the Cisco UMA Server Certificate
Task Flow for Configuring Cisco Mobility Advantage
Enabling the TLS Proxy for MMP Inspection,
18-7
18-8
18-9
Enabling the TLS Proxy for MMP Inspection
Enables the service policy on all interfaces
Exits from the Policy Map configuration mode
Monitoring for Cisco Mobility Advantage
18-10
18-11
Configuration Examples for Cisco Mobility Advantage
18-12
18-13
18-14
Feature History for Cisco Mobility Advantage
19-1
Information About Cisco Unified Presence
19-2
Ciscoasaconfig# object network obj-10.0.0.2-01
19-3
19-4
Trust Relationship in the Presence Federation
19-5
Xmpp Federation Deployments
Configure the following NAT commands
Configuration Requirements for Xmpp Federation
Allow traffic from any address to any single node on port
19-6
19-7
Licensing for Cisco Unified Presence
19-8
Configuring Cisco Unified Presence Proxy for SIP Federation
19-9
Install the certificates. See Installing Certificates,
Trustpoint for the remote entity
Installing Certificates
19-10
19-11
19-12
Enabling the TLS Proxy for SIP Inspection
Trust-pointcommand is the remote entity proxy
19-13
Example Configuration for SIP Federation Deployments,
Configuration Example for Cisco Unified Presence
Monitoring Cisco Unified Presence
19-14
19-15
Example Configuration for SIP Federation Deployments
19-16
19-17
Example ACL Configuration for Xmpp Federation
19-18
Example NAT Configuration for Xmpp Federation
19-19
19-20
Feature History for Cisco Unified Presence
20-1
Features of Cisco Intercompany Media Engine Proxy
20-2
How the UC-IME Works with the Pstn and the Internet
20-3
Tickets and Passwords
20-4
Call Fallback to the Pstn
Architecture, Basic Deployment, Off Path Deployment,
Architecture
20-5
20-6
Basic Deployment
Off Path Deployment
Licensing for Cisco Intercompany Media Engine
20-7
Supported in routed firewall mode only
Supported in single context mode only
Does not support IPv6 addresses
20-8
20-9
Task Flow for Configuring Cisco Intercompany Media Engine
Configuring Cisco Intercompany Media Engine Proxy
20-10
Create the TLS proxy. See Creating the TLS Proxy,
Configuring NAT for Cisco Intercompany Media Engine Proxy
20-11
20-12
Cisco UCM that you want to translate
20-13
Configuring PAT for the Cisco UCM Server
20-14
20-15
Creating ACLs for Cisco Intercompany Media Engine Proxy
Guidelines
Procedure
20-16
See Creating the Cisco Intercompany Media Engine
Creating the Cisco Intercompany Media Engine Proxy
20-17
20-18
20-19
Show running-config uc-ime command
20-20
20-21
Prerequisites for Installing Certificates
20-22
Creating Trustpoints and Generating
Creating the TLS Proxy
Certificates section on
20-23
20-24
ACLs for Cisco Intercompany Media Engine Proxy
Created in , page 20-15of the task Creating
20-25
Where policymapname is the name of the policy
Optional Configuring TLS within the Local Enterprise
Map you created in of this task
20-26
20-27
Commands Purpose
Where proxytrustpoint for the client trust-point
Where proxytrustpoint for the server trust-point
20-28
20-29
Optional Configuring Off Path Signaling
Creating the Cisco Intercompany Media
Intercompany Media Engine Proxy,
Engine Proxy,
20-30
20-31
20-32
20-33
Show uc-ime signaling-sessions
Show uc-ime media-sessions detail
Show uc-ime signaling-sessions statistics
20-34
Show uc-ime mapping-service-sessions statistics
Show uc-ime mapping-service-sessions
Show uc-ime fallback-notification statistics
20-35
20-36
Configuring Connection Settings and QoS
Page
22-1
Information About Connection Settings
Dead Connection Detection DCD
TCP Intercept and Limiting Embryonic Connections
22-2
TCP Normalization
TCP Sequence Randomization
TCP State Bypass
22-3
22-4
Licensing Requirements for Connection Settings
Maximum Concurrent and Embryonic Connection Guidelines
TCP State Bypass Unsupported Features
TCP State Bypass
TCP Normalizer
Task Flow For Configuring Connection Settings
Configuring Connection Settings
For each TCP map, you can customize one or more settings
Customizing the TCP Normalizer with a TCP Map
22-7
22-8
Command
22-9
Command
22-10
Urgent-flag allow clear
Configuring Connection Settings
Window-variation allow drop
22-11
22-12
TCP Sequence Randomization section on page 22-3 section for
Random-sequence-number enable disable keyword
Embryonic-conn-max keywords
22-13
Embryonic hh mm ss keyword sets the timeout period until a
Command in the command reference
Idle hh mm ss keyword sets the idle timeout period after
To 0, which means the connection never times out
Configuration Examples for Connection Settings
Monitoring Connection Settings
Configuration Examples for Connection Limits and Timeouts
22-15
Configuration Examples for TCP Normalization
Configuration Examples for TCP State Bypass
Following is a sample configuration for TCP state bypass
22-16
22-17
Feature History for Connection Settings
Conn-max,set connection embryonic-conn-max,set
Timeout half-closed,timeout half-closed
Connection per-client-embryonic-max,set connection
Per-client-max
23-1
Information About QoS
What is a Token Bucket?
Supported QoS Features
23-2
Information About Priority Queuing
Information About Policing
23-3
Information About Traffic Shaping
How QoS Features Interact
23-4
Dscp and DiffServ Preservation
Licensing Requirements for QoS
Does not support IPv6
Model Guidelines
23-6
Configuring QoS
125
Mbps
Kbps
23-7
Priority queue, or for the ASA 5505 or ASASM, the Vlan
Configuring the Standard Priority Queue for an Interface
Interface name
23-8
23-9
23-10
23-11
Step
23-12
23-13
23-14
Configuring the Service Rule
Priority Queuing Policy section on
Multiple of 8000. See the Information About Traffic Shaping
23-15
Monitoring QoS
Ciscoasa# show service-policy police
Viewing QoS Police Statistics
23-16
Viewing QoS Shaping Statistics
Viewing QoS Standard Priority Statistics
23-17
23-18
Viewing QoS Standard Priority Queue Statistics
Ciscoasa# show priority-queue statistics test
23-19
Feature History for QoS
23-20
Testing Your Configuration
Troubleshooting Connections and Resources
24-1
24-2
Enabling Icmp Debugging Messages and Syslog Messages
24-3
Pinging ASA Interfaces
24-4
ASA
24-5
Passing Traffic Through the ASA
24-6
Disabling the Test Configuration
Determining Packet Routing with Traceroute
Monitoring Per-Process CPU Usage
Tracing Packets with Packet Tracer
24-7
24-8
Configuring Advanced Network Protection
Page
25-1
Configuring the ASA for Cisco Cloud Web Security
Information About Cisco Cloud Web Security
User Authentication and Cloud Web Security
Redirection of Web Traffic to Cloud Web Security
25-2
Company Authentication Key Group Authentication Key
Authentication Keys
Company Authentication Key, Group Authentication Key,
25-3
Directory Groups
ScanCenter Policy
Custom Groups
25-4
Cloud Web Security Actions
How Groups and the Authentication Key Interoperate
25-5
Licensing Requirements for Cisco Cloud Web Security
Failover from Primary to Backup Proxy Server
Bypassing Scanning with Whitelists
IPv4 and IPv6 Support
Prerequisites for Cloud Web Security
Optional User Authentication Prerequisites
Optional Fully Qualified Domain Name Prerequisites
25-7
By default, Cisco Cloud Web Security is not enabled
Configuring Cisco Cloud Web Security
25-8
25-9
See the Authentication Keys section on
25-10
Config-url disk0/onectx.cfg Context two
25-11
Optional Configuring Whitelisted Traffic section on
25-12
Adding an Extended Access Control List,
25-13
Policy section on page 1-17for more information
25-14
25-15
Optional Configuring Whitelisted Traffic
Configuring the Cloud Web Security Policy
Optional Configuring the User Identity Monitor
Object-group-user-Specifies an object-group user name
25-16
Http//Whoami.scansafe.net
Monitoring Cloud Web Security
25-17
Single Mode Example
Configuration Examples for Cisco Cloud Web Security
25-18
Whitelist Example
Multiple Mode Example
To attach class-maps to the Cloud Web Security Policy map
25-19
Directory Integration Examples
Configuring the Active Directory Server Using Ldap
25-20
Testing the AD Agent
Configuring the Active Directory Agent Using Radius
Configuring the Identity Options on the ASA
Creating the ASA as a Client on the AD Agent Server
Monitoring the Active Directory Groups
Cloud Web Security with Identity Firewall Example
Downloading the Database from the AD Agent
Showing a List of Active Users
25-23
Aaa-server AD inside host 192.168.116.220 server-port
25-24
No call-home reporting anonymous call-home
25-25
Related Documents
Feature History for Cisco Cloud Web Security
Related Documents
25-26
Botnet Traffic Filter Address Types,
Information About the Botnet Traffic Filter
26-1
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Address Types
Botnet Traffic Filter Databases
Information About the Dynamic Database
26-3
Information About the Static Database
26-4
26-5
How the Botnet Traffic Filter Works
Prerequisites for the Botnet Traffic Filter
Licensing Requirements for the Botnet Traffic Filter
26-6
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
26-7
26-8
Configuring the Dynamic Database
See the Adding Entries to the Static Database section on
Adding Entries to the Static Database
26-9
See the Enabling DNS Snooping section on
Enabling DNS Snooping
TCP DNS traffic is not supported
26-10
26-11
26-12
Inspection section on page 10-1 for more information about
26-13
Recommended Configuration
See the Blocking Botnet Traffic Manually section on
Subset of the dynamic-filter enable ACL
Threat-level range moderate very-high
Very-low Low Moderate High Very-high
Blocking Botnet Traffic Manually
For dropping purposes. If you do not enable this command
About the greylist
26-15
26-16
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Commands
Botnet Traffic Filter Syslog Messaging
26-17
Dns-snoop command
Infected-hosts command
26-18
Recommended Configuration Example
Configuration Examples for the Botnet Traffic Filter
26-19
Ciscoasa# show dynamic-filter reports top malware-ports
26-20
Other Configuration Examples
Outside
26-21
26-22
Feature History for the Botnet Traffic Filter
Information About Threat Detection
Configuring Threat Detection
Licensing Requirements for Threat Detection
27-1
Information About Basic Threat Detection Statistics
Configuring Basic Threat Detection Statistics
27-2
Guidelines and Limitations
Trigger Settings Packet Drop Reason Average Rate Burst Rate
Security Context Guidelines
Types of Traffic Monitored
27-4
Configuring Basic Threat Detection Statistics
Threat Detection Statistics section on
Monitoring Basic Threat Detection Statistics
27-5
Feature History for Basic Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
27-6
27-7
Configuring Advanced Threat Detection Statistics
27-8
27-9
Monitoring Advanced Threat Detection Statistics
27-10
27-11
Using the show threat-detection rate acl-drop command
Statistics
Protocolnumber argument is an integer between 0
Field
27-12
27-13
Field Description
27-14
Feature History for Advanced Threat Detection Statistics
Information About Scanning Threat Detection
Configuring Scanning Threat Detection
27-15
27-16
Average Rate Burst Rate
Configuration see the Configuring Basic Threat Detection
Configuring Scanning Threat Detection
Monitoring Shunned Hosts, Attackers, and Targets
Displays the hosts that are currently shunned
27-18
Feature History for Scanning Threat Detection
27-19
Configuration Examples for Threat Detection
27-20
28-1
Preventing IP Spoofing
Blocking Unwanted Connections
Configuring the Fragment Size
28-2
Configuring IP Audit
Configuring IP Audit for Basic IPS Support
Configuring IP Audit, IP Audit Signature List,
28-3
1lists supported signatures and system message numbers
IP Audit Signature List
Signature Message Number Signature Title
28-4
28-5
28-6
28-7
28-8
29-1
Information About Web Traffic Filtering
Licensing Requirements for ActiveX Filtering
Configuring ActiveX Filtering
Information About ActiveX Filtering
29-2
Configuration Examples for ActiveX Filtering
Configuring ActiveX Filtering
Guidelines and Limitations for ActiveX Filtering
29-3
Feature History for ActiveX Filtering
Configuring Java Applet Filtering
Information About Java Applet Filtering
Licensing Requirements for Java Applet Filtering
Configuration Examples for Java Applet Filtering
Configuring Java Applet Filtering
Guidelines and Limitations for Java Applet Filtering
29-5
Filtering URLs and FTP Requests with an External Server
Feature History for Java Applet Filtering
Information About URL Filtering
29-6
Guidelines and Limitations for URL Filtering
Licensing Requirements for URL Filtering
29-7
Choose from the following options
Identifying the Filtering Server
29-8
29-9
Buffering the Content Server Response
Configuring Additional URL Filtering Settings
Replaces block-buffer with the maximum number of Http
Maximum memory allocation of 2 KB to 10 MB
Filtering Http URLs
Caching Server Addresses
On the Websense server
Websense server
29-12
29-13
Filtering Https URLs
Might enter cd ./files instead of cd /public/files
Filtering FTP Requests
29-14
Monitoring Filtering Statistics
Following is sample output from the show url-servercommand
29-15
Ciscoasa# show url-server
Following is sample output from the show perfmon command
Following is sample output from the show url-blockcommand
Following is sample output from the show filter command
29-16
29-17
Feature History for URL Filtering
29-18
Configuring Modules
Page
30-1
Information About the ASA CX Module
30-2
How the ASA CX Module Works with the ASA
Service Policy in Monitor-Only Mode
Monitor-Only Mode
Traffic-Forwarding Interface in Monitor-Only Mode
30-3
Initial Configuration, Policy Configuration and Management,
Initial Configuration
Information About ASA CX Management
30-4
Compatibility with ASA Features
Information About Authentication Proxy
Policy Configuration and Management
Information About VPN and the ASA CX Module
30-6
Licensing Requirements for the ASA CX Module
ASA Clustering Guidelines
Monitor-Only Mode Guidelines
Does not support clustering
30-7
See the Compatibility with ASA Features section on
Configuring the ASA CX Module
Parameters Default
Task Flow for the ASA CX Module
ASA 5585-X Hardware Module
Connecting the ASA CX Management Interface
30-9
If you do not have an inside router
If you have an inside router
30-10
30-11
ASA 5512-X through ASA 5555-X Software Module
30-12
Partition the SSD
Example
30-13
ASA 5585-X Changing the ASA CX Management IP Address
Session 1 do setup host ip
Sets the ASA CX management IP address, mask, and gateway
30-14
30-15
Configuring Basic ASA CX Settings at the ASA CX CLI
Ciscoasa# session cxsc console
Enter an IPv6 address 2001DB80CD301234/64
Asacx config passwd
Change the admin password by entering the following command
30-16
30-17
Optional Configuring the Authentication Proxy Port
Redirecting Traffic to the ASA CX Module
Creating the ASA CX Service Policy
30-18
30-19
See the Monitor-Only Mode section on page 30-3 for more
See the Feature Matching Within a Service Policy section on
Configuring Traffic-Forwarding Interfaces Monitor-Only Mode
30-20
30-21
Managing the ASA CX Module
Reloading or Resetting the Module
Resetting the Password
For a software module ASA 5512-X through ASA
30-22
30-23
Shutting Down the Module
New module type
Sw-module module cxsc uninstall
30-24
Reload
Monitoring the ASA CX Module
Admin123
Showing Module Status
30-25
30-26
Showing Module Statistics
30-27
Monitoring Module Connections
‘X’ flag
Dp-cp
30-28
Show asp event dp-cp cxsc-msg
Ciscoasa# show asp drop
30-29
Ciscoasa# show asp event dp-cp cxsc-msg
Capturing Module Traffic
Troubleshooting the ASA CX Module
Debugging the Module
30-30
30-31
Problems with the Authentication Proxy
Check the authentication proxy port
Configuration Examples for the ASA CX Module
Check the authentication proxy rules
30-32
30-33
Feature History for the ASA CX Module
Fail-close fail-openmonitor-only,traffic-forward
We modified or introduced the following commands cxsc
Cxsc monitor-only
30-34
Asadataplane
Capture interface asadataplane command
30-35
30-36
31-1
Information About the ASA IPS Module
31-2
How the ASA IPS Module Works with the ASA
Operating Modes
Using Virtual Sensors ASA 5510 and Higher
31-3
31-4
Information About Management Access
31-5
Licensing Requirements for the ASA IPS module
Management Vlan ASA 5505 only
1lists the default settings for the ASA IPS module
31-6
Task Flow for the ASA IPS Module
Configuring the ASA IPS module
31-7
31-8
Connecting the ASA IPS Management Interface
31-9
31-10
ASA
Sessioning to the Module from the ASA
ASA 5512-X through ASA 5555-X Booting the Software Module
31-11
For example, using the filename in the example in , enter
Configuring Basic IPS Module Network Settings
Ciscoasa# sw-module module ips recover boot
31-12
ASA 5505 Configuring Basic Network Settings
ASA 5510 and Higher Configuring Basic Network Settings
Connecting the ASA IPS Management Interface section on
Sessioning to the Module from the ASA Section on
31-14
Details command
Configuring the Security Policy on the ASA IPS Module
31-15
31-16
31-17
31-18
Diverting Traffic to the ASA IPS module
31-19
31-20
Managing the ASA IPS module
Installing and Booting an Image on the Module
IPS module
31-21
31-22
Sw-module module ips uninstall
Uninstalling a Software Module Image
For a software module for example, the ASA 5545-X
31-23
For a software module for example, the ASA
Sw-module module ips password-reset
31-24
Ips for a software module
Monitoring the ASA IPS module
31-25
31-26
Configuration Examples for the ASA IPS module
Ciscoasa# show module ips
Allow-ssc-mgmt,hw-module module ip, and hw-module
Feature History for the ASA IPS module
Module allow-ip
31-27
Session, show module, sw-module
Inventory, show environment
31-28
32-1
Information About the CSC SSM
32-2
ASA
32-3
Determining What Traffic to Scan
32-4
Common Network Configuration for CSC SSM Scanning
Prerequisites for the CSC SSM
Licensing Requirements for the CSC SSM
32-5
Parameter Default
1lists the default settings for the CSC SSM
Supported in single and multiple context modes
32-6
Before Configuring the CSC SSM
Configuring the CSC SSM
32-7
See the Connecting to the CSC SSM section on
Connecting to the CSC SSM
32-8
32-9
See the Diverting Traffic to the CSC SSM section on
Diverting Traffic to the CSC SSM
Determining What Traffic to Scan section on
32-10
32-11
32-12
Guidelines and Limitations section on
See the Monitoring the CSC SSM section on
Monitoring the CSC SSM
Displays the status
Displays additional status information
Installing an Image on the Module
Troubleshooting the CSC Module
32-14
Recover command
Resetting the Password
32-15
32-16
Reloading or Resetting the Module
Ciscoasaconfig-cmap#policy-map cscinpolicy
Configuration Examples for the CSC SSM
Shutting Down the Module
Shuts down the module
Related Topic Document Title
Additional References
Instructions on use of the CSC SSM GUI
Assistance with the Startup Wizard
Feature Name Platform Releases Feature Information
Feature History for the CSC SSM
Details recover
32-19
32-20
IN-1
IN-2
IN-3
IN-4
IN-5
LDP 6-7router-id 6-7TDP Multi-session PAT
See also policy map
RPC not supported with
IN-6
IN-7
IN-8
IN-9
IN-10
