Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Configuring IPsec

68-11

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter68 Configuring IKE, Load Balancing, and NAC

Configuring IPsec

The IP addresses in the pool range must not be assigned to other network resources.

Fields

•Name—Assign an alpha-numeric name to the address pool. Limit 64 characters

•Starting IP Address—Enter the first IP address available in this pool. Use dotted decimal notation,

for example: 10.10.147.100.

•Ending IP Address—Enter the last IP address available in this pool. Use dotted decimal notation,

for example: 10.10.147.100.

•Subnet Mask—Choose the subnet mask for the IP address pool.

Modes

The following table shows the modes in which this feature is available:

Configuring IPsec

The ASA uses IPsec for LAN-to-LAN VPN connections, and provides the option of using IPsec for

client-to-LAN VPN connections. In IPsec terminology, a “peer” is a remote-access client or another

secure gateway.

Note The ASA supports LAN-to-LAN IPsec connections with Cisco peers (IPv4 or IPv6), and with third-party

peers that comply with all relevant standards.

During tunnel establishment, the two peers negotiate security associations that govern authentication,

encryption, encapsulation, and key management. These negotiations involve two phases: first, to

establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).

A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN

connections, the ASA can function as initiator or responder. In IPsec client-to-LAN connections, the

ASA functions only as responder. Initiators propose SAs; responders accept, reject, or make

counter-proposals—all in accordance with configured SA parameters. To establish a connection, both

entities must agree on the SAs.

The ASA supports these IPsec attributes:

•Main mode for negotiating phase one ISAKMP security associations when using digital certificates

for authentication

•Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using

preshared keys for authentication

•Authentication Algorithms:

–

ESP-MD5-HMAC-128

–

ESP-SHA1-HMAC-160

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Contents

Main Cisco ASA 5500 Series Configuration Guide using ASDM Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This Guide Document Objectives Audience Related Documentation Conventions Obtaining Documentation and Submitting a Service Request Page Page Page Introduction to the Cisco ASA 5500 Series ASDM Client Operating System and Browser Requirements Hardware and Software Compatibility VPN Specifications New Features New Features in Version 8.6(1)/6.6(1) Page New Features in Version 8.4(4.1)/6.4(9) Page Page Page New Features in Version 8.4(3)/6.4(7) Page New Features in Version 8.4(2)/6.4(5) Page Page Page Page New Features in Version 8.2(5)/6.4(3) New Features in Version 8.4(1)/6.4(1) Page Page Page Page Page Firewall Functional Overview Security Policy Overview Permitting or Denying Traffic with Access Rules Applying NAT Protecting from IP Fragments Using AAA for Through Traffic Applying HTTP, HTTPS, or FTP Filtering Applying Application Inspection Sending Traffic to the IPS Module Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Security Context Overview Page Getting Started Accessing the Appliance Command-Line Interface Configuring ASDM Access for Appliances Accessing ASDM Using the Factory Default Configuration Accessing ASDM Using a Non-Default Configuration (ASA 5505) Page Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher) Starting ASDM Connecting to ASDM for the First Time Starting ASDM from the ASDM-IDM Launcher Starting ASDM from the Java Web Start Application Using ASDM in Demo Mode Factory Default Configurations Restoring the Factory Default Configuration Limitations Page ASA 5505 Default Configuration ASA 5505 Routed Mode Default Configuration ASA 5505 Transparent Mode Sample Configuration 2-16 ASA 5510 and Higher Default Configuration Getting Started with the Configuration Using the Command Line Interface Tool in ASDM Using the Command Line Interface Tool Handling Command Errors Using Interactive Commands Avoiding Conflicts with Other Administrators Showing Commands Ignored by ASDM on the Device Page Using the ASDM User Interface Information About the ASDM User Interface 765 89 24 Navigating in the ASDM User Interface Menus File Menu View Menu Tools Menu Page Wizards Menu Window Menu Help Menu Toolbar ASDM Assistant Status Bar Connection to Device Device List Common Buttons Keyboard Shortcuts Page Find Function Using the Find Function in Most ASDM Panes Using the Find Function in the ACL Manager Pane Enabling Extended Screen Reader Support Organizational Folder About the Help Window Header Buttons Browser Window Home Pane (Single Mode and Context) Device Dashboard Tab Device Information Pane General Tab License Tab Interface Status Pane VPN Sessions Pane Failover Status Pane System Resources Status Pane Traffic Status Pane Page Firewall Dashboard Tab Traffic Overview Pane Top 10 Access Rules Pane Top Usage Status Pane Top Ten Protected Servers Under SYN Attack Pane Top 200 Hosts Pane Top Botnet Traffic Filter Hits Pane Content Security Tab Intrusion Prevention Tab 1 23 4 5 ASA CX Status Tab Home Pane (System) Defining ASDM Preferences Using the ASDM Assistant Enabling History Metrics Unsupported Commands Ignored and View-Only Commands Effects of Unsupported Commands Discontinuous Subnet Masks Not Supported Interactive User Commands Not Supported by the ASDM CLI Tool Page Page Managing Feature Licenses Supported Feature Licenses Per Model Licenses Per Model Page Page Page Page Page Page Page Page Page Page Page Page Page Page License Notes Page Page Page VPN License and Feature Compatibility Information About Feature Licenses Preinstalled License Permanent License Time-Based Licenses Time-Based License Activation Guidelines How the Time-Based License Timer Works How Permanent and Time-Based Licenses Combine Stacking Time-Based Licenses Time-Based License Expiration Shared AnyConnect Premium Licenses Information About the Shared Licensing Server and Participants Communication Issues Between Participant and Server Information About the Shared Licensing Backup Server Failover and Shared Licenses Failover and Shared License Servers Failover and Shared License Participants Maximum Number of Participants Failover Licenses (8.3(1) and Later) Failover License Requirements and Exceptions How Failover Licenses Combine Loss of Communication Between Failover Units Upgrading Failover Pairs No Payload Encryption Models Licenses FAQ Page Configuring Licenses Obtaining an Activation Key Activating or Deactivating Keys Limitations and Restrictions Configuring a Shared License Configuring the Shared Licensing Server Configuring the Shared Licensing Participant and the Optional Backup Server Monitoring Licenses Viewing Your Current License Monitoring the Shared License Feature History for Licensing Page Page Page Page Page Page Using the Startup Wizard Information About the Startup Wizard Licensing Requirements for the Startup Wizard Startup Wizard Screens Starting Point or Welcome Basic Configuration Interface Screens Interface Selection (ASA 5505) Switch Port Allocation (ASA 5505) Interface IP Address Configuration (ASA 5505, Routed Mode) Static Routes Easy VPN Remote Configuration (ASA 5505, Single Mode, Routed Mode) DHCP Server Address Translation (NAT/PAT) Administrative Access IPS Basic Configuration (IPS SSP) Time Zone and Clock Configuration (ASA 5585-X) Auto Update Server (Single Mode) Startup Wizard Summary Feature History for the Startup Wizard Page VPN Wizards VPN Overview IPsec IKEv1 Remote Access Wizard Remote Access Client VPN Client Authentication Method and Tunnel Group Name Client Authentication User Accounts Address Pool Attributes Pushed to Client (Optional) IKE Policy IPsec Settings (Optional) IPsec Site-to-Site VPN Wizard Peer Device Identification IKE Version Traffic to Protects Authentication Methods Encryption Algorithm Miscellaneous AnyConnect VPN Wizard Connection Profile Identification VPN Protocols Client Images Authentication Methods Client Address Assignment Network Name Resolution Servers NAT Exempt Clientless SSL VPN Wizard SSL VPN Interface User Authentication Group Policy Bookmark List Page Page Page Using the Information About the High Availability and Scalability Wizard Licensing Requirements for the High Availability and Scalability Prerequisites for the High Availability and Scalability Wizard Configuring Failover with the High Availability and Scalability Accessing the High Availability and Scalability Wizard Configuring Active/Active Failover with the High Availability and Scalability Configuring Active/Standby Failover with the High Availability and Scalability High Availability and Scalability Wizard Screens Configuration Type Failover Peer Connectivity and Compatibility Check Change a Device to Multiple Mode Security Context Configuration Failover Link Configuration State Link Configuration Standby Address Configuration Summary Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard VPN Cluster Load Balancing Configuration Page Feature History for the High Availability and Scalability Wizard Using the Cisco Unified Communication Wizard Information about the Cisco Unified Communication Wizard Page Licensing Requirements for the Unified Communication Wizard Configuring the Phone Proxy by using the Unified Configuring the Private Network for the Phone Proxy Configuring Servers for the Phone Proxy Page Enabling Certificate Authority Proxy Function (CAPF) for IP Phones Configuring the Public IP Phone Network Configuring the Media Termination Address for Unified Communication Proxies Configuring the Mobility Advantage by using the Unified Configuring the Topology for the Cisco Mobility Advantage Proxy Configuring the Server-Side Certificates for the Cisco Mobility Advantage Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy Configuring the Presence Federation Proxy by using the Unified Communication Wizard Configuring the Topology for the Cisco Presence Federation Proxy Configuring the Local-Side Certificates for the Cisco Presence Federation Configuring the Remote-Side Certificates for the Cisco Presence Federation Configuring the UC-IME by using the Unified Communication Configuring the Topology for the Cisco Intercompany Media Engine Proxy Configuring the Private Network Settings for the Cisco Intercompany Media Page Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy Configuring the Public Network Settings for the Cisco Intercompany Media Configuring the Local-Side Certificates for the Cisco Intercompany Media Configuring the Remote-Side Certificates for the Cisco Intercompany Media Working with Certificates in the Unified Communication Wizard Exporting an Identity Certificate Installing a Certificate Generating a Certificate Signing Request (CSR) for a Unified Communications Saving the Identity Certificate Request Installing the ASA Identity Certificate on the Mobility Advantage Server Page Page Configuring Trend Micro Content Security Information About the CSC SSM Licensing Requirements for the CSC SSM Prerequisites for the CSC SSM CSC SSM Setup Activation/License IP Configuration Host/Notification Settings Management Access Host/Networks Password Restoring the Default Password Wizard Setup CSC Setup Wizard Activation Codes Configuration CSC Setup Wizard IP Configuration CSC Setup Wizard Host Configuration CSC Setup Wizard Management Access Configuration CSC Setup Wizard Password Configuration CSC Setup Wizard Traffic Selection for CSC Scan Specifying Traffic for CSC Scanning CSC Setup Wizard Summary Using the CSC SSM GUI Web Mail SMTP Tab POP3 Tab File Transfer Updates Feature History for the CSC SSM Page Page Page Configuring the Transparent or Routed Firewall Configuring the Firewall Mode Information About the Firewall Mode Information About Routed Firewall Mode Information About Transparent Firewall Mode Transparent Firewall Network Bridge Groups Management Interface (ASA 5510 and Higher) Allowing Layer 3 Traffic Allowed MAC Addresses Passing Traffic Not Allowed in Routed Mode Passing Traffic For Routed-Mode Features BPDU Handling MAC Address vs. Route Lookups Using the Transparent Firewall in Your Network Licensing Requirements for the Firewall Mode Page Setting the Firewall Mode Feature History for Firewall Mode Configuring ARP Inspection for the Transparent Firewall Information About ARP Inspection Licensing Requirements for ARP Inspection Configuring ARP Inspection Task Flow for Configuring ARP Inspection Adding a Static ARP Entry Enabling ARP Inspection Feature History for ARP Inspection Customizing the MAC Address Table for the Transparent Firewall Information About the MAC Address Table Licensing Requirements for the MAC Address Table Configuring the MAC Address Table Adding a Static MAC Address Disabling MAC Address Learning Feature History for the MAC Address Table Firewall Mode Examples How Data Moves Through the ASA in Routed Firewall Mode An Inside User Visits a Web Server An Outside User Visits a Web Server on the DMZ An Inside User Visits a Web Server on the DMZ An Outside User Attempts to Access an Inside Host A DMZ User Attempts to Access an Inside Host How Data Moves Through the Transparent Firewall An Inside User Visits a Web Server An Inside User Visits a Web Server Using NAT An Outside User Visits a Web Server on the Inside Network An Outside User Attempts to Access an Inside Host Configuring Multiple Context Mode Information About Security Contexts Common Uses for Security Contexts Context Configuration Files Context Configurations System Configuration Admin Context Configuration How the ASA Classifies Packets Valid Classifier Criteria Unique Interfaces Unique MAC Addresses NAT Configuration Classification Examples 11-5 Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access Information About Resource Management Resource Limits Default Class Class Members Information About MAC Addresses Default MAC Address Interaction with Manual MAC Addresses Failover MAC Addresses Licensing Requirements for Multiple Context Mode MAC Address Format MAC Address Format Using a Prefix MAC Address Format Without a Prefix (Legacy Method; Not Available in 8.6(1) and Later) Page Configuring Multiple Contexts Task Flow for Configuring Multiple Context Mode Enabling or Disabling Multiple Context Mode Enabling Multiple Context Mode Restoring Single Context Mode Configuring a Class for Resource Management Page Page Configuring a Security Context Automatically Assigning MAC Addresses to Context Interfaces Monitoring Security Contexts Monitoring Context Resource Usage Viewing Assigned MAC Addresses Viewing MAC Addresses in the System Configuration Viewing MAC Addresses Within a Context Feature History for Multiple Context Mode Page Page Page Page Starting Interface Configuration (ASA 5510 and Higher) Information About Starting ASA 5510 and Higher Interface Configuration Auto-MDI/MDIX Feature Interfaces in Transparent Mode Management Interface Management Interface Overview Management Slot/Port Interface Using Any Interface for Management-Only Traffic Management Interface for Transparent Mode No Support for Redundant Management Interfaces Management 0/0 Interface on the ASA 5512-X through ASA 5555-X Redundant Interfaces Redundant Interface MAC Address EtherChannels Channel Group Interfaces Connecting to an EtherChannel on Another Device Link Aggregation Control Protocol Load Balancing EtherChannel MAC Address Licensing Requirements for ASA 5510 and Higher Interfaces Page Page Page Starting Interface Configuration (ASA 5510 and Higher) Task Flow for Starting Interface Configuration Converting In-Use Interfaces to a Redundant or EtherChannel Interface Detailed Steps (Single Mode) Page 12-15 commands: interface redundant number [1-8] interface port-channel channel_id [1-48] For example: command: 12-16 EtherChannel interfaceEnter the following command under each interface you want to add to the 12-17 shutdown command. For example, your final EtherChannel configuration is: Detailed Steps (Multiple Mode) Page 12-20 For example, you download the following context configurations (interface configuration shown): CustomerA Context CustomerB Context Page Page Enabling the Physical Interface and Configuring Ethernet Parameters Page Page Configuring a Redundant Interface Configuring a Redundant Interface Page Page Changing the Active Interface Configuring an EtherChannel Adding Interfaces to the EtherChannel Page Customizing the EtherChannel Page Page Configuring VLAN Subinterfaces and 802.1Q Trunking Page Page Enabling Jumbo Frame Support (Supported Models) Page Page Page Feature History for ASA 5510 and Higher Interfaces Page Page Starting Interface Configuration (ASA 5505) Information About ASA 5505 Interfaces Understanding ASA 5505 Ports and Interfaces Maximum Active VLAN Interfaces for Your License Page VLAN MAC Addresses Licensing Requirements for ASA 5505 Interfaces Power over Ethernet Monitoring Traffic Using SPAN Auto-MDI/MDIX Feature Page Starting ASA 5505 Interface Configuration Task Flow for Starting Interface Configuration Configuring VLAN Interfaces Page Configuring and Enabling Switch Ports as Access Ports Page Configuring and Enabling Switch Ports as Trunk Ports Page Page Page Page Page Feature History for ASA 5505 Interfaces Completing Interface Configuration (Routed Mode) Information About Completing Interface Configuration in Routed Mode Dual IP Stack (IPv4 and IPv6) Licensing Requirements for Completing Interface Configuration in Routed Mode Page Page Completing Interface Configuration in Routed Mode Page Page Page Page PPPoE IP Address and Route Settings Page Information About the MTU Page Configuring IPv6 Addressing Page Page Page Page Page (Optional) Configuring the Link-Local Addresses Automatically (Optional) Configuring the Link-Local Addresses Manually Information About Intra-Interface Communication DHCP DHCP Server Table DHCP Client Lease Information DHCP Statistics Dynamic ACLs Page Page PPPoE Client Interface Connection Track Status for Monitoring Statistics for Feature History for Interfaces in Routed Mode Page Completing Interface Configuration (Transparent Mode, 8.4 and Later) Information About Completing Interface Configuration in Transparent Mode (8.4 and Later) Bridge Groups in Transparent Mode Licensing Requirements for Completing Interface Configuration in Transparent Mode Page Page Completing Interface Configuration in Transparent Mode (8.4 and Later) Configuring Bridge Groups Page Page Page Configuring a Management Interface (ASA 5510 and Higher) Page Page Information About the MTU Page Configuring IPv6 Addressing Page Unsupported Commands Page (Optional) Configuring the Link-Local Addresses Automatically (Optional) Configuring the Link-Local Addresses Manually Page DHCP DHCP Server Table DHCP Client Lease Information DHCP Statistics Dynamic ACLs Page Page PPPoE Client Interface Connection Track Status for Monitoring Statistics for Feature History for Interfaces in Transparent Mode Page Completing Interface Configuration (Transparent Mode, 8.3 and Earlier) Information About Completing Interface Configuration in Transparent Mode (8.3 and Earlier) Information About the Global Management IP Address Licensing Requirements for Completing Interface Configuration in Transparent Mode Setting the Management IP Address for a Transparent Firewall (8.3 and Earlier) Configuring the IPv4 Address Configuring the IPv6 Address Unsupported Commands Configuring the Global Address Configuring the Link-Local Addresses Automatically Configuring the Link-Local Address on an Interface Manually Configuring DAD Settings Completing Interface Configuration in Transparent Mode (8.3 and Earlier) Page Configuring a Management Interface (ASA 5510 and Higher) Configuring General Parameters and the IPv4 Address Page Page Page Page Page Page Feature History for Interfaces in Transparent Mode Page Page Page Page Configuring Basic Settings Configuring the Hostname, Domain Name, and Passwords Setting the Hostname, Domain Name, and the enable and Telnet Passwords Setting the Date and Time Setting the Date and Time Using an NTP Server Adding or Editing the NTP Server Configuration Setting the Date and Time Manually Configuring the Master Passphrase Information About the Master Passphrase Licensing Requirements for the Master Passphrase Adding or Changing the Master Passphrase Disabling the Master Passphrase Recovering the Master Passphrase Feature History for the Master Passphrase Configuring the DNS Server Page Monitoring DNS Cache Feature History for DNS Cache Page Configuring DHCP Information About DHCP Licensing Requirements for DHCP Configuring DHCP Relay Services Page Editing DHCP Relay Agent Settings Adding or Editing Global DHCP Relay Server Settings Configuring a DHCP Server Editing DHCP Servers Configuring Advanced DHCP Options DHCP Monitoring Feature History for DHCP Page Configuring Dynamic DNS Information About DDNS Licensing Requirements for DDNS Configuring Dynamic DNS Page DDNS Monitoring Feature History for DDNS Page Page Configuring Objects Configuring Network Objects and Groups Network Object Overview Configuring a Network Object Configuring a Network Object Group Using Network Objects and Groups in a Rule Viewing the Usage of a Network Object or Group Configuring Service Objects and Service Groups Information about Service Objects and Service Groups Adding and Editing a Service Object Adding a Service Object Editing a Service Object Adding and Editing a Service Group Adding a Service Group Editing a Service Group Browse Service Groups Licensing Requirements for Objects and Groups Guidelines and Limitations for Objects and Groups Configuring Regular Expressions Creating a Regular Expression Page Building a Regular Expression Page Testing a Regular Expression Creating a Regular Expression Class Map Configuring Time Ranges Add/Edit Time Range Adding a Time Range to an Access Rule Add/Edit Recurring Time Range Page Using the ACL Manager Information About the ACL Manager Licensing Requirements for the ACL Manager Adding ACLs and ACEs Page Using Standard ACLs in the ACL Manager Feature History for the ACL Manager Page Adding a StandardACL Information About Standard ACLs Licensing Requirements for Standard ACLs Using Standard ACLs Adding a Standard ACL Adding an ACE to a Standard ACL Editing an ACE in a Standard ACL Feature History for Standard ACLs Adding a WebtypeACL Licensing Requirements for Webtype ACLs Using Webtype ACLs Task Flow for Configuring Webtype ACLs Adding a Webtype ACL and ACE Editing Webtype ACLs and ACEs Deleting Webtype ACLs and ACEs Feature History for Webtype Access Lists Page Page Page Page Page Page Page Routing Overview Information About Routing Switching Path Determination Supported Route Types Static Versus Dynamic Single-Path Versus Multipath Flat Versus Hierarchical Link-State Versus Distance Vector How Routing Behaves Within the ASA Egress Interface Selection Process Next Hop Selection Process Supported Internet Protocols for Routing Information About the Routing Table Displaying the Routing Table How the Routing Table Is Populated Page Backup Routes How Forwarding Decisions Are Made Dynamic Routing and Failover Information About IPv6 Support Features That Support IPv6 IPv6-Enabled Commands Entering IPv6 Addresses in Commands Disabling Proxy ARPs Page Configuring Static and Default Routes Information About Static and Default Routes Licensing Requirements for Static and Default Routes Configuring Static and Default Routes Configuring a Static Route Adding or Editing a Static Route Page Configuring Static Route Tracking Deleting Static Routes Configuring a Default Static Route Limitations on Configuring a Default Static Route Configuring IPv6 Default and Static Routes Monitoring a Static or Default Route Configuration Examples for Static or Default Routes Feature History for Static and Default Routes Page Defining Route Maps Information About Route Maps Permit and Deny Clauses Match and Set Clause Values Licensing Requirements for Route Maps Defining a Route Map Adding or Editing a Route Map Customizing a Route Map Defining a Route to Match a Specific Destination Address Configuring Prefix Lists Configuring Prefix Rules Configuring the Metric Values for a Route Action Configuration Example for Route Maps Feature History for Route Maps Configuring OSPF Information About OSPF Licensing Requirements for OSPF Configuring OSPF Customizing OSPF Redistributing Routes Into OSPF Page Configuring Route Summarization When Redistributing Routes Into OSPF Adding a Route Summary Address Adding or Editing an OSPF Summary Address Configuring Route Summarization Between OSPF Areas Configuring OSPF Interface Parameters Page Page Configuring OSPF Area Parameters Configuring OSPF NSSA Defining Static OSPF Neighbors Configuring Route Calculation Timers Logging Neighbors Going Up or Down Configuring Filtering in OSPF Configuring a Virtual Link in OSPF Page Restarting the OSPF Process Configuration Example for OSPF Monitoring OSPF Feature History for OSPF Page Configuring RIP Information About RIP Routing Update Process RIP Routing Metric RIP Stability Features RIP Timers Licensing Requirements for RIP Configuring RIP Enabling RIP Customizing RIP Configuring the RIP Version Configuring Interfaces for RIP Editing a RIP Interface Configuring the RIP Send and Receive Version on an Interface Configuring Route Summarization Filtering Networks in RIP Adding or Editing a Filter Rule Redistributing Routes into the RIP Routing Process Enabling RIP Authentication Restarting the RIP Process Monitoring RIP Configuration Example for RIP Feature History for RIP Page Configuring Multicast Routing Information About Multicast Routing Stub Multicast Routing PIM Multicast Routing Multicast Group Concept Licensing Requirements for Multicast Routing Enabling Multicast Routing Customizing Multicast Routing Configuring Stub Multicast Routing and Forwarding IGMP Messages Configuring a Static Multicast Route Configuring IGMP Features Disabling IGMP on an Interface Configuring IGMP Group Membership Configuring a Statically Joined IGMP Group Controlling Access to Multicast Groups Limiting the Number of IGMP States on an Interface Modifying the Query Messages to Multicast Groups Changing the IGMP Version Configuring PIM Features Enabling and Disabling PIM on an Interface Configuring a Static Rendezvous Point Address Configuring the Designated Router Priority Configuring and Filtering PIM Register Messages Configuring PIM Message Intervals Configuring a Route Tree Configuring a Multicast Group Filtering PIM Neighbors Configuring a Bidirectional Neighbor Filter Configuring a Multicast Boundary Configuration Example for Multicast Routing Page Related Documents Feature History for Multicast Routing Page Configuring EIGRP Information About EIGRP Licensing Requirements for EIGRP Task List to Configure an EIGRP Process Configuring EIGRP Enabling EIGRP Enabling EIGRP Stub Routing Customizing EIGRP Defining a Network for an EIGRP Routing Process Configuring Interfaces for EIGRP Configuring Passive Interfaces Configuring the Summary Aggregate Addresses on Interfaces Changing the Interface Delay Value Enabling EIGRP Authentication on an Interface Defining an EIGRP Neighbor Redistributing Routes Into EIGRP Page Filtering Networks in EIGRP Customizing the EIGRP Hello Interval and Hold Time Disabling Automatic Route Summarization Configuring Default Information in EIGRP Disabling EIGRP Split Horizon Restarting the EIGRP Process Monitoring EIGRP Feature History for EIGRP Page Page Page Page Page Page Page Page Page Page Page Page Configuring IPv6 Neighbor Discovery Information About IPv6 Neighbor Discovery Neighbor Solicitation Messages Neighbor Reachable Time Router Advertisement Messages Static IPv6 Neighbors Licensing Requirements for IPv6 Neighbor Discovery Guidelines and Limitations Page Default Settings for IPv6 Neighbor Discovery Configuring the Neighbor Solicitation Message Interval Configuring the Neighbor Reachable Time Configuring the Router Advertisement Transmission Interval Configuring the Router Lifetime Value Configuring DAD Settings Configuring IPv6 Addresses on an Interface Suppressing Router Advertisement Messages Configuring the IPv6 Prefix Adding an IPv6 Static Neighbor Editing Static Neighbors Deleting Static Neighbors Viewing and Clearing Dynamically Discovered Neighbors Related Documents for IPv6 Prefixes RFCs for IPv6 Prefixes and Documentation Feature History for IPv6 Neighbor Discovery Page Page Page Information About NAT Why Use NAT? NAT Terminology NAT Types NAT Types Overview Static NAT Information About Static NAT Information About Static NAT with Port Translation Information About Static NAT with Port Address Translation Static NAT with Identity Port Translation Static NAT with Port Translation for Non-Standard Ports Static Interface NAT with Port Translation Information About One-to-Many Static NAT Information About Other Mapping Scenarios (Not Recommended) Dynamic NAT Information About Dynamic NAT Dynamic NAT Disadvantages and Advantages Dynamic PAT Information About Dynamic PAT Dynamic PAT Disadvantages and Advantages Identity NAT NAT in Routed and Transparent Mode NAT in Routed Mode NAT in Transparent Mode NAT for VPN 32-15 How NAT is Implemented Main Differences Between Network Object NAT and Twice NAT Information About Network Object NAT Information About Twice NAT 32-18 Page NAT Rule Order NAT Interfaces Routing NAT Packets Mapped Addresses and Routing Page Transparent Mode Routing Requirements for Remote Networks Determining the Egress Interface DNS and NAT Page 32-26 Page Page Configuring Network Object NAT (ASA 8.3 and Later) Information About Network Object NAT Licensing Requirements for Network Object NAT Prerequisites for Network Object NAT Configuring Network Object NAT Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Page Page Page Configuring Dynamic PAT (Hide) Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Page Page Configuring Identity NAT Page Page Monitoring Network Object NAT Configuration Examples for Network Object NAT Providing Access to an Inside Web Server (Static NAT) Page Page 33-22 Page Page Page Page 33-27 Page Page Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) Page Page DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) 33-34 Page 33-36 Page Feature History for Network Object NAT Page Page Configuring Twice NAT (ASA 8.3 and Later) Information About Twice NAT Licensing Requirements for Twice NAT Prerequisites for Twice NAT Configuring Twice NAT Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Page Page Page Page Page Page Configuring Dynamic PAT (Hide) Page Page Page Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Page Page Page Configuring Identity NAT Page Page Page Page Monitoring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the Destination (Dynamic PAT) 34-29 Page Page Page Page Page Page Page Different Translation Depending on the Destination Address and Port (Dynamic PAT) Page Page Page Page Page Page Page Page Feature History for Twice NAT Page Page Page Page Configuring NAT (ASA 8.2 and Earlier) NAT Overview Introduction to NAT NAT in Routed Mode NAT in Transparent Mode 35-4 NAT Control Page NAT Types Dynamic NAT 35-7 PAT Static NAT Static PAT Bypassing NAT When NAT Control is Enabled Policy NAT 35-11 NAT and Same Security Level Interfaces Order of NAT Rules Used to Match Real Addresses Mapped Address Guidelines DNS and NAT Page Configuring NAT Control Using Dynamic NAT Dynamic NAT Implementation Real Addresses and Global Pools Paired Using a Pool ID NAT Rules on Different Interfaces with the Same Global Pools Global Pools on Different Interfaces with the Same Pool ID Multiple NAT Rules with Different Global Pools on the Same Interface Multiple Addresses in the Same Global Pool Outside NAT Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces Managing Global Pools Configuring Dynamic NAT, PAT, or Identity NAT Page Configuring Dynamic Policy NAT or PAT Page Using Static NAT Configuring Static NAT, PAT, or Identity NAT Page Page Configuring Static Policy NAT, PAT, or Identity NAT Page Using NAT Exemption Page Page Page Page Configuring a Service Policy Information About Service Policies Supported Features for Through Traffic Supported Features for Management Traffic Feature Directionality Feature Matching Within a Service Policy Order in Which Multiple Feature Actions are Applied Incompatibility of Certain Feature Actions Feature Matching for Multiple Service Policies Licensing Requirements for Service Policies Page Default Configuration Default Traffic Classes Task Flows for Configuring Service Policies Task Flow for Configuring a Service Policy Rule Adding a Service Policy Rule for Through Traffic Page Page Page Adding a Service Policy Rule for Management Traffic Configuring a Service Policy Rule for Management Traffic Page Managing the Order of Service Policy Rules Page Feature History for Service Policies Page Page Configuring Access Rules Information About Access Rules General Information About Rules Implicit Permits Information About Interface Access Rules and Global Access Rules Using Access Rules and EtherType Rules on the Same Interface Rule Order Implicit Deny Using Remarks Inbound and Outbound Rules Information About Access Rules Access Rules for Returning Traffic Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules Management Access Rules Information About EtherType Rules Supported EtherTypes and Other Traffic Access Rules for Returning Traffic Allowing MPLS Licensing Requirements for Access Rules Configuring Access Rules Adding an Access Rule Adding an EtherType Rule (Transparent Mode Only) Page Add/Edit EtherType Rule Configuring Management Access Rules Advanced Access Rule Configuration Access Rule Explosion Configuring HTTP Redirect Edit HTTP/HTTPS Settings Feature History for Access Rules Page Configuring AAA Servers and the Local Database Information About AAA Information About Authentication Information About Authorization Information About Accounting Summary of Server Support RADIUS Server Support Authentication Methods Attribute Support RADIUS Authorization Functions TACACS+ Server Support RSA/SDI Server Support RSA/SDI Version Support Two-step Authentication Process RSA/SDI Primary and Replica Servers NT Server Support Kerberos Server Support LDAP Server Support Authentication with LDAP LDAP Server Types HTTP Forms Authentication for Clientless SSL VPN Local Database Support, Including as a Falback Method How Fallback Works with Multiple Servers in a Group Using Certificates and User Login Credentials Using User Login Credentials Using Certificates Licensing Requirements for AAA Servers Configuring AAA Task Flow for Configuring AAA Configuring AAA Server Groups Page Adding a Server to a Group Configuring AAA Server Parameters RADIUS Server Fields TACACS+ Server Fields SDI Server Fields Windows NT Domain Server Fields Kerberos Server Fields LDAP Server Fields Page HTTP Form Server Fields Configuring LDAP Attribute Maps Page Adding a User Account to the Local Database Guidelines Limitations Adding a User Configuring VPN Policy Attributes for a User Page Adding an Authentication Prompt Managing User Passwords Changing User Passwords Authenticating Users with a Public Key for SSH Testing Server Authentication and Authorization Monitoring AAA Servers Page Feature History for AAA Servers Page Configuring the Identity Firewall Information About the Identity Firewall Overview of the Identity Firewall Architecture for Identity Firewall Deployments Features of the Identity Firewall LAN Deployment Scenarios 39-5 Figure39-2 Deployment Scenario without Redundancy No Redundancy Figure39-3 Deployment Scenario with Redundant Components LAN Page Cut-through Proxy and VPN Authentication Licensing for the Identity Firewall Prerequisites Configuring the Identity Firewall Task Flow for Configuring the Identity Firewall Configuring the Active Directory Domain Page Configuring Active Directory Server Groups Configuring Active Directory Agents Configuring Active Directory Agent Groups Configuring Identity Options Page Page Configuring Identity-based Access Rules Adding Users and Groups to Access Rules Configuring Local User Groups Configuring Cut-through Proxy Authentication Page Monitoring the Identity Firewall Monitoring AD Agents Monitoring Groups Monitoring Memory Usage for the Identity Firewall Monitoring Users for the Identity Firewall Feature History for the Identity Firewall Configuring Management Access Configuring ASA Access for ASDM, Telnet, or SSH Licensing Requirements for ASA Access for ASDM, Telnet, or SSH Configuring Management Access Using a Telnet Client Using an SSH Client Configuring CLI Parameters Licensing Requirements for CLI Parameters Configuring a Login Banner Customizing a CLI Prompt Changing the Console Timeout Configuring File Access Licensing Requirements for File Access Configuring the FTP Client Mode Configuring the ASA as a Secure Copy Server Configuring the ASA as a TFTP Client Adding Mount Points Adding a CIFS Mount Point Adding an FTP Mount Point Configuring ICMP Access Information About ICMP Access Licensing Requirements for ICMP Access Configuring ICMP Access Configuring Management Access Over a VPN Tunnel Licensing Requirements for a Management Interface Configuring a Management Interface Configuring AAA for System Administrators Information About AAA for System Administrators Information About Management Authentication Comparing CLI Access with and without Authentication Comparing ASDM Access with and without Authentication Information About Command Authorization Supported Command Authorization Methods About Preserving User Credentials Security Contexts and Command Authorization Licensing Requirements for AAA for System Administrators Prerequisites Page Configuring Authentication for CLI, ASDM, and enable command Access Limiting User CLI and ASDM Access with Management Authorization Configuring Command Authorization Configuring Local Command Authorization Viewing Local Command Privilege Levels Configuring Commands on the TACACS+ Server Page Page Configuring TACACS+ Command Authorization Configuring Management Access Accounting Viewing the Currently Logged-In User Recovering from a Lockout Setting a Management Session Quota Monitoring Device Access Page Feature History for Management Access Page Page Configuring AAA Rules for Network Access AAA Performance Licensing Requirements for AAA Rules Configuring Authentication for Network Access Information About Authentication One-Time Authentication Applications Required to Receive an Authentication Challenge ASA Authentication Prompts Static PAT and HTTP Configuring Network Access Authentication Enabling the Redirection Method of Authentication for HTTP and HTTPS Enabling Secure Authentication of Web Clients Authenticating Directly with the ASA Authenticating HTTP(S) Connections with a Virtual Server Authenticating Telnet Connections with a Virtual Server Configuring the Authentication Proxy Limit Configuring Authorization for Network Access Configuring TACACS+ Authorization Configuring RADIUS Authorization Configuring a RADIUS Server to Send Downloadable Access Control Lists About the Downloadable Access List Feature and Cisco Secure ACS Configuring Cisco Secure ACS for Downloadable Access Lists Configuring Any RADIUS Server for Downloadable Access Lists Converting Wildcard Netmask Expressions in Downloadable Access Lists Configuring a RADIUS Server to Download Per-User Access Control List Names Configuring Accounting for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization Feature History for AAA Rules Configuring Filtering Services Information About Web Traffic Filtering Filtering URLs and FTP Requests with an External Server Information About URL Filtering Licensing Requirements for URL Filtering Guidelines and Limitations for URL Filtering Identifying the Filtering Server Configuring Additional URL Filtering Settings Buffering the Content Server Response Caching Server Addresses Filtering HTTP URLs Enabling Filtering of Long HTTP URLs Configuring Filtering Rules Page Page Page Page Filtering the Rule Table Defining Queries Feature History for URL Filtering Configuring Web Cache Services Using WCCP Information About WCCP Licensing Requirements for WCCP Configuring WCCP Service Groups Adding or Editing WCCP Service Groups Configuring Packet Redirection Adding or Editing Packet Redirection WCCP Monitoring Feature History for WCCP Page Configuring Digital Certificates Information About Digital Certificates Public Key Cryptography Certificate Scalability Key Pairs Trustpoints Certificate Enrollment Proxy for SCEP Requests Revocation Checking Supported CA Servers CRLs OCSP The Local CA Storage for Local CA Files The Local CA Server Licensing Requirements for Digital Certificates Prerequisites for Local Certificates Prerequisites for SCEP Proxy Support Page Configuring Digital Certificates Configuring CA Certificate Authentication Adding or Installing a CA Certificate Editing or Removing a CA Certificate Configuration Showing CA Certificate Details Configuring CA Certificates for Revocation Configuring CRL Retrieval Policy Configuring CRL Retrieval Methods Configuring OCSP Rules Configuring Advanced CRL and OCSP Settings Configuring Identity Certificates Authentication Adding or Importing an Identity Certificate Page Showing Identity Certificate Details Deleting an Identity Certificate Exporting an Identity Certificate Generating a Certificate Signing Request Installing Identity Certificates Configuring Code Signer Certificates Showing Code Signer Certificate Details Deleting a Code Signer Certificate Importing a Code Signer Certificate Exporting a Code Signer Certificate Authenticating Using the Local CA Configuring the Local CA Server Page Page Deleting the Local CA Server Managing the User Database Adding a Local CA User Sending an Initial OTP or Replacing OTPs Editing a Local CA User Deleting a Local CA User Allowing User Enrollment Viewing or Regenerating an OTP Managing User Certificates Monitoring CRLs Feature History for Certificate Management Page Configuring Public Servers Information About Public Servers Licensing Requirements for Public Servers Adding a Public Server that Enables Static NAT Adding a Public Server that Enables Static NAT with PAT Editing Settings for a Public Server Feature History for Public Servers Page Page Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection How Inspection Engines Work When to Use Application Protocol Inspection Page Page Page Configuring Application Layer Protocol Inspection Configuring Inspection of Basic Internet Protocols DNS Inspection How DNS Application Inspection Works How DNS Rewrite Works Configuring DNS Rewrite Page Select DNS Inspect Map DNS Class Map Add/Edit DNS Traffic Class Map Add/Edit DNS Match Criterion DNS Inspect Map Page Add/Edit DNS Policy Map (Security Level) Add/Edit DNS Policy Map (Details) Page FTP Inspection FTP Inspection Overview Using Strict FTP Select FTP Map FTP Class Map Add/Edit FTP Traffic Class Map Add/Edit FTP Match Criterion Page FTP Inspect Map File Type Filtering Add/Edit FTP Policy Map (Security Level) Add/Edit FTP Policy Map (Details) Add/Edit FTP Map Page Verifying and Monitoring FTP Inspection HTTP Inspection HTTP Inspection Overview Select HTTP Map HTTP Class Map Add/Edit HTTP Traffic Class Map Add/Edit HTTP Match Criterion Page Page Page HTTP Inspect Map Page URI Filtering Add/Edit HTTP Policy Map (Security Level) Add/Edit HTTP Policy Map (Details) Page Add/Edit HTTP Map Page Page Page ICMP Inspection ICMP Error Inspection Instant Messaging Inspection IM Inspection Overview Adding a Class Map for IM Inspection Select IM Map IP Options Inspection IP Options Inspection Overview Configuring IP Options Inspection Page Select IP Options Inspect Map IP Options Inspect Map Add/Edit IP Options Inspect Map IPsec Pass Through Inspection IPsec Pass Through Inspection Overview Select IPsec-Pass-Thru Map IPsec Pass Through Inspect Map Add/Edit IPsec Pass Thru Policy Map (Security Level) Add/Edit IPsec Pass Thru Policy Map (Details) IPv6 Inspection Configuring an IPv6 Inspection Policy Map NetBIOS Inspection NetBIOS Inspection Overview Select NETBIOS Map NetBIOS Inspect Map Add/Edit NetBIOS Policy Map PPTP Inspection SMTP and Extended SMTP Inspection SMTP and ESMTP Inspection Overview Select ESMTP Map ESMTP Inspect Map MIME File Type Filtering Add/Edit ESMTP Policy Map (Security Level) Add/Edit ESMTP Policy Map (Details) Add/Edit ESMTP Inspect Page Page Page TFTP Inspection Configuring Inspection for Voice and Video Protocols CTIQBE Inspection CTIQBE Inspection Overview Limitations and Restrictions H.323 Inspection H.323 Inspection Overview How H.323 Works H.239 Support in H.245 Messages Limitations and Restrictions Select H.323 Map H.323 Class Map Add/Edit H.323 Traffic Class Map Add/Edit H.323 Match Criterion H.323 Inspect Map Page Phone Number Filtering Add/Edit H.323 Policy Map (Security Level) Page Add/Edit H.323 Policy Map (Details) Add/Edit HSI Group Add/Edit H.323 Map MGCP Inspection MGCP Inspection Overview Page Select MGCP Map MGCP Inspect Map Gateways and Call Agents Add/Edit MGCP Policy Map Add/Edit MGCP Group RTSP Inspection RTSP Inspection Overview Using RealPlayer Restrictions and Limitations Select RTSP Map RTSP Inspect Map Add/Edit RTSP Policy Map Add/Edit RTSP Inspect SIP Inspection SIP Inspection Overview SIP Instant Messaging Select SIP Map SIP Class Map Add/Edit SIP Traffic Class Map Add/Edit SIP Match Criterion Page SIP Inspect Map Add/Edit SIP Policy Map (Security Level) Page Add/Edit SIP Policy Map (Details) Add/Edit SIP Inspect Page Page Skinny (SCCP) Inspection SCCP Inspection Overview Supporting Cisco IP Phones Restrictions and Limitations Select SCCP (Skinny) Map SCCP (Skinny) Inspect Map Message ID Filtering Add/Edit SCCP (Skinny) Policy Map (Security Level) Add/Edit SCCP (Skinny) Policy Map (Details) Add/Edit Message ID Filter Page Configuring Inspection of Database and Directory Protocols ILS Inspection SQL*Net Inspection Sun RPC Inspection Sun RPC Inspection Overview SUNRPC Server Add/Edit SUNRPC Service Page Page Configuring Inspection for Management Application Protocols DCERPC Inspection DCERPC Overview Select DCERPC Map DCERPC Inspect Map Page Add/Edit DCERPC Policy Map GTP Inspection GTP Inspection Overview Select GTP Map GTP Inspect Map IMSI Prefix Filtering Add/Edit GTP Policy Map (Security Level) Add/Edit GTP Policy Map (Details) Page Add/Edit GTP Map RADIUS Accounting Inspection RADIUS Accounting Inspection Overview Select RADIUS Accounting Map Add RADIUS Accounting Policy Map RADIUS Inspect Map RADIUS Inspect Map Host RADIUS Inspect Map Other RSH Inspection SNMP Inspection SNMP Inspection Overview Select SNMP Map SNMP Inspect Map Add/Edit SNMP Map XDMCP Inspection Page Page Page Page Page Page Page Page Page Page Information About Cisco Unified Communications Proxy Features Information About the Adaptive Security Appliance in Cisco Unified Communications Page TLS Proxy Applications in Cisco Unified Communications Licensing for Cisco Unified Communications Proxy Features Page Page Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Phone Proxy Functionality Page Supported Cisco UCM and IP Phones for the Phone Proxy Licensing Requirements for the Phone Proxy Page Prerequisites for the Phone Proxy Media Termination Instance Prerequisites Certificates from the Cisco UCM DNS Lookup Prerequisites Cisco Unified Communications Manager Prerequisites Access List Rules NAT and PAT Prerequisites Prerequisites for IP Phones on Multiple Interfaces 7960 and 7940 IP Phones Support Cisco IP Communicator Prerequisites Prerequisites for Rate Limiting TFTP Requests Rate Limiting Configuration Example End-User Phone Provisioning Ways to Deploy IP Phones to End Users Phone Proxy Guidelines and Limitations General Guidelines and Limitations Media Termination Address Guidelines and Limitations Configuring the Phone Proxy Task Flow for Configuring the Phone Proxy Creating the CTL File Page Adding or Editing a Record Entry in a CTL File Creating the Media Termination Instance Creating the Phone Proxy Instance Page Adding or Editing the TFTP Server for a Phone Proxy Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy Configuring Your Router Feature History for the Phone Proxy Configuring the T Inspection Information about the TLS Proxy for Encrypted Voice Inspection Decryption and Inspection of Unified Communications Encrypted Signaling Licensing for the TLS Proxy Page Prerequisites for the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider Add/Edit CTL Provider Configure TLS Proxy Pane Adding a TLS Proxy Instance Add TLS Proxy Instance Wizard Server Configuration Add TLS Proxy Instance Wizard Client Configuration Page Add TLS Proxy Instance Wizard Other Steps Edit TLS Proxy Instance Server Configuration Edit TLS Proxy Instance Client Configuration TLS Proxy Add/Edit TLS Proxy Feature History for the TLS Proxy for Encrypted Voice Inspection Page Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Cisco Mobility Advantage Proxy Functionality Mobility Advantage Proxy Deployment Scenarios Page Mobility Advantage Proxy Using NAT/PAT Trust Relationships for Cisco UMA Deployments Page Licensing for the Cisco Mobility Advantage Proxy Feature Configuring Cisco Mobility Advantage Task Flow for Configuring Cisco Mobility Advantage Feature History for Cisco Mobility Advantage Page Configuring Cisco Unified Presence Information About Cisco Unified Presence Architecture for Cisco Unified Presence for SIP Federation Deployments 55-2 Page Trust Relationship in the Presence Federation Security Certificate Exchange Between Cisco UP and the Security Appliance XMPP Federation Deployments Configuration Requirements for XMPP Federation Licensing for Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation Feature History for Cisco Unified Presence Page Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Features of Cisco Intercompany Media Engine Proxy How the UC-IME Works with the PSTN and the Internet Tickets and Passwords M Call Fallback to the PSTN Architecture and Deployment Scenarios for Cisco Intercompany Media Engine Architecture Basic Deployment Off Path Deployment M V V Internet M Licensing for Cisco Intercompany Media Engine V Page Page Configuring Cisco Intercompany Media Engine Proxy Task Flow for Configuring Cisco Intercompany Media Engine M M Configuring NAT for Cisco Intercompany Media Engine Proxy M M Configuring PAT for the Cisco UCM Server M Page Creating Access Lists for Cisco Intercompany Media Engine Proxy Creating the Media Termination Instance Creating the Cisco Intercompany Media Engine Proxy Page Page Creating Trustpoints and Generating Certificates Page Page Creating the TLS Proxy Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Page (Optional) Configuring TLS within the Local Enterprise Page Page (Optional) Configuring Off Path Signaling M Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane Page Configuring the Cisco UC-IMC Proxy by using the Unified Communications Page Page Page Feature History for Cisco Intercompany Media Engine Proxy Page Page Page Configuring Connection Settings Information About Connection Settings TCP Intercept and Limiting Embryonic Connections Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility Dead Connection Detection (DCD) TCP Sequence Randomization TCP Normalization TCP State Bypass Licensing Requirements for Connection Settings TCP State Bypass Guidelines and Limitations Configuring Connection Settings Task Flow For Configuring Configuration Settings (Except Global Timeouts) Customizing the TCP Normalizer with a TCP Map Page Configuring Connection Settings Configuring Global Timeouts Page Feature History for Connection Settings Page Configuring QoS Information About QoS Supported QoS Features What is a Token Bucket? Information About Policing Information About Priority Queuing Information About Traffic Shaping How QoS Features Interact DSCP and DiffServ Preservation Licensing Requirements for QoS Configuring QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue Configuring the Standard Priority Queue for an Interface Configuring a Service Rule for Standard Priority Queuing and Policing Page Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing Monitoring QoS Viewing QoS Police Statistics Viewing QoS Standard Priority Statistics Viewing QoS Shaping Statistics Viewing QoS Standard Priority Queue Statistics Feature History for QoS Page Page Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter Botnet Traffic Filter Address Types Botnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Databases Information About the Dynamic Database How the ASA Uses the Dynamic Database Database Files Database Traffic Types Information About the Static Database Information About the DNS Reverse Lookup Cache and DNS Host Cache 59-5 How the Botnet Traffic Filter Works ASA 5550 40,000 ASA 5580 100,000 ASA Model Maximum Entries Licensing Requirements for the Botnet Traffic Filter Configuring the Botnet Traffic Filter Task Flow for Configuring the Botnet Traffic Filter Configuring the Dynamic Database Adding Entries to the Static Database Enabling DNS Snooping Default DNS Inspection Configuration and Recommended Configuration Enabling Traffic Classification and Actions for the Botnet Traffic Filter Recommended Configuration Page Blocking Botnet Traffic Manually Searching the Dynamic Database Monitoring the Botnet Traffic Filter Botnet Traffic Filter Syslog Messaging Botnet Traffic Filter Monitor Panes Feature History for the Botnet Traffic Filter Configuring Threat Detection Information About Threat Detection Licensing Requirements for Threat Detection Configuring Basic Threat Detection Statistics Information About Basic Threat Detection Statistics Page Configuring Basic Threat Detection Statistics Monitoring Basic Threat Detection Statistics Feature History for Basic Threat Detection Statistics Configuring Advanced Threat Detection Statistics Information About Advanced Threat Detection Statistics Configuring Advanced Threat Detection Statistics Monitoring Advanced Threat Detection Statistics Feature History for Advanced Threat Detection Statistics Configuring Scanning Threat Detection Information About Scanning Threat Detection Configuring Scanning Threat Detection Feature History for Scanning Threat Detection Page Using Protection Tools Preventing IP Spoofing Configuring the Fragment Size Show Fragment Configuring TCP Options TCP Reset Settings Configuring IP Audit for Basic IPS Support IP Audit Policy Add/Edit IP Audit Policy Configuration IP Audit Signatures IP Audit Signature List Page Page Page Page Page Page Page Page Configuring the ASA IPS Module Information About the ASA IPS module How the ASA IPS module Works with the ASA Operating Modes Using Virtual Sensors (ASA 5510 and Higher) Information About Management Access Licensing Requirements for the ASA IPS module Configuring the ASA IPS module Task Flow for the ASA IPS Module Connecting Management Interface Cables Ports 1 7 VLAN 1 Default ASA IP: 192.168.1.1/IPS IP: 192.168.1.2 Default IPS Gateway: 192.168.1.1 (ASA) ASA 5505 Management PC (IP Address from DHCP) Page Sessioning to the Module from the ASA (May Be Required) Configuring Basic IPS Module Network Settings (ASA 5510 and Higher) Configuring Basic Network Settings Detailed StepsSingle Mode Detailed StepsMultiple Mode Using the CLI (ASA 5505) Configuring Basic Network Settings (ASA 5512-X through ASA 5555-X) Installing the Software Module Configuring the Security Policy on the ASA IPS module Page Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) Diverting Traffic to the ASA IPS module Monitoring the ASA IPS module Troubleshooting the ASA IPS module Installing an Image on the Module Page Uninstalling a Software Module Image Page Feature History for the ASA IPS module Configuring the ASA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA Information About ASA CX Management Initial Configuration Policy Configuration and Management Information About Authentication Proxy Information About VPN and the ASA CX Module Compatibility with ASA Features Licensing Requirements for the ASA CX Module Configuring the ASA CX Module Task Flow for the ASA CX Module Connecting Management Interface Cables 63-7 Cisco ASA 5500 Series Configuration Guide using ASDM Chapter63 Configuring the ASA CX Module Configuring the ASA CX Module Configuring the ASA CX Management IP Address ASA 5585-X SSP ASA Management 0/0 Switch Configuring Basic ASA CX Settings at the ASA CX CLI Page Configuring the Security Policy on the ASA CX Module Using PRSM (Optional) Configuring the Authentication Proxy Port Redirecting Traffic to the ASA CX Module Page Monitoring the ASA CX Module Showing Module Status Showing Module Statistics Monitoring Module Connections 63-15 The following is sample output from the show asp table classify domain cxsc command: 63-16 The following is sample output from the show asp event dp-cp cxsc-msg command: The following is sample output from the show conn detail command: Capturing Module Traffic Troubleshooting the ASA CX Module General Recovery Procedures Page Problems with the Authentication Proxy Page Feature History for the ASA CX Module Page Configuring the ASA CSC Module Information About the CSC SSM Page Determining What Traffic to Scan Page Licensing Requirements for the CSC SSM Prerequisites for the CSC SSM Page Configuring the CSC SSM Before Configuring the CSC SSM Connecting to the CSC SSM Determining Service Policy Rule Actions for CSC Scanning Monitoring the CSC SSM Threats Live Security Events Live Security Events Log Software Updates Resource Graphs CSC CPU CSC Memory Troubleshooting the CSC Module Installing an Image on the Module Page Page Feature History for the CSC SSM Page Page Page Information About High Availability Introduction to Failover and High Availability Failover System Requirements Hardware Requirements Software Requirements License Requirements Failover and Stateful Failover Links Failover Link Stateful Failover Link Failover Interface Speed for Stateful Links Avoiding Interrupted Failover Links Page 65-7 Scenario 3Recommended Scenario 4Recommended Active/Active and Active/Standby Failover Determining Which Type of Failover to Use Stateless (Regular) and Stateful Failover Stateless (Regular) Failover Stateful Failover Transparent Firewall Mode Requirements Auto Update Server Support in Failover Configurations Auto Update Process Overview Monitoring the Auto Update Process Failover Health Monitoring Unit Health Monitoring Interface Monitoring Failover Times Failover Messages Failover System Messages Debug Messages SNMP Page Configuring Active/Standby Failover Information About Active/Standby Failover Active/Standby Failover Overview Primary/Secondary Status and Active/Standby Status Device Initialization and Configuration Synchronization Command Replication Failover Triggers Failover Actions Optional Active/Standby Failover Settings Licensing Requirements for Active/Standby Failover Prerequisites for Active/Standby Failover Page Configuring Active/Standby Failover Configuring Failover Page Configuring Interface Standby Addresses Configuring Interface Standby Addresses in Routed Firewall Mode Configuring the Management Interface Standby Address in Transparent Firewall Mode Configuring Optional Active/Standby Failover Settings Disabling and Enabling Interface Monitoring Configuring Failover Criteria Configuring the Unit and Interface Health Poll Times Configuring Virtual MAC Addresses Controlling Failover Forcing Failover Disabling Failover Restoring a Failed Unit Monitoring Active/Standby Failover Feature History for Active/Standby Failover Configuring Active/Active Failover Information About Active/Active Failover Active/Active Failover Overview Primary/Secondary Status and Active/Standby Status Device Initialization and Configuration Synchronization Command Replication Failover Triggers Failover Actions Page Optional Active/Active Failover Settings Licensing Requirements for Active/Active Failover Prerequisites for Active/Active Failover Page Configuring Active/Active Failover Failover-Multiple Mode, Security Context Failover - Routed Edit Failover Interface Configuration Failover - Transparent Failover-Multiple Mode, System Failover > Setup Tab Failover > Criteria Tab Failover > Active/Active Tab Add/Edit Failover Group Add/Edit Interface MAC Address Failover > MAC Addresses Tab Add/Edit Interface MAC Address Configuring Asymmetric Routing Groups in Multiple Context Mode Controlling Failover Forcing Failover Disabling Failover Restoring a Failed Unit or Failover Group Monitoring Active/Active Failover System Failover Group 1 and Failover Group 2 Feature History for Active/Active Failover Page Page Page Configuring IKE, Load Balancing, and NAC Setting IKE Parameters Page Page Page Creating IKE Policies Add/Edit IKEv1 Policy Page Add/Edit IKEv2 Policy (Proposal) Assignment Policy Address Pools Add/Edit IP Pool Configuring IPsec Adding Crypto Maps Page Creating an IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab Creating IPsec Rule/Traffic Selection Tab Page Pre-Fragmentation Edit IPsec Pre-Fragmentation Policy IPsec Transform Sets Add/Edit IPsec Proposal (Transform Set) Add/Edit IPsec Proposal Configuring Load Balancing Eligible Clients Enabling Load Balancing Creating Virtual Clusters Geographical Load Balancing Mixed Cluster Scenarios Comparing Load Balancing to Failover Load Balancing Prerequisites Page Setting Global NAC Parameters Configuring Network Admission Control Policies About NAC Uses, Requirements, and Limitations Page Add/Edit Posture Validation Exception Page General VPN Setup Client Software Page Edit Client Update Entry Default Tunnel Gateway Group Policies Add/Edit External Group Policy Adding or Editing a Remote Access Internal Group Policy, General Attributes Page Page AnyConnect Client Group Policy Attbributes Key Regeneration Dead Peer Detection Customization Configuring the Portal for a Group Policy Page Configuring Customization for a Group Policy Adding or Editing a Site-to-Site Internal Group Policy Add AAA Server Group Browse Time Range Add/Edit Time Range Add/Edit Recurring Time Range ACL Manager Standard ACL Extended ACL Add/Edit/Paste ACE Page Browse Source/Destination Address Browse Source/Destination Port Add TCP Service Group Browse ICMP Add ICMP Group Browse Other Add Protocol Group Add/Edit Internal Group Policy > Servers Login Setting Client Firewall with Local Printer and Tethered Device Support Usage Notes about Firewall Behavior Deploying a Client Firewall for Local Printer Support Tethered Devices Support ACLs Add/Edit Internal Group Policy > IPsec Client Client Access Rules Add/Edit Client Access Rule Add/Edit Internal Group Policy > Client Configuration Dialog Box Add/Edit Internal Group Policy > Client Configuration > General Client Parameters View/Config Banner Add/Edit Internal Group Policy > Client Configuration > Cisco Client Parameters Add or Edit Internal Group Policy > Advanced > IE Browser Proxy Add/Edit Standard Access List Rule Add/Edit Internal Group Policy > Client Firewall Page Add/Edit Internal Group Policy > Hardware Client Page Page Add/Edit Server and URL List Add/Edit Server or URL Configuring AnyConnect VPN Client Connections Page Page Using AnyConnect Client Profiles Specifying an AnyConnect Client Profile Importing an AnyConnect Client Profile Exporting an AnyConnect Client Profile Exempting AnyConnect Traffic from Network Address Translation Page Page Page Page Configuring AnyConnect VPN Connections Configuring Port Settings Setting the Basic Attributes for an AnyConnect VPN Connection Setting Advanced Attributes for a Connection Profile Setting General Attributes for an AnyConnect SSL VPN Connection Page Setting Client Addressing Attributes for an AnyConnect SSL VPN Connection Configuring Authentication Attributes for a Connection Profile Page Configuring Secondary Authentication Attributes for an SSL VPN Connection Profile Page Configuring Authorization Attributes for an SSL VPN Connection Profile Adding or Editing Content to a Script for Certificate Pre-Fill-Username Page Page Configuring AnyConnect Secure Mobility Add or Edit MUS Access Control Configuring Clientless SSL VPN Connections Page Add or Edit Clientless SSL VPN Connections Add or Edit Clientless SSL VPN Connections > Basic Add or Edit Clientless SSL VPN Connections > Advanced Add or Edit Clientless SSL VPN Connections > Advanced > General Assign Authentication Server Group to Interface Add or Edit SSL VPN Connections > Advanced > Authorization Assign Authorization Server Group to Interface Add or Edit SSL VPN Connections > Advanced > SSL VPN Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN Add or Edit Clientless SSL VPN Connections > Advanced > NetBIOS Servers Configure DNS Server Groups Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN IPsec Remote Access Connection Profiles Add or Edit an IPsec Remote Access Connection Profile Add or Edit IPsec Remote Access Connection Profile Basic Mapping Certificates to IPsec or SSL VPN Connection Profiles Setting a Certificate Matching Policy Add/Edit Certificate Matching Rule Add/Edit Certificate Matching Rule Criterion Page Page Site-to-Site Connection Profiles Add/Edit Site-to-Site Connection Page Page Adding or Editing a Site-to-Site Tunnel Group Crypto Map Entry Crypto Map Entry for Static Peer Address Managing CA Certificates Install Certificate Configure Options for CA Certificate Revocation Check Dialog Box Add/Edit Remote Access Connections > Advanced > General Configuring Client Addressing Add IPsec Remote Access Connection and Add SSL VPN Access Connection Assign Address Pools to Interface Select Address Pools Add or Edit IP Pool Add/Edit Connection Profile > General > Authentication Add/Edit SSL VPN Connection > General > Authorization Page Add/Edit SSL VPN Connections > Advanced > Accounting Add/Edit Tunnel Group > General > Client Address Assignment Add/Edit Tunnel Group > General > Advanced Add/Edit Tunnel Group > IPsec for Remote Access > IPsec Page Add/Edit Tunnel Group for Site-to-Site VPN Add/Edit Tunnel Group > PPP Add/Edit Tunnel Group > IPsec for LAN to LAN Access > General > Basic Page Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec Page Clientless SSL VPN Access > Connection Profiles > Add/Edit > General > Basic Configuring Internal Group Policy IPsec Client Attributes Page Configuring Client Addressing for SSL VPN Connections Assign Address Pools to Interface Select Address Pools Add or Edit an IP Address Pool Authenticating SSL VPN Connections System Options Configuring SSL VPN Connections, Advanced Configuring Split Tunneling Differences in Client Split Tunneling Behavior for Traffic within the Subnet Zone Labs Integrity Server Easy VPN Remote Page Advanced Easy VPN Properties Page AnyConnect Essentials DTLS Settings SSL VPN Client Settings Add/Replace SSL VPN Client Image Upload Image Add/Edit SSL VPN Client Profiles Upload Package Bypass Interface Access List Configuring AnyConnect Host Scan Host Scan Dependencies and System Requirements Dependencies System Requirements Licensing Host Scan Packaging Installing and Enabling Host Scan on the ASA Installing or Upgrading Host Scan Enabling or Disabling Host Scan Enabling or Disabling CSD on the ASA Viewing the Host Scan Version Enabled on the ASA Uninstalling Host Scan Uninstalling CSD from the ASA Assigning AnyConnect Posture Module to a Group Policy Other Important Documentation Addressing Host Scan Configuring Dynamic Access Policies Information About Dynamic Access Policies DAP and Endpoint Security DAP Support for Remote Access Connection Types Remote Access Connection Sequence with DAPs Licensing Requirements for Dynamic Access Policies Advanced Endpoint Assessment license SSL VPN license (client) Page Page 70-7 AnyConnect Mobile License Dynamic Access Policies Interface Page Configuring Dynamic Access Policies Page Page Testing Dynamic Access Policies DAP and Authentication, Authorization, and Accounting Services Configuring AAA Attributes in a DAP Page Retrieving Active Directory Groups AAA Attribute Definitions Configuring Endpoint Attributes Used in DAPs Adding an Anti-Spyware or Anti-Virus Endpoint Attribute to a DAP Adding an Application Attribute to a DAP Adding Mobile Posture Attributes to a DAP Licensing Adding a File Endpoint Attribute to a DAP Adding a Device Endpoint Attribute to a DAP Adding a NAC Endpoint Attribute to a DAP Adding an Operating System Endpoint Attribute to a DAP Adding a Personal Firewall Endpoint Attribute to a DAP Adding a Policy Endpoint Attribute to a DAP Adding a Process Endpoint Attribute to a DAP Adding a Registry Endpoint Attribute to a DAP DAP and AntiVirus, AntiSpyware, and Personal Firewall Programs Endpoint Attribute Definitions Page Page Configuring DAP Access and Authorization Policy Attributes Page Page Page Performing a DAP Trace Guide to Creating DAP Logical Expressions using LUA Syntax for Creating Lua EVAL Expressions Constructing DAP EVAL Expressions The DAP CheckAndMsg Function Checking for a Single Antivirus Program Checking for Antivirus Definitions Within the Last 10 Days Checking for a Hotfix on the User PC Checking for Antivirus Programs Checking for Antivirus Programs and Definitions Older than 1 1/2 Days Additional Lua Functions OU-Based Match Example Group Membership Example 70-42 Antivirus Example The following example uses a custom function to check if CSD detects any antivirus software. Antispyware Example The following example uses a custom function to check if CSD detects any antispyware. Firewall Example CheckAndMsg with Custom Function Example Further Information on Lua Operator for Endpoint Category DAP Examples Using DAP to Define Network Resources Using DAP to Apply a WebVPN ACL Enforcing CSD Checks and Applying Policies via DAP Page Page Clientless SSL VPN End User Set-up Requiring Usernames and Passwords Communicating Security Tips Configuring Remote Systems to Use Clientless SSL VPN Features Page Page Page Page Capturing Clientless SSL VPN Data Creating a Capture File Using a Browser to Display Capture Data Page Page Configuring Clientless SSL VPN Information About Clientless SSL VPN Licensing Requirements Page Page Prerequisites for Clientless SSL VPN Observing Clientless SSL VPN Security Precautions Page Configuring Clientless SSL VPN Access Configuring ACLs Adding or Editing ACEs Configuration Examples for ACLs for Clientless SSL VPN Configuring the Setup for Cisco Secure Desktop Uploading Images Configuring Application Helper Uploading APCF Packages Managing Passwords Adding the Cisco Authentication Scheme to SiteMinder Configuring the SAML POST SSO Server Configuring SSO with the HTTP Form Protocol Gathering HTTP Form Data 1 4 5 3 5 2 Page Page Using Auto Signon Page Configuring Session Settings Java Code Signer Encoding Content Cache Content Rewrite Configuration Example for Content Rewrite Rules Configuring Browser Access to Plug-ins Page Adding a New Environment Variable Preparing the Security Appliance for a Plug-in Installing Plug-ins Redistributed By Cisco Page Providing Access to Third-Party Plug-ins Configuring and Applying the POST URL Providing Access to a Citrix Java Presentation Server Preparing the Citrix MetraFrame Server for Clientless SSL VPN Access Creating and Installing the Citrix Plug-in Why a Microsoft Kerberos Constrained Delegation Solution Requirements Understanding How KCD Works Authentication Flow with KCD Page Adding Windows Service Account in Active Directory Configuring DNS for KCD Configuring the ASA to Join the Active Directory Domain Configuring Kerberos Server Groups Page Configuring Bookmarks to Access the Kerberos Authenticated Services Configuring Application Access Configuring Smart Tunnel Access About Smart Tunnels Why Smart Tunnels? Page Configuring a Smart Tunnel (Lotus example) Simplifying Configuration of Which Applications to Tunnel Page Page Assigning a Smart Tunnel List Configuring and Applying Smart Tunnel Policy Specifying Servers for Smart Tunnel Auto Sign-on Adding or Editing a Smart Tunnel Auto Sign-on Server Entry Enabling and Disabling Smart Tunnel Access Logging Off Smart Tunnel When Its Parent Process Terminates With A Notification Icon Configuring Port Forwarding Information About Port Forwarding Page Configuring DNS for Port Forwarding Page Page Adding Applications to Be Eligible for Port Forwarding Adding/Editing Port Forwarding Entry Assigning a Port Forwarding List Enabling and Disabling Port Forwarding Configuring the Use of External Proxy Servers SSO Servers Configuring SiteMinder and SAML Browser Post Profile Adding the Cisco Authentication Scheme to SiteMinder Adding or Editing SSO Servers Application Access User Notes Using Application Access on Vista Closing Application Access to Prevent hosts File Errors Recovering from hosts File Errors When Using Application Access Understanding the hosts File Stopping Application Access Improperly Reconfiguring a Hosts File Automatically Using Clientless SSL VPN Reconfiguring hosts File Manually Configuring File Access CIFS File Access Requirement and Limitation Adding Support for File Access Ensuring Clock Accuracy for SharePoint Access Customizing the Clientless SSL VPN User Experience Customizing the Logon Page with the Customization Editor Page Replacing the Logon Page with your own Fully Customized Page Creating the Custom Login Screen File Importing the File and Images Configuring the Security Appliance to use the Custom Login Screen Using Clientless SSL VPN with PDAs Using E-Mail over Clientless SSL VPN Configuring E-mail Proxies Configuring Web E-mail: MS Outlook Web App Configuring Portal Access Rules Using Proxy Bypass Configuring Application Profile Customization Framework Uploading APCF Packages APCF Syntax Page 72-79 Configuration Examples for APCF Table72-7 APCF XML Tags (continued) Tag Use Clientless SSL VPN End User Setup Defining the End User Interface Viewing the Clientless SSL VPN Home Page Viewing the Clientless SSL VPN Application Access Panel Viewing the Floating Toolbar Customizing Clientless SSL VPN Pages Information About Customization Exporting a Customization Template Editing the Customization Template 72-84 72-85 72-86 72-87 72-88 Login Screen Advanced Customization 72-90 Figure72-25 Example of Full Customization of Login Screens The following HTML code is used as an example and is the code that displays: Modifying Your HTML File Customizing the Portal Page Configuring Custom Portal Timeout Alerts Specifying a Custom Timeout Alert in a Customization Object File Configuration Example for Timeout-alert Element and Child Elements Customizing the Logout Page Adding Customization Object Importing/Exporting Customization Object Creating XML-Based Portal Customization Objects and URL Lists Understanding the XML Customization File Structure Page Page Configuration Example for Customization 72-101 72-102 Using the Customization Template The Customization Template 72-104 72-105 72-106 72-107 72-108 72-109 72-110 72-111 72-112 72-113 72-114 Help Customization Customizing a Help File Provided by Cisco Page Import/Export Application Help Content Customizing a Help File Provided by Cisco Configuring Browser Access to Client-Server Plug-ins About Installing Browser Plug-ins Requirements RDP Plug-in ActiveX Debug Quick Reference Preparing the Security Appliance for a Plug-in Customizing Help Customizing a Help File Provided By Cisco Requiring Usernames and Passwords Communicating Security Tips Configuring Remote Systems to Use Clientless SSL VPN Features Starting Clientless SSL VPN Using the Clientless SSL VPN Floating Toolbar Browsing the Web Browsing the Network (File Management) Using Port Forwarding Using E-mail Via Port Forwarding Using E-mail Via Web Access Using E-mail Via E-mail Proxy Using Smart Tunnel Adding/Editing Localization Entry Customizing the AnyConnect Client Customizing AnyConnect by Importing Resource Files Customizing Your Own AnyConnect GUI Text and Scripts Importing your own GUI as a Binary Executable Importing Scripts Writing, Testing, and Deploying Scripts Customizing AnyConnect GUI Text and Messages Customizing the Installer Program Using Installer Transforms Configuration Example for Transform Localizing the Install Program using Installer Transforms Importing/Exporting Language Localization Configuring Bookmarks Adding a Bookmark Entry Importing/Exporting Bookmark List Importing/Exporting GUI Customization Objects (Web Contents) Adding/Editing Post Parameter Using Variables 1 - 4 Using Variables 5 and 6 Using Variables 7 - 10 Example 1: Setting a Homepage Configuration Example for Setting a Bookmark or URL Entry Configuration Example for Configuring File Share (CIFS) URL Substitutions Configuration Example for Customizing External Ports Page E-Mail Proxy Configuring E-Mail Proxy AAA POP3S Tab Page IMAP4S Tab SMTPS Tab Page Access Edit E-Mail Proxy Access Authentication Page Default Servers Delimiters Page Monitoring VPN VPN Connection Graphs IPsec Tunnels Sessions VPN Statistics Sessions Page Page Sessions Details Page Cluster Loads Crypto Statistics Compression Statistics Encryption Statistics Global IKE/IPsec Statistics NAC Session Summary Protocol Statistics VLAN Mapping Sessions SSO Statistics for Clientless SSL VPN Session VPN Connection Status for the Easy VPN Client Page Page Page Page Configuring SSL Settings SSL Edit SSL Certificate SSL Certificates Page Page Page Page Configuring Logging Information About Logging Logging in Multiple Context Mode Analyzing Syslog Messages Syslog Message Format Severity Levels Message Classes and Range of Syslog IDs Filtering Syslog Messages Sorting in the Log Viewers Using Custom Message Lists Licensing Requirements for Logging Prerequisites for Logging Configuring Logging Enabling Logging Configuring an Output Destination Sending Syslog Messages to an External Syslog Server Configuring FTP Settings Configuring Logging Flash Usage Configuring Syslog Messaging Editing Syslog ID Settings Including a Device ID in Non-EMBLEM Formatted Syslog Messages Sending Syslog Messages to the Internal Log Buffer Sending Syslog Messages to an E-mail Address Adding or Editing E-Mail Recipients Configuring the Remote SMTP Server Viewing Syslog Messages in ASDM Applying Message Filters to a Logging Destination Applying Logging Filters Adding or Editing a Message Class and Severity Filter Adding or Editing a Syslog Message ID Filter Sending Syslog Messages to the Console Port Sending Syslog Messages to a Telnet or SSH Session Creating a Custom Event List Generating Syslog Messages in EMBLEM Format to a Syslog Server Adding or Editing Syslog Server Settings Generating Syslog Messages in EMBLEM Format to Other Output Destinations Changing the Amount of Internal Flash Memory Available for Logs Configuring the Logging Queue Sending All Syslog Messages in a Class to a Specified Output Destination Enabling Secure Logging Including the Device ID in Non-EMBLEM Format Syslog Messages Including the Date and Time in Syslog Messages Disabling a Syslog Message Changing the Severity Level of a Syslog Message Limiting the Rate of Syslog Message Generation Assigning or Changing Rate Limits for Individual Syslog Messages Adding or Editing the Rate Limit for a Syslog Message Editing the Rate Limit for a Syslog Severity Level Monitoring the Logs Filtering Syslog Messages Through the Log Viewers Page Editing Filtering Settings Executing Certain Commands Using the Log Viewers Feature History for Logging Page Configuring Information About NSEL Using NSEL and Syslog Messages Licensing Requirements for NSEL Prerequisites for NSEL Configuring NSEL Using NetFlow Matching NetFlow Events to Configured Collectors Monitoring NSEL Page Related Documents Feature History for NSEL Page Page Configuring SNMP Information About SNMP Information About SNMP Terminology SNMP Version 3 SNMP Version 3 Overview Security Models SNMP Groups SNMP Users SNMP Hosts Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software Licensing Requirements for SNMP Prerequisites for SNMP Configuring SNMP Enabling SNMP Configuring an SNMP Management Station Configuring SNMP Traps Using SNMP Version 1 or 2c Using SNMP Version 3 SNMP Syslog Messaging SNMP Monitoring RFCs for SNMP Version 3 MIBs 78-12 Application Services and Third-Party Tools Feature History for SNMP Page Configuring Anonymous Reporting and Smart Call Home Information About Anonymous Reporting and Smart Call Home Information About Anonymous Reporting What is Sent to Cisco? DNS Requirement Anonymous Reporting and Smart Call Home Prompt Information About Smart Call Home Licensing Requirements for Anonymous Reporting and Smart Call Home Prerequisites for Smart Call Home and Anonymous Reporting Configuring Anonymous Reporting and Smart Call Home Configuring Anonymous Reporting Configuring Smart Call Home Page Page Page Monitoring Smart Call Home Feature History for Anonymous Reporting and Smart Call Home Page Page Page Managing Software and Configurations Saving the Running Configuration to a TFTP Server Managing Files Accessing the File Management Tool Managing Mount Points Adding or Editing a CIFS/FTP Mount Point Accessing a CIFS Mount Point Transferring Files Transferring Files Between Local PC and Flash Transferring Files Between Remote Server and Flash Configuring Auto Update Setting the Polling Schedule Adding or Editing an Auto Update Server Configuring the Boot Image/Configuration Settings Adding a Boot Image Upgrading Software from Your Local Computer Upgrading Software from the Cisco.com Wizard Scheduling a System Restart Backing Up and Restoring Configurations, Images, and Profiles (Single Mode) Backing Up Configurations Page Page Backing Up the Local CA Server Restoring Configurations Page Page Downgrading Your Software Information About Activation Key Compatibility Performing the Downgrade Page Troubleshooting Testing Your Configuration Pinging ASA Interfaces 81-2 If the ping reaches the ASA, and it responds, debugging messages similar to the following appear: Passing Traffic Through the ASA Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping ? Pinging From an ASA Interface Pinging to an ASA Interface Pinging Through the ASA Interface Troubleshooting the Ping Tool Using the Ping Tool Determining Packet Routing with Traceroute Tracing Packets with Packet Tracer Handling TCP Packet Loss Other Troubleshooting Tools Configuring and Running Captures with the Packet Capture Wizard Page Ingress Traffic Selector Egress Traffic Selector Buffers Summary Run Captures Sending an Administrators Alert to Clientless SSL VPN Users Saving an Internal Log Buffer to Flash Viewing and Copying Logged Entries with the ASDM Java Console Monitoring Performance Monitoring System Resources Blocks CPU Memory Monitoring Connections Monitoring Per-Process CPU Usage Common Problems Additional Troubleshooting Page Page APPENDIX A Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks Classes Private Networks Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask Class C-Size Network Address Class B-Size Network Address IPv6 Addresses IPv6 Address Format IPv6 Address Types Unicast Addresses Global Address Site-Local Address Link-Local Address IPv4-Compatible IPv6 Addresses Unspecified Address Multicast Address Anycast Address Required Addresses IPv6 Address Prefixes Protocols and Applications TCP and UDP Ports Page Page Local Ports and Protocols ICMP Types Page APPENDIX B Configuring an External Server for Authorization and Authentication Understanding Policy Enforcement of Permissions and Attributes Configuring an External LDAP Server Organizing the ASA for LDAP Operations Searching the LDAP Hierarchy Binding the ASA to the LDAP Server Defining the ASA LDAP Configuration Supported Cisco Attributes for LDAP Authorization Page Page Page Page Page Page Page Cisco AV Pair Attribute Syntax Cisco AV Pairs ACL Examples URL Types Supported in ACLs Guidelines for Using Cisco-AV Pairs (ACLs) Active Directory/LDAP VPN Remote Access Authorization Examples User-Based Attributes Policy Enforcement Page Placing LDAP Users in a Specific Group Policy Page Enforcing Static IP Address Assignment for AnyConnect Tunnels Page Enforcing Dial-in Allow or Deny Access Page Page Enforcing Logon Hours and Time-of-Day Rules Page Configuring an External RADIUS Server Reviewing the RADIUS Configuration Procedure ASA RADIUS Authorization Attributes Page Page Page Page Page Page Page Page ASA IETF RADIUS Authorization Attributes RADIUS Accounting Disconnect Reason Codes Configuring an External TACACS+ Server Page Page GLOSSARY Numerics A B C D Page E F G H I Page J K L M N O P Page Page Q R S Page T Page U V W X Page Page INDEX Symbols Numerics A Page Page B C Page Page D E F G H I Page J K L M Page N O P proxy ARP Q R Page S Page Page T U V W X Z