Cisco Systems, Inc. www.cisco.com
Cisco ASA Series Firewall CLI Configuration Guide
CONTENTS
About This Guide
Document Objectives
Related Documentation
Conventions
Obtaining Documentation and Submitting a Service Request
Configuring a Service Policy Using the Modular Policy Framework
Information About Service Policies
Supported Features
Feature Directionality
Feature Matching Within a Service Policy
Order in Which Multiple Feature Actions are Applied
Incompatibility of Certain Feature Actions
Feature Matching for Multiple Service Policies
Licensing Requirements for Service Policies
Default Configuration
Default Class Maps
Task Flows for Configuring Service Policies
Task Flow for Using the Modular Policy Framework
Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
Identifying Traffic (Layer 3/4 Class Maps)
Creating a Layer 3/4 Class Map for Through Traffic
Creating a Layer 3/4 Class Map for Management Traffic
Defining Actions (Layer 3/4 Policy Map)
Applying Actions to an Interface (Service Policy)
Monitoring Modular Policy Framework
Configuration Examples for Modular Policy Framework
Applying Inspection and QoS Policing to HTTP Traffic
Applying Inspection to HTTP Traffic Globally
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
Applying Inspection to HTTP Traffic with NAT
Feature History for Service Policies
Configuring Special Actions for Application Inspections (Inspection Policy Map)
Information About Inspection Policy Maps
Default Inspection Policy Maps
Defining Actions in an Inspection Policy Map
Identifying Traffic in an Inspection Class Map
Feature History for Inspection Policy Maps
Information About NAT
Why Use NAT?
NAT Terminology
NAT Types
NAT Types Overview
Static NAT
Information About Static NAT
Information About Static NAT with Port Translation
Information About Static NAT with Port Address Translation
Static NAT with Identity Port Translation
Static NAT with Port Translation for Non-Standard Ports
Static Interface NAT with Port Translation
Information About One-to-Many Static NAT
Information About Other Mapping Scenarios (Not Recommended)
Dynamic NAT
Information About Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Dynamic PAT
Information About Dynamic PAT
Per-Session PAT vs. Multi-Session PAT
Dynamic PAT Disadvantages and Advantages
Identity NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode
NAT in Transparent Mode
NAT and IPv6
How NAT is Implemented
Main Differences Between Network Object NAT and Twice NAT
Information About Network Object NAT
Information About Twice NAT
NAT Rule Order
NAT Interfaces
Routing NAT Packets
Mapped Addresses and Routing
Transparent Mode Routing Requirements for Remote Networks
Determining the Egress Interface
NAT for VPN
NAT and Remote Access VPN
See the following sample NAT configuration for the above network:
NAT and Site-to-Site VPN
See the following sample NAT configuration for ASA1 (Boulder):
See the following sample NAT configuration for ASA2 (San Jose):
NAT and VPN Management Access
Troubleshooting NAT and VPN
DNS and NAT
Configuring Network Object NAT
Information About Network Object NAT
Licensing Requirements for Network Object NAT
Prerequisites for Network Object NAT
Configuring Network Object NAT
Adding Network Objects for Mapped Addresses
Configuring Dynamic NAT
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Example
Configuring Per-Session PAT Rules
Defaults
Monitoring Network Object NAT
Configuration Examples for Network Object NAT
Providing Access to an Inside Web Server (Static NAT)
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
is a one-to-one translation, configure the net-to-net method for NAT46.
Feature History for Network Object NAT
Configuring Twice NAT
Information About Twice NAT
Licensing Requirements for Twice NAT
Prerequisites for Twice NAT
Configuring Twice NAT
Adding Network Objects for Real and Mapped Addresses
(Optional) Adding Service Objects for Real and Mapped Ports
Configuring Dynamic NAT
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Configuring Per-Session PAT Rules
Monitoring Twice NAT
Configuration Examples for Twice NAT
Different Translation Depending on the Destination (Dynamic PAT)
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Feature History for Twice NAT
Configuring Access Rules
Information About Access Rules
General Information About Rules
Implicit Permits
Information About Interface Access Rules and Global Access Rules
Using Access Rules and EtherType Rules on the Same Interface
Implicit Deny
Inbound and Outbound Rules
Transactional-Commit Model
Guidelines and Limitations
Information About Extended Access Rules
Access Rules for Returning Traffic
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
Management Access Rules
Information About EtherType Rules
Supported EtherTypes and Other Traffic
Access Rules for Returning Traffic
Allowing MPLS
Licensing Requirements for Access Rules
Prerequisites
Configuring Access Rules
Monitoring Access Rules
Configuration Examples for Permitting or Denying Network Access
Feature History for Access Rules
Configuring AAA Rules for Network Access
AAA Performance
Licensing Requirements for AAA Rules
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
Applications Required to Receive an Authentication Challenge
ASA Authentication Prompts
AAA Prompts and Identity Firewall
AAA Rules as a Backup Authentication Method
Static PAT and HTTP
Configuring Network Access Authentication
Enabling Secure Authentication of Web Clients
Authenticating Directly with the ASA
Authenticating HTTP(S) Connections with a Virtual Server
Authenticating Telnet Connections with a Virtual Server
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send Downloadable Access Control Lists
About the Downloadable ACL Feature and Cisco Secure ACS
Configuring Cisco Secure ACS for Downloadable ACLs
Configuring Any RADIUS Server for Downloadable ACLs
Converting Wildcard Netmask Expressions in Downloadable ACLs
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Feature History for AAA Rules
Getting Started with Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
Default Settings and NAT Limitations
Configuring Application Layer Protocol Inspection
Configuring Inspection of Basic Internet Protocols
DNS Inspection
Information About DNS Inspection
General Information About DNS
DNS Inspection Actions
Default Settings for DNS Inspection
(Optional) Configuring a DNS Inspection Policy Map and Class Map
Configuring DNS Inspection
Monitoring DNS Inspection
FTP Inspection
FTP Inspection Overview
Using the strict Option
Configuring an FTP Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring FTP Inspection
HTTP Inspection
HTTP Inspection Overview
Configuring an HTTP Inspection Policy Map for Additional Inspection Control
ICMP Inspection
ICMP Error Inspection
Instant Messaging Inspection
IM Inspection Overview
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
IP Options Inspection
IP Options Inspection Overview
Configuring an IP Options Inspection Policy Map for Additional Inspection Control
IPsec Pass Through Inspection
IPsec Pass Through Inspection Overview
Example for Defining an IPsec Pass Through Parameter Map
IPv6 Inspection
Information about IPv6 Inspection
Default Settings for IPv6 Inspection
(Optional) Configuring an IPv6 Inspection Policy Map
Configuring IPv6 Inspection
NetBIOS Inspection
NetBIOS Inspection Overview
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control
PPTP Inspection
SMTP and Extended SMTP Inspection
SMTP and ESMTP Inspection Overview
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
TFTP Inspection
Configuring Inspection for Voice and Video Protocols
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
Verifying and Monitoring CTIQBE Inspection
H.323 Inspection
H.323 Inspection Overview
How H.323 Works
H.239 Support in H.245 Messages
Limitations and Restrictions
Configuring an H.323 Inspection Policy Map for Additional Inspection Control
Configuring H.323 and H.225 Timeout Values
Verifying and Monitoring H.323 Inspection
Monitoring H.225 Sessions
Monitoring H.245 Sessions
Monitoring H.323 RAS Sessions
MGCP Inspection
MGCP Inspection Overview
Configuring an MGCP Inspection Policy Map for Additional Inspection Control
Configuring MGCP Timeout Values
Verifying and Monitoring MGCP Inspection
RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
Configuring an RTSP Inspection Policy Map for Additional Inspection Control
SIP Inspection
SIP Inspection Overview
SIP Instant Messaging
Configuring a SIP Inspection Policy Map for Additional Inspection Control
Configuring SIP Timeout Values
Verifying and Monitoring SIP Inspection
Skinny (SCCP) Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Restrictions and Limitations
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring SCCP Inspection
Configuring Inspection of Database and Directory Protocols
ILS Inspection
SQL*Net Inspection
Sun RPC Inspection
Sun RPC Inspection Overview
Managing Sun RPC Services
Verifying and Monitoring Sun RPC Inspection
Configuring Inspection for Management Application Protocols
DCERPC Inspection
DCERPC Overview
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
GTP Inspection
GTP Inspection Overview
Configuring a GTP Inspection Policy Map for Additional Inspection Control
Verifying and Monitoring GTP Inspection
RADIUS Accounting Inspection
RADIUS Accounting Inspection Overview
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control
RSH Inspection
SNMP Inspection
SNMP Inspection Overview
Configuring an SNMP Inspection Policy Map for Additional Inspection Control
XDMCP Inspection
Information About Cisco Unified Communications Proxy Features
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications
Licensing for Cisco Unified Communications Proxy Features
Using the Cisco Unified Communication Wizard
Information about the Cisco Unified Communication Wizard
Licensing Requirements for the Unified Communication Wizard
Configuring the Phone Proxy by using the Unified Communication Wizard
Configuring the Private Network for the Phone Proxy
Configuring Servers for the Phone Proxy
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones
Configuring the Public IP Phone Network
Configuring the Media Termination Address for Unified Communication Proxies
Configuring the Mobility Advantage by using the Unified Communication Wizard
Configuring the Topology for the Cisco Mobility Advantage Proxy
Configuring the Server-Side Certificates for the Cisco Mobility Advantage Proxy
Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy
Configuring the Presence Federation Proxy by using the Unified Communication Wizard
Configuring the Topology for the Cisco Presence Federation Proxy
Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy
Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy
Configuring the UC-IME by using the Unified Communication Wizard
Configuring the Topology for the Cisco Intercompany Media Engine Proxy
Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy
Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy
Working with Certificates in the Unified Communication Wizard
Exporting an Identity Certificate
Installing a Certificate
Generating a Certificate Signing Request (CSR) for a Unified Communications
Saving the Identity Certificate Request
Installing the ASA Identity Certificate on the Mobility Advantage Server
Configuring the Cisco Phone Proxy
Information About the Cisco Phone Proxy
Phone Proxy Functionality
Supported Cisco UCM and IP Phones for the Phone Proxy
Licensing Requirements for the Phone Proxy
Prerequisites for the Phone Proxy
Media Termination Instance Prerequisites
Certificates from the Cisco UCM
DNS Lookup Prerequisites
Cisco Unified Communications Manager Prerequisites
ACL Rules
NAT and PAT Prerequisites
Prerequisites for IP Phones on Multiple Interfaces
7960 and 7940 IP Phones Support
Cisco IP Communicator Prerequisites
Prerequisites for Rate Limiting TFTP Requests
Rate Limiting Configuration Example
About ICMP Traffic Destined for the Media Termination Address
End-User Phone Provisioning
Ways to Deploy IP Phones to End Users
Phone Proxy Guidelines and Limitations
General Guidelines and Limitations
Media Termination Address Guidelines and Limitations
Configuring the Phone Proxy
Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
Importing Certificates from the Cisco UCM
Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
Creating the CTL File
Using an Existing CTL File
Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
Creating the Media Termination Instance
Creating the Phone Proxy Instance
Enabling the Phone Proxy with SIP and Skinny Inspection
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
Configuring Your Router
Troubleshooting the Phone Proxy
Debugging Information from the Security Appliance
Debugging Information from IP Phones
IP Phone Registration Failure
TFTP Auth Error Displays on IP Phone Console
Configuration File Parsing Error
Configuration File Parsing Error: Unable to Get DNS Response
Non-configuration File Parsing Error
Cisco UCM Does Not Respond to TFTP Request for Configuration File
IP Phone Does Not Respond After the Security Appliance Sends TFTP Data
IP Phone Requesting Unsigned File Error
IP Phone Unable to Download CTL File
IP Phone Registration Failure from Signaling Connections
SSL Handshake Failure
Certificate Validation Errors
Media Termination Address Errors
Audio Problems with IP Phones
Media Failure for a Voice Call
Saving SAST Keys
Configuration Examples for the Phone Proxy
Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
Example 6: VLAN Transversal
Feature History for the Phone Proxy
Configuring the TLS Proxy for Encrypted Voice Inspection
Information about the TLS Proxy for Encrypted Voice Inspection
Decryption and Inspection of Unified Communications Encrypted Signaling
Supported Cisco UCM and IP Phones for the TLS Proxy
CTL Client Overview
Licensing for the TLS Proxy
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
Creating an Internal CA
Creating a CTL Provider Instance
Enabling the TLS Proxy Instance for Skinny or SIP Inspection
Monitoring the TLS Proxy
The following is sample output reflecting a successful TLS proxy session setup for a SIP phone:
Feature History for the TLS Proxy for Encrypted Voice Inspection
Table 17-2 lists the release history for this feature.
Table 17-2 Feature History for Cisco Phone Proxy
Feature Name: TLS Proxy
Releases: 8.0(2)
Feature Information: The TLS proxy feature was introduced.
Configuring Cisco Mobility Advantage
Information about the Cisco Mobility Advantage Proxy Feature
Cisco Mobility Advantage Proxy Functionality
Mobility Advantage Proxy Deployment Scenarios
Mobility Advantage Proxy Using NAT/PAT
Trust Relationships for Cisco UMA Deployments
Licensing for the Cisco Mobility Advantage Proxy Feature
Configuring Cisco Mobility Advantage
Task Flow for Configuring Cisco Mobility Advantage
Installing the Cisco UMA Server Certificate
Enabling the TLS Proxy for MMP Inspection
Monitoring for Cisco Mobility Advantage
Configuration Examples for Cisco Mobility Advantage
Example 2: Cisco UMC/Cisco UMA Architecture Security Appliance as TLS Proxy Only
Feature History for Cisco Mobility Advantage
Configuring Cisco Unified Presence
Information About Cisco Unified Presence
Architecture for Cisco Unified Presence for SIP Federation Deployments
Trust Relationship in the Presence Federation
Security Certificate Exchange Between Cisco UP and the Security Appliance
XMPP Federation Deployments
Configuration Requirements for XMPP Federation
Licensing for Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
Installing Certificates
Enabling the TLS Proxy for SIP Inspection
Monitoring Cisco Unified Presence
Configuration Example for Cisco Unified Presence
Example Configuration for SIP Federation Deployments
Example ACL Configuration for XMPP Federation
Example 1: This example ACL configuration allows traffic from any address to any address on port 5269:
Example NAT Configuration for XMPP Federation
Feature History for Cisco Unified Presence
Configuring Cisco Intercompany Media Engine Proxy
Information About Cisco Intercompany Media Engine Proxy
Features of Cisco Intercompany Media Engine Proxy
How the UC-IME Works with the PSTN and the Internet
Tickets and Passwords
Call Fallback to the PSTN
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine
Architecture
Basic Deployment
Licensing for Cisco Intercompany Media Engine
Configuring Cisco Intercompany Media Engine Proxy
Task Flow for Configuring Cisco Intercompany Media Engine
Configuring NAT for Cisco Intercompany Media Engine Proxy
Configuring PAT for the Cisco UCM Server
Creating ACLs for Cisco Intercompany Media Engine Proxy
Creating the Media Termination Instance
Creating the Cisco Intercompany Media Engine Proxy
Creating the TLS Proxy
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
(Optional) Configuring TLS within the Local Enterprise
(Optional) Configuring Off Path Signaling
Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane
Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard
Troubleshooting Cisco Intercompany Media Engine Proxy
Feature History for Cisco Intercompany Media Engine Proxy
Configuring Connection Settings
Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
Dead Connection Detection (DCD)
TCP Sequence Randomization
TCP Normalization
TCP State Bypass
Licensing Requirements for Connection Settings
TCP State Bypass
Configuring Connection Settings
Task Flow For Configuring Connection Settings
Customizing the TCP Normalizer with a TCP Map
Configuring Connection Settings
Monitoring Connection Settings
Configuration Examples for Connection Settings
Configuration Examples for Connection Limits and Timeouts
Configuration Examples for TCP State Bypass
Configuration Examples for TCP Normalization
Feature History for Connection Settings
Configuring QoS
Information About QoS
Supported QoS Features
What is a Token Bucket?
Information About Policing
Information About Priority Queuing
Information About Traffic Shaping
How QoS Features Interact
DSCP and DiffServ Preservation
Licensing Requirements for QoS
Configuring QoS
Determining the Queue and TX Ring Limits for a Standard Priority Queue
Configuring the Standard Priority Queue for an Interface
Configuring a Service Rule for Standard Priority Queuing and Policing
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
(Optional) Configuring the Hierarchical Priority Queuing Policy
Configuring the Service Rule
Monitoring QoS
This section includes the following topics:
Viewing QoS Police Statistics
The following is sample output for the show service-policy police command:
Viewing QoS Standard Priority Statistics
Viewing QoS Shaping Statistics
Viewing QoS Standard Priority Queue Statistics
Feature History for QoS
Troubleshooting Connections and Resources
Testing Your Configuration
Enabling ICMP Debugging Messages and Syslog Messages
Pinging ASA Interfaces
Passing Traffic Through the ASA
Disabling the Test Configuration
Determining Packet Routing with Traceroute
Tracing Packets with Packet Tracer
Monitoring Per-Process CPU Usage
Configuring the ASA for Cisco Cloud Web Security
Information About Cisco Cloud Web Security
Redirection of Web Traffic to Cloud Web Security
User Authentication and Cloud Web Security
Authentication Keys
Company Authentication Key
Group Authentication Key
ScanCenter Policy
Directory Groups
Custom Groups
How Groups and the Authentication Key Interoperate
Cloud Web Security Actions
Bypassing Scanning with Whitelists
Licensing Requirements for Cisco Cloud Web Security
IPv4 and IPv6 Support
Failover from Primary to Backup Proxy Server
Prerequisites for Cloud Web Security
Configuring Cisco Cloud Web Security
Configuring Communication with the Cloud Web Security Proxy Server
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context
Configuring a Service Policy to Send Traffic to Cloud Web Security
(Optional) Configuring Whitelisted Traffic
Example
(Optional) Configuring the User Identity Monitor
Configuring the Cloud Web Security Policy
Monitoring Cloud Web Security
Configuration Examples for Cisco Cloud Web Security
Single Mode Example
Multiple Mode Example
Whitelist Example
Configure what access-list traffic should be sent to Cloud Web Security:
To attach class-maps to the Cloud Web Security Policy map:
Directory Integration Examples
Configuring the Active Directory Server Using LDAP
Configuring the Active Directory Agent Using RADIUS
Creating the ASA as a Client on the AD Agent Server
Creating a Link Between the AD Agent and DCs
Testing the AD Agent
Configuring the Identity Options on the ASA
Cloud Web Security with Identity Firewall Example
Related Documents
Feature History for Cisco Cloud Web Security
Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Types
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Databases
Information About the Dynamic Database
How the ASA Uses the Dynamic Database
Information About the Static Database
Information About the DNS Reverse Lookup Cache and DNS Host Cache
How the Botnet Traffic Filter Works
Figure 26-2 shows how the Botnet Traffic Filter works with the static database.
Licensing Requirements for the Botnet Traffic Filter
Prerequisites for the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling DNS Snooping
Default DNS Inspection Configuration and Recommended Configuration
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Recommended Configuration
Blocking Botnet Traffic Manually
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Commands
Configuration Examples for the Botnet Traffic Filter
Recommended Configuration Example
Example 26-2 Multiple Mode Botnet Traffic Filter Recommended Example
Other Configuration Examples
To configure the syslog server, see Chapter 41, Configuring Logging, in the general operations configuration guide.
To shun connections, see the Blocking Unwanted Connections section on page 28-2.
To configure an ACL to block traffic, see Chapter 19, Adding an Extended Access Control List,
Feature History for the Botnet Traffic Filter
Configuring Threat Detection
Information About Threat Detection
Licensing Requirements for Threat Detection
Configuring Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Configuring Basic Threat Detection Statistics
Monitoring Basic Threat Detection Statistics
Feature History for Basic Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Monitoring Advanced Threat Detection Statistics
Feature History for Advanced Threat Detection Statistics
Configuring Scanning Threat Detection
Information About Scanning Threat Detection
Configuring Scanning Threat Detection
Monitoring Shunned Hosts, Attackers, and Targets
Feature History for Scanning Threat Detection
Configuration Examples for Threat Detection
Using Protection Tools
Preventing IP Spoofing
Configuring the Fragment Size
Blocking Unwanted Connections
Configuring IP Audit for Basic IPS Support
Configuring IP Audit
IP Audit Signature List
Configuring Filtering Services
Information About Web Traffic Filtering
Configuring ActiveX Filtering
Information About ActiveX Filtering
Licensing Requirements for ActiveX Filtering
Guidelines and Limitations for ActiveX Filtering
Configuring ActiveX Filtering
Configuration Examples for ActiveX Filtering
Feature History for ActiveX Filtering
Configuring Java Applet Filtering
Information About Java Applet Filtering
Licensing Requirements for Java Applet Filtering
Guidelines and Limitations for Java Applet Filtering
Configuring Java Applet Filtering
Configuration Examples for Java Applet Filtering
Feature History for Java Applet Filtering
Filtering URLs and FTP Requests with an External Server
Information About URL Filtering
Licensing Requirements for URL Filtering
Guidelines and Limitations for URL Filtering
Identifying the Filtering Server
Configuring Additional URL Filtering Settings
Buffering the Content Server Response
Caching Server Addresses
Filtering HTTP URLs
Enabling HTTP Filtering
Enabling Filtering of Long HTTP URLs
Truncating Long HTTP URLs
Exempting Traffic from Filtering
Filtering HTTPS URLs
Filtering FTP Requests
Monitoring Filtering Statistics
The following is sample output from the show url-block command:
The following is sample output from the show url-block block statistics command:
The following is sample output from the show url-cache stats command:
The following is sample output from the show perfmon command:
Feature History for URL Filtering
Configuring the ASA CX Module
Information About the ASA CX Module
How the ASA CX Module Works with the ASA
Monitor-Only Mode
Service Policy in Monitor-Only Mode
Traffic-Forwarding Interface in Monitor-Only Mode
Information About ASA CX Management
Initial Configuration
Policy Configuration and Management
Information About Authentication Proxy
Information About VPN and the ASA CX Module
Compatibility with ASA Features
Licensing Requirements for the ASA CX Module
Prerequisites
Configuring the ASA CX Module
Task Flow for the ASA CX Module
Connecting the ASA CX Management Interface
ASA 5585-X (Hardware Module)
ASA 5512-X through ASA 5555-X (Software Module)
(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module
(ASA 5585-X) Changing the ASA CX Management IP Address
Configuring Basic ASA CX Settings at the ASA CX CLI
Configuring the Security Policy on the ASA CX Module Using PRSM
(Optional) Configuring the Authentication Proxy Port
Redirecting Traffic to the ASA CX Module
Creating the ASA CX Service Policy
Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode)
Managing the ASA CX Module
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image
(ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA
Monitoring the ASA CX Module
Showing Module Status
Showing Module Statistics
Monitoring Module Connections
The following is sample output from the show asp event dp-cp cxsc-msg command:
Capturing Module Traffic
Troubleshooting the ASA CX Module
Debugging the Module
Problems with the Authentication Proxy
Configuration Examples for the ASA CX Module
Feature History for the ASA CX Module
Configuring the ASA IPS Module
Information About the ASA IPS Module
How the ASA IPS Module Works with the ASA
Operating Modes
Using Virtual Sensors (ASA 5510 and Higher)
Information About Management Access
Licensing Requirements for the ASA IPS module
Configuring the ASA IPS module
Task Flow for the ASA IPS Module
Connecting the ASA IPS Management Interface
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module)
The IPS module includes a separate management interface from the ASA.
ASA 5512-X through ASA 5555-X (Software Module)
ASA 5505
[Figure: ASA 5505 management connection. IPS and management PC on VLAN 1 (ports 1-7). Default ASA IP: 192.168.1.1; IPS IP: 192.168.1.2; default IPS gateway: 192.168.1.1 (the ASA). The management PC obtains its IP address from DHCP.]
Sessioning to the Module from the ASA
(ASA 5512-X through ASA 5555-X) Booting the Software Module
Configuring Basic IPS Module Network Settings
(ASA 5510 and Higher) Configuring Basic Network Settings
(ASA 5505) Configuring Basic Network Settings
Configuring the Security Policy on the ASA IPS Module
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
Diverting Traffic to the ASA IPS module
Managing the ASA IPS module
Installing and Booting an Image on the Module
Shutting Down the Module
Uninstalling a Software Module Image
Resetting the Password
Reloading or Resetting the Module
Monitoring the ASA IPS module
Configuration Examples for the ASA IPS module
Feature History for the ASA IPS module
Configuring the ASA CSC Module
Information About the CSC SSM
Determining What Traffic to Scan
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
Configuring the CSC SSM
Before Configuring the CSC SSM
Connecting to the CSC SSM
Diverting Traffic to the CSC SSM
Monitoring the CSC SSM
Troubleshooting the CSC Module
Installing an Image on the Module
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
Configuration Examples for the CSC SSM
Additional References
Feature History for the CSC SSM
INDEX