Cisco Systems and the ASA Services Module, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Getting Started with Application Layer Protocol Inspection

CHAPTE R

9-1

Cisco ASA Series Firewall CLI Configuration Guide

9

Getting Started with Application Layer Protocol Inspection

This chapter describes how to configure application layer protocol inspection. Inspection engines are

required for services that embed IP addressing information in the user data packet or that open secondary

channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection

instead of passing the packet through the fast path (see the general operations configuration guide for

more information about the fast path). As a result, inspection engines can affect overall throughput.

Several common inspection engines are enabled on the ASA by default, but you might need to enable

others depending on your network.

This chapter includes the following sections:

•Information about Application Layer Protocol Inspection, page9-1

•Guidelines and Limitations, page9-3

•Default Settings and NAT Limitations, page9-4

•Configuring Application Layer Protocol Inspection, page9-7

Information about Application Layer Protocol Inspection

This section includes the following topics:

•How Inspection Engines Work, page9-1

•When to Use Application Protocol Inspection, page 9-2

How Inspection Engines Work

As illustrated in Figure 9-1, the ASA uses three databases for its basic operation:

•ACLs—Used for authentication and authorization of connections based on specific networks, hosts,

and services (TCP/UDP port numbers).

•Inspections—Contains a static, predefined set of application-level inspection functions.

•Connections (XLATE and CONN tables)—Maintains state and other information about each

established connection. This information is used by the Adaptive Security Algorithm and

cut-through proxy to efficiently forward traffic within established sessions.

Contents

Main Cisco Systems, Inc. www.cisco.com Cisco ASA Series Firewall CLI Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This Guide Document Objectives Related Documentation Conventions Obtaining Documentation and Submitting a Service Request Page Page Configuring a Service Policy Using the Modular Policy Framework Information About Service Policies Supported Features Feature Directionality Feature Matching Within a Service Policy Order in Which Multiple Feature Actions are Applied Incompatibility of Certain Feature Actions Feature Matching for Multiple Service Policies Licensing Requirements for Service Policies Page Default Configuration Default Class Maps Task Flows for Configuring Service Policies Task Flow for Using the Modular Policy Framework Page Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping Identifying Traffic (Layer 3/4 Class Maps) Creating a Layer 3/4 Class Map for Through Traffic Page Creating a Layer 3/4 Class Map for Management Traffic Defining Actions (Layer 3/4 Policy Map) Page Applying Actions to an Interface (Service Policy) Monitoring Modular Policy Framework Configuration Examples for Modular Policy Framework 1-19 Applying Inspection and QoS Policing to HTTP Traffic Applying Inspection to HTTP Traffic Globally 1-20 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers port 1-21 Applying Inspection to HTTP Traffic with NAT Feature History for Service Policies Configuring Special Actions for Application Inspections (Inspection Policy Map) Information About Inspection Policy Maps Page Default Inspection Policy Maps Defining Actions in an Inspection Policy Map Identifying Traffic in an Inspection Class Map Page Feature History for Inspection Policy Maps Page Page Page Information About NAT Why Use NAT? NAT Terminology NAT Types NAT Types Overview Static NAT Information About Static NAT Information About Static NAT with Port Translation Information About Static NAT with Port Address Translation Static NAT with Identity Port Translation Static NAT with Port Translation for Non-Standard Ports Static Interface NAT with Port Translation Information About One-to-Many Static NAT Information About Other Mapping Scenarios (Not Recommended) Dynamic NAT Information About Dynamic NAT Dynamic NAT Disadvantages and Advantages Dynamic PAT Information About Dynamic PAT Per-Session PAT vs. Multi-Session PAT Dynamic PAT Disadvantages and Advantages Identity NAT NAT in Routed and Transparent Mode NAT in Routed Mode NAT in Transparent Mode Page NAT and IPv6 How NAT is Implemented Main Differences Between Network Object NAT and Twice NAT Information About Network Object NAT Information About Twice NAT Page Page Page NAT Rule Order NAT Interfaces Routing NAT Packets Mapped Addresses and Routing Transparent Mode Routing Requirements for Remote Networks Determining the Egress Interface NAT for VPN NAT and Remote Access VPN 3-24 See the following sample NAT configuration for the above network: NAT and Site-to-Site VPN 3-25 See the following sample NAT configuration for ASA1 (Boulder): 3-26 See the following sample NAT configuration for ASA2 (San Jose): NAT and VPN Management Access Page Troubleshooting NAT and VPN DNS and NAT Page 3-30 Page 3-32 Page Page Configuring Network Object NAT Information About Network Object NAT Licensing Requirements for Network Object NAT Prerequisites for Network Object NAT Page Configuring Network Object NAT Adding Network Objects for Mapped Addresses Configuring Dynamic NAT Page Configuring Dynamic PAT (Hide) Page Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Page Configuring Identity NAT Example Configuring Per-Session PAT Rules Defaults Monitoring Network Object NAT Configuration Examples for Network Object NAT Providing Access to an Inside Web Server (Static NAT) NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT) 4-20 Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many) Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) 4-24 4-25 4-26 is a one-to-one translation, configure the net-to-net method for NAT46. Page Feature History for Network Object NAT Page Page Page Page Configuring Twice NAT Information About Twice NAT Licensing Requirements for Twice NAT Prerequisites for Twice NAT Page Configuring Twice NAT Adding Network Objects for Real and Mapped Addresses Page (Optional) Adding Service Objects for Real and Mapped Ports Configuring Dynamic NAT Page Page Page Configuring Dynamic PAT (Hide) Page Page Page Page Page 5-17 Configuring Static NAT or Static NAT-with-Port-Translation Page Page Configuring Identity NAT Page Page Configuring Per-Session PAT Rules Monitoring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the Destination (Dynamic PAT) Page Different Translation Depending on the Destination Address and Port (Dynamic PAT) Page Feature History for Twice NAT Page Page Page Page Page Configuring Access Rules Information About Access Rules General Information About Rules Implicit Permits Information About Interface Access Rules and Global Access Rules Using Access Rules and EtherType Rules on the Same Interface Implicit Deny Inbound and Outbound Rules Transactional-Commit Model Guidelines and Limitations Information About Extended Access Rules Access Rules for Returning Traffic Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules Management Access Rules Information About EtherType Rules Supported EtherTypes and Other Traffic Access Rules for Returning Traffic Allowing MPLS Licensing Requirements for Access Rules Prerequisites Configuring Access Rules Page Monitoring Access Rules Configuration Examples for Permitting or Denying Network Access Feature History for Access Rules Page Configuring AAA Rules for Network Access AAA Performance Licensing Requirements for AAA Rules Configuring Authentication for Network Access Information About Authentication One-Time Authentication Applications Required to Receive an Authentication Challenge ASA Authentication Prompts AAA Prompts and Identity Firewall AAA Rules as a Backup Authentication Method Static PAT and HTTP Page Configuring Network Access Authentication Page Page Enabling Secure Authentication of Web Clients Authenticating Directly with the ASA Authenticating HTTP(S) Connections with a Virtual Server Authenticating Telnet Connections with a Virtual Server Page Configuring Authorization for Network Access Configuring TACACS+ Authorization Page Page Configuring RADIUS Authorization Configuring a RADIUS Server to Send Downloadable Access Control Lists About the Downloadable ACL Feature and Cisco Secure ACS Page Configuring Cisco Secure ACS for Downloadable ACLs Configuring Any RADIUS Server for Downloadable ACLs Converting Wildcard Netmask Expressions in Downloadable ACLs Configuring a RADIUS Server to Download Per-User Access Control List Names Configuring Accounting for Network Access Page Using MAC Addresses to Exempt Traffic from Authentication and Authorization Page Feature History for AAA Rules Page Page Page Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection How Inspection Engines Work When to Use Application Protocol Inspection Page Default Settings and NAT Limitations Page Page Configuring Application Layer Protocol Inspection Page Page Page Page Page Configuring Inspection of Basic Internet Protocols DNS Inspection Information About DNS Inspection General Information About DNS DNS Inspection Actions Default Settings for DNS Inspection (Optional) Configuring a DNS Inspection Policy Map and Class Map Page Page Page Page Configuring DNS Inspection Monitoring DNS Inspection FTP Inspection FTP Inspection Overview Using the strict Option Configuring an FTP Inspection Policy Map for Additional Inspection Control Page Page Verifying and Monitoring FTP Inspection HTTP Inspection HTTP Inspection Overview Configuring an HTTP Inspection Policy Map for Additional Inspection Control Page Page Page ICMP Inspection ICMP Error Inspection Instant Messaging Inspection IM Inspection Overview Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control Page IP Options Inspection IP Options Inspection Overview Configuring an IP Options Inspection Policy Map for Additional Inspection Control IPsec Pass Through Inspection IPsec Pass Through Inspection Overview Example for Defining an IPsec Pass Through Parameter Map IPv6 Inspection Information about IPv6 Inspection Default Settings for IPv6 Inspection (Optional) Configuring an IPv6 Inspection Policy Map Page Configuring IPv6 Inspection NetBIOS Inspection NetBIOS Inspection Overview Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control Page PPTP Inspection SMTP and Extended SMTP Inspection SMTP and ESMTP Inspection Overview Configuring an ESMTP Inspection Policy Map for Additional Inspection Control Page TFTP Inspection Page Configuring Inspection for Voice and Video Protocols CTIQBE Inspection CTIQBE Inspection Overview Limitations and Restrictions Verifying and Monitoring CTIQBE Inspection H.323 Inspection H.323 Inspection Overview How H.323 Works H.239 Support in H.245 Messages Limitations and Restrictions Configuring an H.323 Inspection Policy Map for Additional Inspection Control Page Page Configuring H.323 and H.225 Timeout Values Verifying and Monitoring H.323 Inspection Monitoring H.225 Sessions Monitoring H.245 Sessions Monitoring H.323 RAS Sessions MGCP Inspection MGCP Inspection Overview Configuring an MGCP Inspection Policy Map for Additional Inspection Control Configuring MGCP Timeout Values Verifying and Monitoring MGCP Inspection RTSP Inspection RTSP Inspection Overview Using RealPlayer Restrictions and Limitations Configuring an RTSP Inspection Policy Map for Additional Inspection Control Page SIP Inspection SIP Inspection Overview SIP Instant Messaging Configuring a SIP Inspection Policy Map for Additional Inspection Control Page Page Page Configuring SIP Timeout Values Verifying and Monitoring SIP Inspection Skinny (SCCP) Inspection SCCP Inspection Overview Supporting Cisco IP Phones Restrictions and Limitations Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control Page Verifying and Monitoring SCCP Inspection Configuring Inspection of Database and Directory Protocols ILS Inspection SQL*Net Inspection Sun RPC Inspection Sun RPC Inspection Overview Managing Sun RPC Services Verifying and Monitoring Sun RPC Inspection Page Page Configuring Inspection for Management Application Protocols DCERPC Inspection DCERPC Overview Configuring a DCERPC Inspection Policy Map for Additional Inspection Control GTP Inspection GTP Inspection Overview Configuring a GTP Inspection Policy Map for Additional Inspection Control Page Page Verifying and Monitoring GTP Inspection RADIUS Accounting Inspection RADIUS Accounting Inspection Overview Configuring a RADIUS Inspection Policy Map for Additional Inspection Control RSH Inspection SNMP Inspection SNMP Inspection Overview Configuring an SNMP Inspection Policy Map for Additional Inspection Control XDMCP Inspection Page Page Page Information About Cisco Unified Communications Proxy Features Information About the Adaptive Security Appliance in Cisco Unified Communications Page TLS Proxy Applications in Cisco Unified Communications Licensing for Cisco Unified Communications Proxy Features Page Page Using the Cisco Unified Communication Wizard Information about the Cisco Unified Communication Wizard Page Licensing Requirements for the Unified Communication Wizard Configuring the Phone Proxy by using the Unified Configuring the Private Network for the Phone Proxy Configuring Servers for the Phone Proxy Page Enabling Certificate Authority Proxy Function (CAPF) for IP Phones Configuring the Public IP Phone Network Configuring the Media Termination Address for Unified Communication Proxies Configuring the Mobility Advantage by using the Unified Configuring the Topology for the Cisco Mobility Advantage Proxy Configuring the Server-Side Certificates for the Cisco Mobility Advantage Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy Configuring the Presence Federation Proxy by using the Unified Communication Wizard Configuring the Topology for the Cisco Presence Federation Proxy Configuring the Local-Side Certificates for the Cisco Presence Federation Configuring the Remote-Side Certificates for the Cisco Presence Federation Configuring the UC-IME by using the Unified Communication Wizard Configuring the Topology for the Cisco Intercompany Media Engine Proxy Configuring the Private Network Settings for the Cisco Intercompany Media Page Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy Configuring the Public Network Settings for the Cisco Intercompany Media Configuring the Local-Side Certificates for the Cisco Intercompany Media Configuring the Remote-Side Certificates for the Cisco Intercompany Media Working with Certificates in the Unified Communication Wizard Exporting an Identity Certificate Installing a Certificate Generating a Certificate Signing Request (CSR) for a Unified Communications Saving the Identity Certificate Request Installing the ASA Identity Certificate on the Mobility Advantage Server Page Page Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Phone Proxy Functionality Page Supported Cisco UCM and IP Phones for the Phone Proxy Licensing Requirements for the Phone Proxy Page Prerequisites for the Phone Proxy Media Termination Instance Prerequisites Certificates from the Cisco UCM DNS Lookup Prerequisites Cisco Unified Communications Manager Prerequisites ACL Rules NAT and PAT Prerequisites Prerequisites for IP Phones on Multiple Interfaces 7960 and 7940 IP Phones Support Cisco IP Communicator Prerequisites Prerequisites for Rate Limiting TFTP Requests Rate Limiting Configuration Example About ICMP Traffic Destined for the Media Termination Address End-User Phone Provisioning Ways to Deploy IP Phones to End Users Phone Proxy Guidelines and Limitations General Guidelines and Limitations Media Termination Address Guidelines and Limitations Configuring the Phone Proxy Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster Importing Certificates from the Cisco UCM Page Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster Creating the CTL File Page Using an Existing CTL File Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster Page Creating the Media Termination Instance Creating the Phone Proxy Instance Page Enabling the Phone Proxy with SIP and Skinny Inspection Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy Configuring Your Router Troubleshooting the Phone Proxy Debugging Information from the Security Appliance Page Page Page Debugging Information from IP Phones IP Phone Registration Failure TFTP Auth Error Displays on IP Phone Console Configuration File Parsing Error Configuration File Parsing Error: Unable to Get DNS Response Non-configuration File Parsing Error Cisco UCM Does Not Respond to TFTP Request for Configuration File IP Phone Does Not Respond After the Security Appliance Sends TFTP Data IP Phone Requesting Unsigned File Error IP Phone Unable to Download CTL File IP Phone Registration Failure from Signaling Connections Page SSL Handshake Failure Certificate Validation Errors Media Termination Address Errors Audio Problems with IP Phones Media Failure for a Voice Call Saving SAST Keys Page Configuration Examples for the Phone Proxy Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher 16-45 16-46 Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher 16-47 Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers 16-48 16-49 Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher 16-51 Example 6: VLAN Transversal 16-53 Feature History for the Phone Proxy Configuring the T Inspection Information about the TLS Proxy for Encrypted Voice Inspection Decryption and Inspection of Unified Communications Encrypted Signaling Supported Cisco UCM and IP Phones for the TLS Proxy CTL Client Overview Page Licensing for the TLS Proxy Page Prerequisites for the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection Page Creating an Internal CA Creating a CTL Provider Instance Page Enabling the TLS Proxy Instance for Skinny or SIP Inspection Page 17-15 Monitoring the TLS Proxy The following is sample output reflecting a successful TLS proxy session setup for a SIP phone: 17-16 17-17 Feature History for the TLS Proxy for Encrypted Voice Inspection Table17-2 lists the release history for this feature. Table17-2 Feature History for Cisco Phone Proxy Feature Name Releases Feature Information TLS Proxy 8.0(2) The TLS proxy feature was introduced. Page Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Cisco Mobility Advantage Proxy Functionality Mobility Advantage Proxy Deployment Scenarios Page 18-4 Mobility Advantage Proxy Using NAT/PAT versus DMZ Trust Relationships for Cisco UMA Deployments Licensing for the Cisco Mobility Advantage Proxy Feature Configuring Cisco Mobility Advantage Task Flow for Configuring Cisco Mobility Advantage Installing the Cisco UMA Server Certificate Page Enabling the TLS Proxy for MMP Inspection Monitoring for Cisco Mobility Advantage Configuration Examples for Cisco Mobility Advantage Example 2: Cisco UMC/Cisco UMA Architecture Security Appliance as TLS Proxy Only 18-13 DMZ Feature History for Cisco Mobility Advantage Configuring Cisco Unified Presence Information About Cisco Unified Presence Architecture for Cisco Unified Presence for SIP Federation Deployments 19-2 Page Trust Relationship in the Presence Federation Security Certificate Exchange Between Cisco UP and the Security Appliance XMPP Federation Deployments Configuration Requirements for XMPP Federation Licensing for Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation Installing Certificates Page Page Enabling the TLS Proxy for SIP Inspection Monitoring Cisco Unified Presence Configuration Example for Cisco Unified Presence Example Configuration for SIP Federation Deployments 19-16 19-17 Example ACL Configuration for XMPP Federation command. Example 1: This example ACL configuration allows from any address to any address on port 5269: Example NAT Configuration for XMPP Federation Page Feature History for Cisco Unified Presence Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Features of Cisco Intercompany Media Engine Proxy How the UC-IME Works with the PSTN and the Internet Tickets and Passwords M Call Fallback to the PSTN Architecture and Deployment Scenarios for Cisco Intercompany Media Engine Architecture 20-6 Basic Deployment V V M Internet M Licensing for Cisco Intercompany Media Engine V Page Page Configuring Cisco Intercompany Media Engine Proxy Task Flow for Configuring Cisco Intercompany Media Engine M M Configuring NAT for Cisco Intercompany Media Engine Proxy M M Configuring PAT for the Cisco UCM Server M Page Creating ACLs for Cisco Intercompany Media Engine Proxy Creating the Media Termination Instance Creating the Cisco Intercompany Media Engine Proxy Page Page Page Page Page Creating the TLS Proxy Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Page (Optional) Configuring TLS within the Local Enterprise Page Page (Optional) Configuring Off Path Signaling M Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane Page Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard Troubleshooting Cisco Intercompany Media Engine Proxy Page Page Feature History for Cisco Intercompany Media Engine Proxy Page Page Configuring Connection Settings Information About Connection Settings TCP Intercept and Limiting Embryonic Connections Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility Dead Connection Detection (DCD) TCP Sequence Randomization TCP Normalization TCP State Bypass Licensing Requirements for Connection Settings TCP State Bypass Configuring Connection Settings Task Flow For Configuring Connection Settings Customizing the TCP Normalizer with a TCP Map Page Page Page Page Configuring Connection Settings Page Page Page Monitoring Connection Settings Configuration Examples for Connection Settings Configuration Examples for Connection Limits and Timeouts Configuration Examples for TCP State Bypass Configuration Examples for TCP Normalization Feature History for Connection Settings Page Configuring QoS Information About QoS Supported QoS Features What is a Token Bucket? Information About Policing Information About Priority Queuing Information About Traffic Shaping How QoS Features Interact DSCP and DiffServ Preservation Licensing Requirements for QoS Configuring QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue Configuring the Standard Priority Queue for an Interface Configuring a Service Rule for Standard Priority Queuing and Policing Page Page Page Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing (Optional) Configuring the Hierarchical Priority Queuing Policy Configuring the Service Rule Page 23-16 Monitoring QoS This section includes the following topics: Viewing QoS Police Statistics The following is sample output for the show service-policy police command: Viewing QoS Standard Priority Statistics Viewing QoS Shaping Statistics Viewing QoS Standard Priority Queue Statistics Feature History for QoS Page Troubleshooting Connections and Resources Testing Your Configuration Enabling ICMP Debugging Messages and Syslog Messages Pinging ASA Interfaces ? ASA Appliance Passing Traffic Through the ASA Security Appliance Disabling the Test Configuration Determining Packet Routing with Traceroute Tracing Packets with Packet Tracer Monitoring Per-Process CPU Usage Page Page Page Configuring the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security Redirection of Web Traffic to Cloud Web Security User Authentication and Cloud Web Security Authentication Keys Company Authentication Key Group Authentication Key ScanCenter Policy Directory Groups Custom Groups How Groups and the Authentication Key Interoperate Cloud Web Security Actions Bypassing Scanning with Whitelists Licensing Requirements for Cisco Cloud Web Security IPv4 and IPv6 Support Failover from Primary to Backup Proxy Server Prerequisites for Cloud Web Security Configuring Cisco Cloud Web Security Configuring Communication with the Cloud Web Security Proxy Server (Multiple Context Mode) Allowing Cloud Web Security Per Security Context Configuring a Service Policy to Send Traffic to Cloud Web Security Page Page Page 25-14 (Optional) Configuring Whitelisted Traffic Example (Optional) Configuring the User Identity Monitor Configuring the Cloud Web Security Policy Monitoring Cloud Web Security Configuration Examples for Cisco Cloud Web Security Single Mode Example 25-19 Multiple Mode Example Whitelist Example Configure what access-list traffic should be sent to Cloud Web Security: To attach class-maps to the Cloud Web Security Policy map: Directory Integration Examples Configuring the Active Directory Server Using LDAP Configuring the Active Directory Agent Using RADIUS Creating the ASA as a Client on the AD Agent Server Creating a Link Between the AD Agent and DCs Testing the AD Agent Configuring the Identity Options on the ASA Cloud Web Security with Identity Firewall Example 25-23 25-24 25-25 Related Documents Feature History for Cisco Cloud Web Security Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter Botnet Traffic Filter Address Types Botnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Databases Information About the Dynamic Database How the ASA Uses the Dynamic Database Information About the Static Database Information About the DNS Reverse Lookup Cache and DNS Host Cache 26-5 How the Botnet Traffic Filter Works Figure 26-2 shows how the Botnet Traffic Filter works with the static database. Licensing Requirements for the Botnet Traffic Filter Prerequisites for the Botnet Traffic Filter Configuring the Botnet Traffic Filter Task Flow for Configuring the Botnet Traffic Filter Configuring the Dynamic Database Adding Entries to the Static Database Enabling DNS Snooping Default DNS Inspection Configuration and Recommended Configuration Enabling Traffic Classification and Actions for the Botnet Traffic Filter Recommended Configuration Page Blocking Botnet Traffic Manually Searching the Dynamic Database Monitoring the Botnet Traffic Filter Botnet Traffic Filter Syslog Messaging Botnet Traffic Filter Commands Page Configuration Examples for the Botnet Traffic Filter Recommended Configuration Example 26-20 Example2 6-2 Multiple Mode Botnet Traffic Filter Recommended Example Other Configuration Examples 26-21 To configure the syslog server, see Chapter41, Configuring Logging, in the general operations To shun connections, see the Blocking Unwanted Connections section on page28-2. configuration guide. To configure an ACL to block traffic, see Chapter19, Adding an Extended Access Control List, Feature History for the Botnet Traffic Filter Configuring Threat Detection Information About Threat Detection Licensing Requirements for Threat Detection Configuring Basic Threat Detection Statistics Information About Basic Threat Detection Statistics Page Configuring Basic Threat Detection Statistics Monitoring Basic Threat Detection Statistics Feature History for Basic Threat Detection Statistics Configuring Advanced Threat Detection Statistics Information About Advanced Threat Detection Statistics Configuring Advanced Threat Detection Statistics Page Monitoring Advanced Threat Detection Statistics Page Page Page Page Feature History for Advanced Threat Detection Statistics Configuring Scanning Threat Detection Information About Scanning Threat Detection Page Configuring Scanning Threat Detection Monitoring Shunned Hosts, Attackers, and Targets Feature History for Scanning Threat Detection Configuration Examples for Threat Detection Page Using Protection Tools Preventing IP Spoofing Configuring the Fragment Size Blocking Unwanted Connections Configuring IP Audit for Basic IPS Support Configuring IP Audit IP Audit Signature List Page Page Page Page Configuring Filtering Services Information About Web Traffic Filtering Configuring ActiveX Filtering Information About ActiveX Filtering Licensing Requirements for ActiveX Filtering Guidelines and Limitations for ActiveX Filtering Configuring ActiveX Filtering Configuration Examples for ActiveX Filtering Feature History for ActiveX Filtering Configuring Java Applet Filtering Information About Java Applet Filtering Licensing Requirements for Java Applet Filtering Guidelines and Limitations for Java Applet Filtering Configuring Java Applet Filtering Configuration Examples for Java Applet Filtering Feature History for Java Applet Filtering Filtering URLs and FTP Requests with an External Server Information About URL Filtering Licensing Requirements for URL Filtering Guidelines and Limitations for URL Filtering Identifying the Filtering Server Page Configuring Additional URL Filtering Settings Buffering the Content Server Response Caching Server Addresses Filtering HTTP URLs Enabling HTTP Filtering Enabling Filtering of Long HTTP URLs Truncating Long HTTP URLs Exempting Traffic from Filtering Filtering HTTPS URLs Filtering FTP Requests Monitoring Filtering Statistics 29-16 The following is sample output from the show url-block command: The following is sample output from the show url-block block statistics command: The following is sample output from the show url-cache stats command: The following is sample output from the show perfmon command: Feature History for URL Filtering Page Page Page Configuring the ASA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA Monitor-Only Mode Service Policy in Monitor-Only Mode Traffic-Forwarding Interface in Monitor-Only Mode Information About ASA CX Management Initial Configuration Policy Configuration and Management Information About Authentication Proxy Information About VPN and the ASA CX Module Compatibility with ASA Features Licensing Requirements for the ASA CX Module Prerequisites Page Configuring the ASA CX Module Task Flow for the ASA CX Module Connecting the ASA CX Management Interface ASA 5585-X (Hardware Module) SSP ASA 5585-X ASA Management 0/0 Page ASA 5512-X through ASA 5555-X (Software Module) ASA 5545-X ASA CX Management 0/0 ASA Management 0/0 (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module Page (ASA 5585-X) Changing the ASA CX Management IP Address Configuring Basic ASA CX Settings at the ASA CX CLI Configuring the Security Policy on the ASA CX Module Using PRSM (Optional) Configuring the Authentication Proxy Port Redirecting Traffic to the ASA CX Module Creating the ASA CX Service Policy Page Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) Managing the ASA CX Module Resetting the Password Reloading or Resetting the Module Shutting Down the Module (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image (ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA Monitoring the ASA CX Module Showing Module Status Showing Module Statistics Monitoring Module Connections Page 30-29 The following is sample output from the show asp event dp-cp cxsc-msg command: Capturing Module Traffic Troubleshooting the ASA CX Module Debugging the Module Problems with the Authentication Proxy Configuration Examples for the ASA CX Module Feature History for the ASA CX Module Page Page Page Configuring the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA Operating Modes Using Virtual Sensors (ASA 5510 and Higher) Information About Management Access Licensing Requirements for the ASA IPS module Page Configuring the ASA IPS module Task Flow for the ASA IPS Module 31-8 Cisco ASA Series Firewall CLI Configuration Guide Management PC Connecting the ASA IPS Management Interface SSP ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module) The IPS module includes a separate management interface from the ASA. If you have an inside router ASA 5512-X through ASA 5555-X (Software Module) ASA 5545-X IPS Management 0/0 ASA Management 0/0 ASA 5505 Ports 1 7 VLAN 1 Default ASA IP: 192.168.1.1/IPS IP: 192.168.1.2 Default IPS Gateway: 192.168.1.1 (ASA) ASA 5505 Management PC (IP Address from DHCP) Sessioning to the Module from the ASA (ASA 5512-X through ASA 5555-X) Booting the Software Module Configuring Basic IPS Module Network Settings (ASA 5510 and Higher) Configuring Basic Network Settings (ASA 5505) Configuring Basic Network Settings Page Configuring the Security Policy on the ASA IPS Module Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) Page Diverting Traffic to the ASA IPS module Page Page Managing the ASA IPS module Installing and Booting an Image on the Module Page Shutting Down the Module Uninstalling a Software Module Image Resetting the Password Reloading or Resetting the Module Monitoring the ASA IPS module 31-26 Configuration Examples for the ASA IPS module Feature History for the ASA IPS module Page Configuring the ASA CSC Module Information About the CSC SSM Page Determining What Traffic to Scan Page Licensing Requirements for the CSC SSM Prerequisites for the CSC SSM Page Configuring the CSC SSM Before Configuring the CSC SSM Connecting to the CSC SSM Page Diverting Traffic to the CSC SSM Page Page Monitoring the CSC SSM Troubleshooting the CSC Module Installing an Image on the Module Resetting the Password Reloading or Resetting the Module Shutting Down the Module Configuration Examples for the CSC SSM Additional References Feature History for the CSC SSM Page INDEX A B C D E F G H J L M N O P Q R S T U V W