Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems and the ASA Services Module, ASA 5505, ASA 5545-X, ASA 5555-X, ASA 5585-X Step, 23-11

Models: ASA 5555-X and the ASA Services Module ASA 5545-X ASA 5585-X ASA 5580 ASA 5505

1 712

Download 712 pages 25.77 Kb

Page 503

Image 503

Chapter 23 Configuring QoS

Configuring QoS

	Command	Purpose
Step 6
Step 6	class priority_map_name	Identifies the class map you created for prioritized traffic in
		Step 1.
	Example:
	ciscoasa(config-pmap)# class
	priority_class
Step 7
Step 7	priority	Configures priority queuing for the class.
	Example:
	ciscoasa(config-pmap-c)# priority
Step 8
Step 8	class policing_map_name	Identifies the class map you created for policed traffic in Step 3.
	Example:
	ciscoasa(config-pmap)# class
	policing_class
Step 9
Step 9	police {output input} conform-rate	Configures policing for the class. See the followingoptions:
	[conform-burst][conform-action [drop	• conform-burstargument—Specifies the maximum number of
	transmit]] [exceed-action [drop	• conform-burstargument—Specifies the maximum number of
	transmit]]	instantaneous bytes allowed in a sustained burst before
		throttling to the conforming rate value, between 1000 and
	Example:	512000000 bytes.
	Example:	• conform-action—Sets the action to take when the rate is less
	ciscoasa(config-pmap-c)# police output
	56000 10500	than the conform_burst value.
		• conform-rate—Sets the rate limit for this traffic flow;
		between 8000 and 2000000000 bits per second.]
		• drop—Drops the packet.
		• exceed-action—Sets the action to take when the rate is
		between the conform-ratevalue and the conform-burstvalue.
		• input—Enables policing of traffic flowing in the input
		direction.
		• output—Enables policing of traffic flowing in the output
		direction.
		• transmit—Transmits the packet.
Step 10
Step 10	service-policy policymap_name {global	Activates the policy map on one or more interfaces. global applies
	interface interface_name}	the policy map to all interfaces, and interface applies the policy
		to one interface. Only one global policy is allowed. You can
	Example:	override the global policy on an interface by applying a service
	Example:	policy to that interface. You can only apply one policy map to
	ciscoasa(config)# service-policy
	QoS_policy interface inside	each interface.

Examples

Example 23-1 Class Map Examples for VPN Traffic

In the following example, the class-mapcommand classifies all non-tunneled TCP traffic, using an ACL named tcp_traffic:

ciscoasa(config)# access-list tcp_traffic permit tcp any any

Cisco ASA Series Firewall CLI Configuration Guide

23-11

Page 503

Image 503

Cisco Systems and the ASA Services Module, ASA 5505, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA 5580 manual Step, 23-11

Contents

Software Version Cisco ASA Series Firewall CLI Configuration GuideCisco ASA Series Firewall CLI Configuration Guide Iii N T E N T SGuidelines and Limitations Default Inspection Policy Maps NAT for VPN Guidelines and Limitations Vii RulesViii Getting Started with Application Layer Protocol InspectionIPv6 Inspection Verifying and Monitoring Sun RPC Inspection Configuring Unified Communications Xii Installing a CertificateXiii Enabling the Phone Proxy with SIP and Skinny InspectionXiv CTL Client OverviewArchitecture Xvi Configuring Connection Settings and QoSXvii Configuring the Standard Priority Queue for an InterfaceXviii Bypassing Scanning with WhitelistsXix Information About the Static DatabaseConfiguring Java Applet Filtering Xxi Filtering URLs and FTP Requests with an External Server30-15 XxiiXxiii ASA 5505 Configuring Basic Network SettingsXxiv Convention Indication Document ObjectivesRelated Documentation ConventionsXxvi Obtaining Documentation and Submitting a Service RequestR T Page Information About Service Policies For Through Supported FeaturesFeature Directionality Feature Traffic? SeeGlobal Direction Feature Matching Within a Service PolicyFeature ASA IPS ASA CX Order in Which Multiple Feature Actions are AppliedIncompatibility of Certain Feature Actions Guidelines and Limitations Licensing Requirements for Service PoliciesFeature Matching for Multiple Service Policies Policy Map Guidelines Service Policy GuidelinesClass Map Guidelines Default Configuration, Default Class Maps, Default SettingsDefault Configuration This section includes the following topics Task Flows for Configuring Service PoliciesDefault Class Maps Task Flow for Using the Modular Policy FrameworkSee the Identifying Traffic Layer 3/4 Class Maps section on Layer 3/4 Policy Map Example Command PurposeIdentifying Traffic Layer 3/4 Class Maps Creating a Layer 3/4 Class Map for Through TrafficMatch default-inspection-traffic command to narrow See the Default Settings and NAT Limitations section onPorts are included in the match default-inspection-traffic Creating a Layer 3/4 Class Map for Management Traffic Except for the match any , match access-list , or matchMatch flow ip destination-address command to match flows Defining Actions Layer 3/4 Policy Map Creates a management class map, where classmapname is aQoS Traffic Shaping section on page 1-11 for more Task Flow for Configuring Hierarchical Policy Maps forSee the Supported Features section on Identifying Traffic Layer 3/4 Class Maps section onApplying Actions to an Interface Service Policy IPv6, see the IPv6 Guidelines section on Configuration Examples for Modular Policy FrameworkDisplays the service policy statistics Monitoring Modular Policy FrameworkApplying Inspection to Http Traffic Globally See the following commands for this exampleCiscoasaconfig# class-map httptraffic Applying Inspection and QoS Policing to Http TrafficCiscoasaconfig# service-policy httptrafficpolicy global Ciscoasaconfig# policy-map httptrafficpolicyHost Ciscoasaconfig# service-policy httpclient interface insideApplying Inspection to Http Traffic with NAT Obj-192.168.1.1Radius-accounting Feature History for Service PoliciesFeature Name Releases Feature Information Introduced class-map type management, and inspectInformation About Inspection Policy Maps Guidelines and Limitations Default Inspection Policy Maps Identifying Traffic in an Inspection Class Map section on Defining Actions in an Inspection Policy MapIdentifying Traffic in an Inspection Class Map Getting Started with Application Layer Protocol Inspection 1lists the release history for this feature Where to Go NextFeature History for Inspection Policy Maps Page Configuring Network Address Translation Page Information About NAT Why Use NAT?NAT Terminology Information About Static NAT NAT TypesNAT Types Overview Static NATInformation About Static NAT with Port Address Translation Information About Static NAT with Port TranslationStatic NAT with Identity Port Translation Information About One-to-Many Static NAT4shows a typical few-to-many static NAT scenario Information About Other Mapping Scenarios Not RecommendedInformation About Dynamic NAT Dynamic NATInformation About Dynamic PAT Dynamic PATDynamic NAT Disadvantages and Advantages Dynamic PAT Disadvantages and Advantages Per-Session PAT vs. Multi-Session PATNAT in Routed Mode, NAT in Transparent Mode, NAT in Routed and Transparent ModeIdentity NAT NAT in Transparent Mode NAT in Routed Mode10 NAT Example Transparent Mode Main Differences Between Network Object NAT and Twice NAT NAT and IPv6How NAT is Implemented Information About Twice NAT Information About Network Object NAT11 Twice NAT with Different Destination Addresses 12 Twice NAT with Different Destination Ports 13 Twice Static NAT with Destination Address Translation Rule Type Order of Rules within the Section NAT Rule OrderRouting NAT Packets NAT InterfacesMapped Addresses and Routing Too late Transparent Mode Routing Requirements for Remote NetworksNAT for VPN 203.0.113.16075 NAT and Remote Access VPNSame-security-traffic permit intra-interface NAT and Site-to-Site VPN19 Interface PAT and Identity NAT for Site-to-Site VPN See the following sample NAT configuration for ASA1 BoulderObject network vpnlocal Subnet 10.3.3.0 NAT and VPN Management AccessSubnet 10.2.2.0 Object network boulderinside Subnet 10.1.1.0Subnet 10.1.1.0 Nat inside,outside dynamic interface Management-access insideEnter show nat detail and show conn all Troubleshooting NAT and VPNAdd the identity NAT configuration DNS and NAT22 DNS Reply Modification, DNS Server on Outside 192.168.1.10 24 DNS Reply Modification, DNS Server on Host Network 2001DB8D1A5C8E1 26 PTR Modification, DNS Server on Host Network Page Information About Network Object NAT Configuring Network Object NATSupports IPv6. See also the NAT and IPv6 section on Licensing Requirements for Network Object NATPrerequisites for Network Object NAT Additional Guidelines Adding Network Objects for Mapped Addresses Configuring Network Object NATObject network objname Configuring Dynamic NATObject DNS and NAT section on page 3-28 for more information Additional Guidelines section onNat inside,outside dynamic nat-pat-grp interface Configuring Dynamic PAT HideMapped addresses Configures a network object for which you want to configureOptional Create a network object or group for See the Adding Network Objects for Mapped Addresses sectionWhen you want to use the interface IP address you Configures dynamic PAT for the object IP addresses. You canInterface-Routed mode only The IP address Used. For this option, you must configure a specificCiscoasaconfig-network-object#nat inside,outside dynamic Ciscoasaconfig# object network IPv6INSIDE Configuring Static NAT or Static NAT-with-Port-TranslationCiscoasaconfig# object network IPv4POOL Addresses IPv4 or IPv6 that you want to translate See the Mapped Addresses and Routing section on Static NAT section onSee the DNS and NAT section on page 3-28. This option is Addresses section on Configuring Identity NATTranslate. See the Adding Network Objects for Mapped Section on page 3-22 for more information NAT command. See the Determining the Egress InterfaceSee the Additional Guidelines section on Mapped Addresses and Routing section onBy default, the following rules are installed Configuring Per-Session PAT RulesHow many times they were allocated Monitoring Network Object NATShows NAT statistics, including hits for each NAT rule Configuration Examples for Network Object NAT Create a network object for the internal web server Providing Access to an Inside Web Server Static NATConfigure static NAT for the object Ciscoasaconfig# object network myWebServCreate a network object for the outside web server Configure static NAT for the web serverCiscoasaconfig-network-object#nat outside,inside static Create a network object for the inside networkCreate a network object for the load balancer Configure static NAT for the load balancerCiscoasaconfig# object network myPublicIPs Ciscoasaconfig# object network myLBHostCreate a network object for the Http server address Ciscoasaconfig# object network FtpserverCiscoasaconfig# object network Httpserver Create a network object for the FTP server addressCreate a network object for the Smtp server address Ciscoasaconfig# object network SmtpserverDNS Reply Modification DNS Reply Modification Using Outside NAT 2001DB8D1A5C8E1 Ciscoasaconfig# object network Dnsserver Platform Feature Name Releases Feature Information Feature History for Network Object NATPat-pool mappedobject extended Pat-pool mappedobject flat include-reserveNat-assigned-to-public-ip interface tunnel-group General-attributes configuration modeConfiguration mode, show nat, show nat pool, show xlate Show nat pool Page Information About Twice NAT Configuring Twice NATSupports IPv6 Licensing Requirements for Twice NATPrerequisites for Twice NAT Configuring Twice NAT Guidelines and Limitations Adding Network Objects for Real and Mapped Addresses Configuring Twice NATConfiguring Twice NAT Configure service objects for Optional Adding Service Objects for Real and Mapped PortsCommand Purpose Ports section on See the Optional Adding Service Objects for Real and MappedSee the Adding Network Objects for Real and Mapped You can optionally configure the following fallback Configure dynamic NAT. See the following guidelinesSection and Line-Optional By default, the NAT rule is Anywhere in the applicable section using the line argumentCommand Purpose Subnet 2001DB8AAAA/96 For a PAT poolSubnet 203.0.113.0 Configuring Twice NAT Detailed Steps Interface keyword enables interface PAT fallback. After Configures dynamic PAT hide. See the following guidelinesMapped-Configure one of the following Interface-Routed mode only Specify the interfaceCommand Purpose Command Purpose Host 2001DB823 Service tcp destination eqSubnet 192.168.1.0 Source or Destination mapped ports Source or Destination real portsSee the Static Interface NAT with Port Translation Rule Order section on page 3-18for more information aboutExamples OUTSIDEIPv6NW ObjectMAPPEDIPv6NW Subnet 2001DB8BBBB/96Source real addresses you will typically use Static Interface NAT with Port Translation section on How many times they were allocated To monitor twice NAT, enter one of the following commandsMonitoring Twice NAT Shows NAT statistics, including hits for each NAT ruleAdd a network object for the DMZ network Configuration Examples for Twice NATCiscoasaconfig# object network PATaddress1 Add a network object for the inside networkConfigure the second twice NAT rule Configure the first twice NAT ruleCiscoasaconfig# object network TelnetWebServer Add a network object for the PAT address when using TelnetAdd a service object for Telnet Ciscoasaconfig# object network myInsideNetworkAdd a service object for Http Existing functionality. The unidirectional keyword is Feature History for Twice NATWe modified the following command nat source static Show nat, show xlate, show nat poolPat-pool mappedobject flat include-reserve Nat-assigned-to-public-ip interface tunnel-group Show nat pool Configuring Access Control Page Information About Access Rules Configuring Access RulesInformation About EtherType Rules, General Information About RulesImplicit Permits Inbound and Outbound Rules Implicit DenyOutbound ACL Transactional-Commit ModelAdditional Guidelines and Limitations Information About Extended Access RulesAccess Rules for Returning Traffic Traffic Type Protocol or Port Management Access RulesInformation About EtherType Rules Supported EtherTypes and Other TrafficSupported in routed and transparent firewall modes Licensing Requirements for Access RulesPrerequisites Allowing MplsPer-User ACL Guidelines Default SettingsConfiguring Access Rules To apply an access rule, perform the following stepsSee Per-User ACL Guidelines, Per-user-override optionHostname config# object-group service myaclog Monitoring Access RulesTo monitor network access, enter the following command Show running-config access-groupPermit deny is-is Feature History for Access RulesExtended Transactional-commit,show running-config asp Extended, access-list webtypeIpv6 access-list webtype, ipv6-vpn-filter Access-list extended, service-object, serviceLicensing Requirements for AAA Rules AAA PerformanceInformation About Authentication Configuring Authentication for Network AccessASA Authentication Prompts One-Time AuthenticationAAA Prompts and Identity Firewall Name name1@name2 Password password1@password2Static PAT and Http AAA Rules as a Backup Authentication MethodNat inside,outside static 10.48.66.155 service tcp 111 User-group any and user-group none can be Configuring Network Access AuthenticationAuthentication include command which Lockout command Protocol ldap Ldap-login-passwordLdap-over-ssl enable Aaa authentication match Auth inside LdapEnabling Secure Authentication of Web Clients Authenticating Https Connections with a Virtual Server Authenticating Directly with the ASAAuthenticating Telnet Connections with a Virtual Server Authentication include command Configuring TACACS+ Authorization Configuring Authorization for Network AccessFTP in the ACL, because the user must authenticate Authenticate. For details, see the general operationsAuthentication, while deny entries exclude matching Traffic from authentication. Be sure to includeAuthorization include command which Authentication match commandAbout the Downloadable ACL Feature and Cisco Secure ACS Configuring Radius AuthorizationACSCiscoSecure-Defined-ACL=acl-set-name Access-list aclname extended Configuring Cisco Secure ACS for Downloadable ACLsIpinacl#nnn= Downloaded ACL on the ASA consists of the following linesWith the following text Filter-id=aclname Configuring Accounting for Network AccessAccounting include command which Information, see the Configuring Network AccessAuthentication section on page 7-7. If you want Access-list commandConfiguring AAA Rules for Network Access Mac-exempt match command Feature History for AAA Rules Page Configuring Application Inspection Page How Inspection Engines Work Getting Started with Application Layer Protocol InspectionHow Inspection Engines Work When to Use Application Protocol InspectionSupports IPv6 for the following inspections Failover Guidelines323 H.225 Default Settings and NAT LimitationsServer over IP NetBIOS NameIP Options Sun RPC over SmtpSQL*Net Configuring Application Layer Protocol Inspection View the entire class map using the following command Ciscoasaconfig# policy-mapname ciscoasaconfig-pmap# Keywords Ipsec-pass-thru mapname Icmp Icmp error IlsNetbios mapname Ip-options mapnameTftp Waas Xdmcp Scansafe mapnameSqlnet Sunrpc 10-1 DNS InspectionDNS Inspection Actions Default Settings for DNS InspectionInformation About DNS Inspection General Information About DNSClass-map type inspect dns match-all Do one of the following10-3 10-4 Defining Actions in an Inspection Policy Map section onSection Keyword specifies the question portion of a DNS message.Section the authority keyword specifies the Authority RR Section the additional keyword specifies the Additional RRMatch not domain-name regex regexid Matches a DNS message domain name list. The regexname10-6 10-7 Id-mismatch count number duration seconds actionMessage-length maximum length client length auto Tsig enforced action drop log-Requires a Tsig10-8 Configuring DNS InspectionLayer 3/4 Class Maps section on page 1-12 for more 10-9 Monitoring DNS InspectionDynamic-filter-snoop keyword, see the Enabling DNS 10-10 Ciscoasa# show service-policyFTP Inspection FTP Inspection Overview10-11 Using the strict Option10-12 10-13 10-14 Ciscoasaconfig# policy-map type inspect ftp mymapHttp Inspection Overview Ciscoasaconfig# service-policy ftp-policy interface insideHttp Inspection Verifying and Monitoring FTP Inspection10-16 10-17 Ciscoasaconfig-cmap#match not req-resp content-type mismatch10-18 Ciscoasaconfig# policy-map type inspect http policymapname10-19 IM Inspection Overview Icmp Error InspectionIcmp Inspection Instant Messaging InspectionConference games Ciscoasaconfig-cmap#match not protocol im-yahoo im-msn10-21 10-22 Ciscoasaconfig# policy-map type inspect im policymapname10-23 IP Options Inspection10-24 IP Options Inspection Overview10-25 Ciscoasaconfig-pmap-p#router-alert action allow clearIPsec Pass Through Inspection 10-26 IPv6 InspectionIPsec Pass Through Inspection Overview Example for Defining an IPsec Pass Through Parameter Map10-27 Default Settings for IPv6 InspectionOptional Configuring an IPv6 Inspection Policy Map Information about IPv6 Inspection10-28 Routing-address count gt number -Sets the maximum10-29 Configuring IPv6 InspectionTo enable IPv6 inspection, perform the following steps 10-30 NetBIOS InspectionNetBIOS Inspection Overview 10-31 10-32 Pptp InspectionSmtp and Extended Smtp Inspection Smtp and Esmtp Inspection Overview10-33 10-34 Ciscoasaconfig# policy-map type inspect esmtp policymapname10-35 Tftp Inspection10-36 11-1 Ctiqbe InspectionCtiqbe Inspection Overview 11-2 Limitations and RestrictionsVerifying and Monitoring Ctiqbe Inspection 11-3 Inspection11-4 Inspection OverviewHow H.323 Works 11-5 Support in H.245 Messages11-6 11-7 Ciscoasaconfig-cmap#match not media-type audio data videoCiscoasaconfig# policy-map type inspect h323 policymapname 11-8 Ciscoasaconfig# ras-rcf-pinholes enableCiscoasaconfig-pmap-p#rtp-conformance enforce-payloadtype Ciscoasaconfig-pmap-p#state-checking h225 ras11-9 Configuring H.323 and H.225 Timeout ValuesVerifying and Monitoring H.323 Inspection Monitoring H.225 SessionsCiscoasa# show h323-ras Monitoring H.245 SessionsMonitoring H.323 RAS Sessions 11-1011-11 Mgcp InspectionMgcp Inspection Overview 11-12 Ciscoasaconfig# policy-map type inspect mgcp mapname11-13 Configuring Mgcp Timeout ValuesFollowing example shows how to define an Mgcp map 11-14 Rtsp InspectionVerifying and Monitoring Mgcp Inspection 11-15 Using RealPlayerRtsp Inspection Overview Restrictions and Limitations11-16 Ciscoasaconfig-cmap#match not request-method method11-17 Ciscoasaconfig# policy-map type inspect rtsp policymapname11-18 SIP InspectionSIP Inspection Overview 11-19 SIP Instant Messaging11-20 11-21 Ciscoasaconfig-cmap#match not content length gt length11-22 Ciscoasaconfig-cmap#match not uri sip tel length gt lengthCiscoasaconfig# policy-map type inspect sip policymapname 11-23 Ciscoasaconfig-pmap-p#software-version action mask log logCiscoasaconfig-pmap-p#uri-non-sip action mask log log 11-24 Configuring SIP Timeout ValuesSkinny Sccp Inspection Verifying and Monitoring SIP Inspection11-25 Sccp Inspection OverviewSupporting Cisco IP Phones 11-26 Ciscoasaconfig# policy-map type inspect skinny policymapname11-27 Ciscoasaconfig-pmap-p#sccp-prefix-len max min valuelength11-28 Verifying and Monitoring Sccp Inspection12-1 ILS InspectionILS Inspection, SQL*Net Inspection, Sun RPC Inspection, 12-2 SQL*Net Inspection12-3 Sun RPC InspectionSun RPC Inspection Overview 12-4 Managing Sun RPC ServicesVerifying and Monitoring Sun RPC Inspection Ciscoasa# show sunrpc-server active 12-512-6 13-1 Dcerpc InspectionDcerpc Overview 13-2 Ciscoasaconfig# policy-map type inspect dcerpc policymapname13-3 GTP InspectionGTP Inspection Overview 13-4 Ciscoasaconfig# policy-map type inspect gtp policymapname13-5 Ciscoasaconfig# object-group network GSN-pool-nameCiscoasaconfig-network#network-object host 13-6 Ciscoasaconfig# object-group network SGSN-nameCiscoasaconfig# object-group network sgsn32 13-7 Ciscoasaconfig# service-policy globalpolicy globalCiscoasa# show service-policy inspect gtp statistics Verifying and Monitoring GTP Inspection13-8 Ciscoasa# show service-policy gtp statistics grep gsnRadius Accounting Inspection Inspect radius-accounting radiusaccountingmap Configure the service policyRadius Accounting Inspection Overview 13-913-10 RSH InspectionSnmp Inspection Snmp Inspection Overview13-11 Xdmcp Inspection13-12 Configuring Unified Communications Page 14-1 14-2 Application Might not needCertificate for Phone proxy14-4 Model License Requirement1ASA Base License and Security Plus License 2 sessions ASA Base License 2 sessions14-5 ASA 5585-X with Base License 2 sessions SSP-10ASA 5585-X with Base License 2 sessions SSP-20, -40, or 14-6 IME15-1 Cisco Mobility Advantage ProxyCisco Presence Federation Proxy Cisco Intercompany Media Engine Proxy15-2 15-3 Licensing Requirements for the Unified Communication Wizard15-4 Supports IPv6 addresses15-5 Configuring the Private Network for the Phone Proxy15-6 Configuring Servers for the Phone ProxyClick the Generate and Export LDC Certificate button 15-7 Address Default Port Description15-8 15-9 Configuring the Public IP Phone Network15-10 15-11 15-12 15-13 15-14 15-15 Dialog box. See Installing a Certificate,Certificate, 15-16 15-17 15-18 Basic DeploymentOff-path Deployment 15-19 15-20 Other, respectively, during TLS handshakes Wizard supports using self-signed certificates onlyCisco UCMs need to be installed on the security appliance Supports installing self-signed certificates15-22 15-23 Installing a CertificateExporting an Identity Certificate 15-24 Click Install Certificate15-25 Saving the Identity Certificate Request15-26 15-27 15-28 16-1 Information About the Cisco Phone ProxyPhone Proxy Functionality TCP/RTP TLS/SRTP 16-216-3 Supported Cisco UCM and IP Phones for the Phone ProxyCisco Unified Communications Manager Cisco Unified IP Phones16-4 Licensing Requirements for the Phone Proxy16-5 16-6 Prerequisites for the Phone ProxyMedia Termination Instance Prerequisites This section contains the following topicsACL Rules Certificates from the Cisco UCMDNS Lookup Prerequisites Cisco Unified Communications Manager PrerequisitesPAT Prerequisites NAT and PAT PrerequisitesAddress Port Protocol Description NAT Prerequisites16-9 Prerequisites for IP Phones on Multiple Interfaces7940 IP Phones Support There must be two CTL file record entries for the Cisco UCM16-10 Cipc security-mode authenticatedCisco IP Communicator Prerequisites 16-11 Rate Limiting Configuration ExamplePrerequisites for Rate Limiting Tftp Requests Icmp deny any outside16-12 Phone Proxy Guidelines and LimitationsEnd-User Phone Provisioning Ways to Deploy IP Phones to End Users16-13 General Guidelines and Limitations16-14 Configuring the Phone ProxyMedia Termination Address Guidelines and Limitations 16-15 Importing Certificates from the Cisco UCMChoose Security Certificate Management Certificate Name Required for Authenticating IP phones with an LSCHostnameconfig# crypto ca trustpoint trustpointname Hostnameconfig# crypto ca authenticate trustpoint16-17 Creating Trustpoints and Generating Certificates16-18 Creating the CTL FilePrerequisites What to Do Next16-19 16-20 Using an Existing CTL File16-21 Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster16-22 16-23 Creating the Media Termination InstanceCucm/cucos/504/iptpch6.html#wp1040848 Cucm/cucos/504/iptpch6.html#wp104035416-24 Creating the Phone Proxy InstanceSee Media Termination Instance Prerequisites 16-25 See Creating the Media Termination Instance16-26 Enabling the Phone Proxy with SIP and Skinny InspectionSee Cisco IP Communicator Prerequisites 16-27 16-28 Troubleshooting the Phone ProxyConfiguring Your Router Debugging Information from the Security Appliance16-29 Use the Command16-30 Show conn all Show asp dropDebugging Information from IP Phones Show asp table classify domain16-32 Debugging Information from IP Phones16-33 Tftp Auth Error Displays on IP Phone ConsoleProblem The IP phone displays the following Status message IP Phone Registration Failure16-34 Configuration File Parsing ErrorConfiguration File Parsing Error Unable to Get DNS Response Ciscoasa# show running-config all ctl-file ctlnameHostname# debug phone-proxy tftp Non-configuration File Parsing ErrorPhone-proxy tftp 16-35Hostname# capture out interface outside 16-3616-37 IP Phone Requesting Unsigned File ErrorHostnameconfig# show running-config all phone-proxy IP Phone Unable to Download CTL File16-38 IP Phone Registration Failure from Signaling ConnectionsHostname# show run all ssl To add the required ciphers, enter the following commandDebug sip Debug skinny 16-3916-40 SSL Handshake Failure16-41 Media Termination Address ErrorsCertificate Validation Errors 16-42 Audio Problems with IP PhonesSaving Sast Keys 16-43 Record-entry capf trustpoint trustpoint address address Configuration Examples for the Phone Proxy16-44 Record-entry cucm trustpoint trustpoint address addressCorporate Network 16-45Fqdn my-ldc-ca.exmaple.com 16-46Phone a 10.10.0.24 16-4716-48 ASA Outside Interface Phone a 10.10.0.24 16-4916-50 16-51 Enroll terminal crypto ca authenticate capf ctl-file myctl16-52 Example 6 Vlan TransversalASA Inside Interface 10.130.50.24 16-5316-54 Feature History for the Phone Proxy17-1 17-2 Supported Cisco UCM and IP Phones for the TLS Proxy17-3 CTL Client Overview17-4 CTL Client TLS Proxy Features ASA IP Address or Domain Name17-5 Licensing for the TLS Proxy17-6 17-7 Configuring the TLS Proxy for Encrypted Voice Inspection17-8 Ciscoasaconfig# tls-proxy maximum-sessionsCiscoasaconfig# show crypto ca server certificate 17-9 17-10 Creating an Internal CA17-11 Creating a CTL Provider Instance17-12 Creating the TLS Proxy Instance17-13 Crypto ca trustpoint command17-14 17-15 Monitoring the TLS ProxyAES128-SHA 17-1617-17 2lists the release history for this featureTLS Proxy TLS proxy feature was introduced 17-18 18-1 Cisco Mobility Advantage Proxy Functionality18-2 Hostnameconfig-tlsp#no server authenticate-clientMobility Advantage Proxy Deployment Scenarios TLS 18-318-4 Mobility Advantage Proxy Using NAT/PATVersus 18-5 Trust Relationships for Cisco UMA Deployments18-6 Configuring Cisco Mobility AdvantageLonger requires a Unified Communications Proxy license 18-7 Task Flow for Configuring Cisco Mobility AdvantageInstalling the Cisco UMA Server Certificate Enabling the TLS Proxy for MMP Inspection,18-8 18-9 Enabling the TLS Proxy for MMP Inspection18-10 Exits from the Policy Map configuration modeEnables the service policy on all interfaces Monitoring for Cisco Mobility Advantage18-11 Configuration Examples for Cisco Mobility Advantage18-12 18-13 18-14 Feature History for Cisco Mobility Advantage19-1 Information About Cisco Unified Presence19-2 Ciscoasaconfig# object network obj-10.0.0.2-0119-3 19-4 Trust Relationship in the Presence Federation19-5 Xmpp Federation Deployments19-6 Configuration Requirements for Xmpp FederationConfigure the following NAT commands Allow traffic from any address to any single node on port19-7 Licensing for Cisco Unified Presence19-8 Configuring Cisco Unified Presence Proxy for SIP Federation19-9 Install the certificates. See Installing Certificates,19-10 Installing CertificatesTrustpoint for the remote entity 19-11 19-12 19-13 Trust-pointcommand is the remote entity proxyEnabling the TLS Proxy for SIP Inspection 19-14 Configuration Example for Cisco Unified PresenceExample Configuration for SIP Federation Deployments, Monitoring Cisco Unified Presence19-15 Example Configuration for SIP Federation Deployments19-16 19-17 Example ACL Configuration for Xmpp Federation19-18 Example NAT Configuration for Xmpp Federation19-19 19-20 Feature History for Cisco Unified Presence20-1 Features of Cisco Intercompany Media Engine Proxy20-2 How the UC-IME Works with the Pstn and the Internet20-3 Tickets and Passwords20-4 Call Fallback to the Pstn20-5 ArchitectureArchitecture, Basic Deployment, Off Path Deployment, 20-6 Basic Deployment20-7 Licensing for Cisco Intercompany Media EngineOff Path Deployment 20-8 Supported in single context mode onlySupported in routed firewall mode only Does not support IPv6 addresses20-9 20-10 Configuring Cisco Intercompany Media Engine ProxyTask Flow for Configuring Cisco Intercompany Media Engine 20-11 Configuring NAT for Cisco Intercompany Media Engine ProxyCreate the TLS proxy. See Creating the TLS Proxy, 20-12 Cisco UCM that you want to translate20-13 Configuring PAT for the Cisco UCM Server20-14 20-15 Creating ACLs for Cisco Intercompany Media Engine Proxy20-16 ProcedureGuidelines 20-17 Creating the Cisco Intercompany Media Engine ProxySee Creating the Cisco Intercompany Media Engine 20-18 20-19 Show running-config uc-ime command20-20 20-21 Prerequisites for Installing Certificates20-22 20-23 Creating the TLS ProxyCreating Trustpoints and Generating Certificates section on20-24 20-25 Created in , page 20-15of the task CreatingACLs for Cisco Intercompany Media Engine Proxy 20-26 Optional Configuring TLS within the Local EnterpriseWhere policymapname is the name of the policy Map you created in of this task20-27 Commands Purpose20-28 Where proxytrustpoint for the server trust-pointWhere proxytrustpoint for the client trust-point 20-29 Optional Configuring Off Path Signaling20-30 Intercompany Media Engine Proxy,Creating the Cisco Intercompany Media Engine Proxy,20-31 20-32 20-33 Show uc-ime signaling-sessions20-34 Show uc-ime signaling-sessions statisticsShow uc-ime media-sessions detail 20-35 Show uc-ime mapping-service-sessionsShow uc-ime mapping-service-sessions statistics Show uc-ime fallback-notification statistics20-36 Configuring Connection Settings and QoS Page 22-1 Information About Connection Settings22-2 TCP Intercept and Limiting Embryonic ConnectionsDead Connection Detection DCD 22-3 TCP Sequence RandomizationTCP Normalization TCP State Bypass22-4 Licensing Requirements for Connection SettingsTCP Normalizer TCP State Bypass Unsupported FeaturesMaximum Concurrent and Embryonic Connection Guidelines TCP State BypassCustomizing the TCP Normalizer with a TCP Map Configuring Connection SettingsTask Flow For Configuring Connection Settings For each TCP map, you can customize one or more settings22-7 22-8 Command22-9 Command22-10 22-11 Configuring Connection SettingsUrgent-flag allow clear Window-variation allow drop22-12 22-13 Random-sequence-number enable disable keywordTCP Sequence Randomization section on page 22-3 section for Embryonic-conn-max keywordsTo 0, which means the connection never times out Command in the command referenceEmbryonic hh mm ss keyword sets the timeout period until a Idle hh mm ss keyword sets the idle timeout period after22-15 Monitoring Connection SettingsConfiguration Examples for Connection Settings Configuration Examples for Connection Limits and Timeouts22-16 Configuration Examples for TCP State BypassConfiguration Examples for TCP Normalization Following is a sample configuration for TCP state bypass22-17 Feature History for Connection SettingsPer-client-max Timeout half-closed,timeout half-closedConn-max,set connection embryonic-conn-max,set Connection per-client-embryonic-max,set connection23-1 Information About QoS23-2 Supported QoS FeaturesWhat is a Token Bucket? 23-3 Information About PolicingInformation About Priority Queuing 23-4 How QoS Features InteractInformation About Traffic Shaping Model Guidelines Licensing Requirements for QoSDscp and DiffServ Preservation Does not support IPv623-6 Configuring QoS23-7 Mbps125 Kbps23-8 Configuring the Standard Priority Queue for an InterfacePriority queue, or for the ASA 5505 or ASASM, the Vlan Interface name23-9 23-10 23-11 Step23-12 23-13 23-14 Configuring the Service Rule23-15 Multiple of 8000. See the Information About Traffic ShapingPriority Queuing Policy section on 23-16 Ciscoasa# show service-policy policeMonitoring QoS Viewing QoS Police Statistics23-17 Viewing QoS Standard Priority StatisticsViewing QoS Shaping Statistics Ciscoasa# show priority-queue statistics test Viewing QoS Standard Priority Queue Statistics23-18 23-19 Feature History for QoS23-20 24-1 Troubleshooting Connections and ResourcesTesting Your Configuration 24-2 Enabling Icmp Debugging Messages and Syslog Messages24-3 Pinging ASA Interfaces24-4 ASA24-5 Passing Traffic Through the ASA24-6 Disabling the Test Configuration24-7 Monitoring Per-Process CPU UsageDetermining Packet Routing with Traceroute Tracing Packets with Packet Tracer24-8 Configuring Advanced Network Protection Page 25-1 Configuring the ASA for Cisco Cloud Web Security25-2 User Authentication and Cloud Web SecurityInformation About Cisco Cloud Web Security Redirection of Web Traffic to Cloud Web Security25-3 Authentication KeysCompany Authentication Key Group Authentication Key Company Authentication Key, Group Authentication Key,25-4 ScanCenter PolicyDirectory Groups Custom Groups25-5 How Groups and the Authentication Key InteroperateCloud Web Security Actions IPv4 and IPv6 Support Failover from Primary to Backup Proxy ServerLicensing Requirements for Cisco Cloud Web Security Bypassing Scanning with Whitelists25-7 Optional User Authentication PrerequisitesPrerequisites for Cloud Web Security Optional Fully Qualified Domain Name Prerequisites25-8 Configuring Cisco Cloud Web SecurityBy default, Cisco Cloud Web Security is not enabled 25-9 See the Authentication Keys section on25-10 Config-url disk0/onectx.cfg Context two25-11 Optional Configuring Whitelisted Traffic section on25-12 Adding an Extended Access Control List,25-13 Policy section on page 1-17for more information25-14 25-15 Optional Configuring Whitelisted Traffic25-16 Optional Configuring the User Identity MonitorConfiguring the Cloud Web Security Policy Object-group-user-Specifies an object-group user name25-17 Monitoring Cloud Web SecurityHttp//Whoami.scansafe.net 25-18 Configuration Examples for Cisco Cloud Web SecuritySingle Mode Example 25-19 Multiple Mode ExampleWhitelist Example To attach class-maps to the Cloud Web Security Policy map25-20 Configuring the Active Directory Server Using LdapDirectory Integration Examples Creating the ASA as a Client on the AD Agent Server Configuring the Active Directory Agent Using RadiusTesting the AD Agent Configuring the Identity Options on the ASAShowing a List of Active Users Cloud Web Security with Identity Firewall ExampleMonitoring the Active Directory Groups Downloading the Database from the AD Agent25-23 Aaa-server AD inside host 192.168.116.220 server-port 25-24No call-home reporting anonymous call-home 25-2525-26 Feature History for Cisco Cloud Web SecurityRelated Documents Related Documents26-1 Information About the Botnet Traffic FilterBotnet Traffic Filter Address Types, Information About the Dynamic Database Botnet Traffic Filter Address TypesBotnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Databases26-3 Information About the Static Database26-4 26-5 How the Botnet Traffic Filter Works26-6 Licensing Requirements for the Botnet Traffic FilterPrerequisites for the Botnet Traffic Filter 26-7 Configuring the Botnet Traffic FilterTask Flow for Configuring the Botnet Traffic Filter 26-8 Configuring the Dynamic Database26-9 Adding Entries to the Static DatabaseSee the Adding Entries to the Static Database section on 26-10 Enabling DNS SnoopingSee the Enabling DNS Snooping section on TCP DNS traffic is not supported26-11 26-12 Inspection section on page 10-1 for more information about26-13 Recommended ConfigurationVery-low Low Moderate High Very-high Subset of the dynamic-filter enable ACLSee the Blocking Botnet Traffic Manually section on Threat-level range moderate very-high26-15 For dropping purposes. If you do not enable this commandBlocking Botnet Traffic Manually About the greylist26-16 Searching the Dynamic Database26-17 Botnet Traffic Filter CommandsMonitoring the Botnet Traffic Filter Botnet Traffic Filter Syslog Messaging26-18 Infected-hosts commandDns-snoop command Ciscoasa# show dynamic-filter reports top malware-ports Configuration Examples for the Botnet Traffic FilterRecommended Configuration Example 26-19Outside Other Configuration Examples26-20 26-21 26-22 Feature History for the Botnet Traffic Filter27-1 Configuring Threat DetectionInformation About Threat Detection Licensing Requirements for Threat Detection27-2 Configuring Basic Threat Detection StatisticsInformation About Basic Threat Detection Statistics Types of Traffic Monitored Trigger Settings Packet Drop Reason Average Rate Burst RateGuidelines and Limitations Security Context Guidelines27-4 Configuring Basic Threat Detection Statistics27-5 Monitoring Basic Threat Detection StatisticsThreat Detection Statistics section on 27-6 Configuring Advanced Threat Detection StatisticsFeature History for Basic Threat Detection Statistics Information About Advanced Threat Detection Statistics27-7 Configuring Advanced Threat Detection Statistics27-8 27-9 Monitoring Advanced Threat Detection Statistics27-10 27-11 Using the show threat-detection rate acl-drop command27-12 Protocolnumber argument is an integer between 0Statistics Field27-13 Field Description27-14 Feature History for Advanced Threat Detection Statistics27-15 Configuring Scanning Threat DetectionInformation About Scanning Threat Detection 27-16 Average Rate Burst RateDisplays the hosts that are currently shunned Configuring Scanning Threat DetectionConfiguration see the Configuring Basic Threat Detection Monitoring Shunned Hosts, Attackers, and Targets27-18 Feature History for Scanning Threat Detection27-19 Configuration Examples for Threat Detection27-20 28-1 Preventing IP Spoofing28-2 Configuring the Fragment SizeBlocking Unwanted Connections 28-3 Configuring IP Audit for Basic IPS SupportConfiguring IP Audit Configuring IP Audit, IP Audit Signature List,28-4 IP Audit Signature List1lists supported signatures and system message numbers Signature Message Number Signature Title28-5 28-6 28-7 28-8 29-1 Information About Web Traffic Filtering29-2 Configuring ActiveX FilteringLicensing Requirements for ActiveX Filtering Information About ActiveX Filtering29-3 Configuring ActiveX FilteringConfiguration Examples for ActiveX Filtering Guidelines and Limitations for ActiveX FilteringLicensing Requirements for Java Applet Filtering Configuring Java Applet FilteringFeature History for ActiveX Filtering Information About Java Applet Filtering29-5 Configuring Java Applet FilteringConfiguration Examples for Java Applet Filtering Guidelines and Limitations for Java Applet Filtering29-6 Feature History for Java Applet FilteringFiltering URLs and FTP Requests with an External Server Information About URL Filtering29-7 Licensing Requirements for URL FilteringGuidelines and Limitations for URL Filtering 29-8 Identifying the Filtering ServerChoose from the following options 29-9 Maximum memory allocation of 2 KB to 10 MB Configuring Additional URL Filtering SettingsBuffering the Content Server Response Replaces block-buffer with the maximum number of HttpWebsense server Caching Server AddressesFiltering Http URLs On the Websense server29-12 29-13 Filtering Https URLs29-14 Filtering FTP RequestsMight enter cd ./files instead of cd /public/files Ciscoasa# show url-server Following is sample output from the show url-servercommandMonitoring Filtering Statistics 29-1529-16 Following is sample output from the show url-blockcommandFollowing is sample output from the show perfmon command Following is sample output from the show filter command29-17 Feature History for URL Filtering29-18 Configuring Modules Page 30-1 Information About the ASA CX Module30-2 How the ASA CX Module Works with the ASA30-3 Monitor-Only ModeService Policy in Monitor-Only Mode Traffic-Forwarding Interface in Monitor-Only Mode30-4 Initial ConfigurationInitial Configuration, Policy Configuration and Management, Information About ASA CX ManagementInformation About VPN and the ASA CX Module Information About Authentication ProxyCompatibility with ASA Features Policy Configuration and Management30-6 Licensing Requirements for the ASA CX Module30-7 Monitor-Only Mode GuidelinesASA Clustering Guidelines Does not support clusteringTask Flow for the ASA CX Module Configuring the ASA CX ModuleSee the Compatibility with ASA Features section on Parameters Default30-9 Connecting the ASA CX Management InterfaceASA 5585-X Hardware Module 30-10 If you have an inside routerIf you do not have an inside router 30-11 ASA 5512-X through ASA 5555-X Software Module30-12 30-13 ExamplePartition the SSD 30-14 Session 1 do setup host ipASA 5585-X Changing the ASA CX Management IP Address Sets the ASA CX management IP address, mask, and gatewayEnter an IPv6 address 2001DB80CD301234/64 Configuring Basic ASA CX Settings at the ASA CX CLI30-15 Ciscoasa# session cxsc console30-16 Change the admin password by entering the following commandAsacx config passwd 30-17 Optional Configuring the Authentication Proxy Port30-18 Creating the ASA CX Service PolicyRedirecting Traffic to the ASA CX Module 30-19 See the Monitor-Only Mode section on page 30-3 for more30-20 Configuring Traffic-Forwarding Interfaces Monitor-Only ModeSee the Feature Matching Within a Service Policy section on 30-21 Managing the ASA CX Module30-22 Resetting the PasswordReloading or Resetting the Module For a software module ASA 5512-X through ASA30-23 Shutting Down the ModuleReload Sw-module module cxsc uninstallNew module type 30-2430-25 Admin123Monitoring the ASA CX Module Showing Module Status30-26 Showing Module Statistics30-27 Monitoring Module ConnectionsShow asp event dp-cp cxsc-msg Dp-cp‘X’ flag 30-28Ciscoasa# show asp event dp-cp cxsc-msg 30-29Ciscoasa# show asp drop 30-30 Troubleshooting the ASA CX ModuleCapturing Module Traffic Debugging the Module30-31 Problems with the Authentication Proxy30-32 Configuration Examples for the ASA CX ModuleCheck the authentication proxy port Check the authentication proxy rules30-33 Feature History for the ASA CX Module30-34 We modified or introduced the following commands cxscFail-close fail-openmonitor-only,traffic-forward Cxsc monitor-only30-35 Capture interface asadataplane commandAsadataplane 30-36 31-1 Information About the ASA IPS Module31-2 How the ASA IPS Module Works with the ASA31-3 Using Virtual Sensors ASA 5510 and HigherOperating Modes 31-4 Information About Management Access31-5 Licensing Requirements for the ASA IPS module31-6 1lists the default settings for the ASA IPS moduleManagement Vlan ASA 5505 only 31-7 Configuring the ASA IPS moduleTask Flow for the ASA IPS Module 31-8 Connecting the ASA IPS Management Interface31-9 31-10 ASA31-11 ASA 5512-X through ASA 5555-X Booting the Software ModuleSessioning to the Module from the ASA 31-12 Configuring Basic IPS Module Network SettingsFor example, using the filename in the example in , enter Ciscoasa# sw-module module ips recover bootSessioning to the Module from the ASA Section on ASA 5510 and Higher Configuring Basic Network SettingsASA 5505 Configuring Basic Network Settings Connecting the ASA IPS Management Interface section on31-14 31-15 Configuring the Security Policy on the ASA IPS ModuleDetails command 31-16 31-17 31-18 Diverting Traffic to the ASA IPS module31-19 31-20 31-21 Installing and Booting an Image on the ModuleManaging the ASA IPS module IPS module31-22 31-23 Uninstalling a Software Module ImageSw-module module ips uninstall For a software module for example, the ASA 5545-X31-24 Sw-module module ips password-resetFor a software module for example, the ASA 31-25 Monitoring the ASA IPS moduleIps for a software module Ciscoasa# show module ips Configuration Examples for the ASA IPS module31-26 31-27 Feature History for the ASA IPS moduleAllow-ssc-mgmt,hw-module module ip, and hw-module Module allow-ip31-28 Inventory, show environmentSession, show module, sw-module 32-1 Information About the CSC SSM32-2 ASA32-3 Determining What Traffic to Scan32-4 Common Network Configuration for CSC SSM Scanning32-5 Licensing Requirements for the CSC SSMPrerequisites for the CSC SSM 32-6 1lists the default settings for the CSC SSMParameter Default Supported in single and multiple context modes32-7 Configuring the CSC SSMBefore Configuring the CSC SSM 32-8 Connecting to the CSC SSMSee the Connecting to the CSC SSM section on 32-9 32-10 Diverting Traffic to the CSC SSMSee the Diverting Traffic to the CSC SSM section on Determining What Traffic to Scan section on32-11 32-12 Guidelines and Limitations section onDisplays additional status information Monitoring the CSC SSMSee the Monitoring the CSC SSM section on Displays the status32-14 Troubleshooting the CSC ModuleInstalling an Image on the Module 32-15 Resetting the PasswordRecover command 32-16 Reloading or Resetting the ModuleShuts down the module Configuration Examples for the CSC SSMCiscoasaconfig-cmap#policy-map cscinpolicy Shutting Down the ModuleAssistance with the Startup Wizard Additional ReferencesRelated Topic Document Title Instructions on use of the CSC SSM GUI32-19 Feature History for the CSC SSMFeature Name Platform Releases Feature Information Details recover32-20 IN-1 IN-2 IN-3 IN-4 IN-5 IN-6 See also policy mapLDP 6-7router-id 6-7TDP Multi-session PAT RPC not supported withIN-7 IN-8 IN-9 IN-10

Command

Step 1.

Example:

Example:

Example:

Example:

Example:

Examples

23-11