Cisco ASA 5500 Series Configuration Guide using ASDM
CONTENTS
About This Guide
Document Objectives
Audience
Related Documentation
Conventions
Obtaining Documentation and Submitting a Service Request
Introduction to the Cisco ASA 5500 Series
ASDM Client Operating System and Browser Requirements
Hardware and Software Compatibility
VPN Specifications
New Features
New Features in Version 8.6(1)/6.6(1)
New Features in Version 8.4(4.1)/6.4(9)
New Features in Version 8.4(3)/6.4(7)
New Features in Version 8.4(2)/6.4(5)
New Features in Version 8.2(5)/6.4(3)
New Features in Version 8.4(1)/6.4(1)
Firewall Functional Overview
Security Policy Overview
Permitting or Denying Traffic with Access Rules
Applying NAT
Protecting from IP Fragments
Using AAA for Through Traffic
Applying HTTP, HTTPS, or FTP Filtering
Applying Application Inspection
Sending Traffic to the IPS Module
Firewall Mode Overview
Stateful Inspection Overview
VPN Functional Overview
Security Context Overview
Getting Started
Accessing the Appliance Command-Line Interface
Configuring ASDM Access for Appliances
Accessing ASDM Using the Factory Default Configuration
Accessing ASDM Using a Non-Default Configuration (ASA 5505)
Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
Starting ASDM
Connecting to ASDM for the First Time
Starting ASDM from the ASDM-IDM Launcher
Starting ASDM from the Java Web Start Application
Using ASDM in Demo Mode
Factory Default Configurations
Restoring the Factory Default Configuration
Limitations
ASA 5505 Default Configuration
ASA 5505 Routed Mode Default Configuration
ASA 5505 Transparent Mode Sample Configuration
ASA 5510 and Higher Default Configuration
Getting Started with the Configuration
Using the Command Line Interface Tool in ASDM
Using the Command Line Interface Tool
Handling Command Errors
Using Interactive Commands
Avoiding Conflicts with Other Administrators
Showing Commands Ignored by ASDM on the Device
Using the ASDM User Interface
Information About the ASDM User Interface
Navigating in the ASDM User Interface
Menus
File Menu
View Menu
Tools Menu
Wizards Menu
Window Menu
Help Menu
Toolbar
ASDM Assistant
Status Bar
Connection to Device
Device List
Common Buttons
Keyboard Shortcuts
Find Function
Using the Find Function in Most ASDM Panes
Using the Find Function in the ACL Manager Pane
Enabling Extended Screen Reader Support
Organizational Folder
About the Help Window
Header Buttons
Browser Window
Home Pane (Single Mode and Context)
Device Dashboard Tab
Device Information Pane
General Tab
License Tab
Interface Status Pane
VPN Sessions Pane
Failover Status Pane
System Resources Status Pane
Traffic Status Pane
Firewall Dashboard Tab
Traffic Overview Pane
Top 10 Access Rules Pane
Top Usage Status Pane
Top Ten Protected Servers Under SYN Attack Pane
Top 200 Hosts Pane
Top Botnet Traffic Filter Hits Pane
Content Security Tab
Intrusion Prevention Tab
ASA CX Status Tab
Home Pane (System)
Defining ASDM Preferences
Using the ASDM Assistant
Enabling History Metrics
Unsupported Commands
Ignored and View-Only Commands
Effects of Unsupported Commands
Discontinuous Subnet Masks Not Supported
Interactive User Commands Not Supported by the ASDM CLI Tool
Managing Feature Licenses
Supported Feature Licenses Per Model
Licenses Per Model
License Notes
VPN License and Feature Compatibility
Information About Feature Licenses
Preinstalled License
Permanent License
Time-Based Licenses
Time-Based License Activation Guidelines
How the Time-Based License Timer Works
How Permanent and Time-Based Licenses Combine
Stacking Time-Based Licenses
Time-Based License Expiration
Shared AnyConnect Premium Licenses
Information About the Shared Licensing Server and Participants
Communication Issues Between Participant and Server
Information About the Shared Licensing Backup Server
Failover and Shared Licenses
Failover and Shared License Servers
Failover and Shared License Participants
Maximum Number of Participants
Failover Licenses (8.3(1) and Later)
Failover License Requirements and Exceptions
How Failover Licenses Combine
Loss of Communication Between Failover Units
Upgrading Failover Pairs
No Payload Encryption Models
Licenses FAQ
Configuring Licenses
Obtaining an Activation Key
Activating or Deactivating Keys
Limitations and Restrictions
Configuring a Shared License
Configuring the Shared Licensing Server
Configuring the Shared Licensing Participant and the Optional Backup Server
Monitoring Licenses
Viewing Your Current License
Monitoring the Shared License
Feature History for Licensing
Using the Startup Wizard
Information About the Startup Wizard
Licensing Requirements for the Startup Wizard
Startup Wizard Screens
Starting Point or Welcome
Basic Configuration
Interface Screens
Interface Selection (ASA 5505)
Switch Port Allocation (ASA 5505)
Interface IP Address Configuration (ASA 5505, Routed Mode)
Static Routes
Easy VPN Remote Configuration (ASA 5505, Single Mode, Routed Mode)
DHCP Server
Address Translation (NAT/PAT)
Administrative Access
IPS Basic Configuration (IPS SSP)
Time Zone and Clock Configuration (ASA 5585-X)
Auto Update Server (Single Mode)
Startup Wizard Summary
Feature History for the Startup Wizard
VPN Wizards
VPN Overview
IPsec IKEv1 Remote Access Wizard
Remote Access Client
VPN Client Authentication Method and Tunnel Group Name
Client Authentication
User Accounts
Address Pool
Attributes Pushed to Client (Optional)
IKE Policy
IPsec Settings (Optional)
IPsec Site-to-Site VPN Wizard
Peer Device Identification
IKE Version
Traffic to Protect
Authentication Methods
Encryption Algorithm
Miscellaneous
AnyConnect VPN Wizard
Connection Profile Identification
VPN Protocols
Client Images
Authentication Methods
Client Address Assignment
Network Name Resolution Servers
NAT Exempt
Clientless SSL VPN Wizard
SSL VPN Interface
User Authentication
Group Policy
Bookmark List
Using the High Availability and Scalability Wizard
Information About the High Availability and Scalability Wizard
Licensing Requirements for the High Availability and Scalability Wizard
Prerequisites for the High Availability and Scalability Wizard
Configuring Failover with the High Availability and Scalability Wizard
Accessing the High Availability and Scalability Wizard
Configuring Active/Active Failover with the High Availability and Scalability Wizard
Configuring Active/Standby Failover with the High Availability and Scalability Wizard
High Availability and Scalability Wizard Screens
Configuration Type
Failover Peer Connectivity and Compatibility Check
Change a Device to Multiple Mode
Security Context Configuration
Failover Link Configuration
State Link Configuration
Standby Address Configuration
Summary
Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard
VPN Cluster Load Balancing Configuration
Feature History for the High Availability and Scalability Wizard
Using the Cisco Unified Communication Wizard
Information about the Cisco Unified Communication Wizard
Licensing Requirements for the Unified Communication Wizard
Configuring the Phone Proxy by using the Unified Communication Wizard
Configuring the Private Network for the Phone Proxy
Configuring Servers for the Phone Proxy
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones
Configuring the Public IP Phone Network
Configuring the Media Termination Address for Unified Communication Proxies
Configuring the Mobility Advantage by using the Unified Communication Wizard
Configuring the Topology for the Cisco Mobility Advantage Proxy
Configuring the Server-Side Certificates for the Cisco Mobility Advantage
Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy
Configuring the Presence Federation Proxy by using the Unified Communication Wizard
Configuring the Topology for the Cisco Presence Federation Proxy
Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy
Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy
Configuring the UC-IME by using the Unified Communication Wizard
Configuring the Topology for the Cisco Intercompany Media Engine Proxy
Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy
Configuring the Public Network Settings for the Cisco Intercompany Media Engine Proxy
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy
Working with Certificates in the Unified Communication Wizard
Exporting an Identity Certificate
Installing a Certificate
Generating a Certificate Signing Request (CSR) for a Unified Communications
Saving the Identity Certificate Request
Installing the ASA Identity Certificate on the Mobility Advantage Server
Configuring Trend Micro Content Security
Information About the CSC SSM
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
CSC SSM Setup
Activation/License
IP Configuration
Host/Notification Settings
Management Access Host/Networks
Password
Restoring the Default Password
Wizard Setup
CSC Setup Wizard Activation Codes Configuration
CSC Setup Wizard IP Configuration
CSC Setup Wizard Host Configuration
CSC Setup Wizard Management Access Configuration
CSC Setup Wizard Password Configuration
CSC Setup Wizard Traffic Selection for CSC Scan
Specifying Traffic for CSC Scanning
CSC Setup Wizard Summary
Using the CSC SSM GUI
Web
Mail
SMTP Tab
POP3 Tab
File Transfer
Updates
Feature History for the CSC SSM
Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
Information About the Firewall Mode
Information About Routed Firewall Mode
Information About Transparent Firewall Mode
Transparent Firewall Network
Bridge Groups
Management Interface (ASA 5510 and Higher)
Allowing Layer 3 Traffic
Allowed MAC Addresses
Passing Traffic Not Allowed in Routed Mode
Passing Traffic For Routed-Mode Features
BPDU Handling
MAC Address vs. Route Lookups
Using the Transparent Firewall in Your Network
Licensing Requirements for the Firewall Mode
Setting the Firewall Mode
Feature History for Firewall Mode
Configuring ARP Inspection for the Transparent Firewall
Information About ARP Inspection
Licensing Requirements for ARP Inspection
Configuring ARP Inspection
Task Flow for Configuring ARP Inspection
Adding a Static ARP Entry
Enabling ARP Inspection
Feature History for ARP Inspection
Customizing the MAC Address Table for the Transparent Firewall
Information About the MAC Address Table
Licensing Requirements for the MAC Address Table
Configuring the MAC Address Table
Adding a Static MAC Address
Disabling MAC Address Learning
Feature History for the MAC Address Table
Firewall Mode Examples
How Data Moves Through the ASA in Routed Firewall Mode
An Inside User Visits a Web Server
An Outside User Visits a Web Server on the DMZ
An Inside User Visits a Web Server on the DMZ
An Outside User Attempts to Access an Inside Host
A DMZ User Attempts to Access an Inside Host
How Data Moves Through the Transparent Firewall
An Inside User Visits a Web Server
An Inside User Visits a Web Server Using NAT
An Outside User Visits a Web Server on the Inside Network
An Outside User Attempts to Access an Inside Host
Configuring Multiple Context Mode
Information About Security Contexts
Common Uses for Security Contexts
Context Configuration Files
Context Configurations
System Configuration
Admin Context Configuration
How the ASA Classifies Packets
Valid Classifier Criteria
Unique Interfaces
Unique MAC Addresses
NAT Configuration
Classification Examples
Cascading Security Contexts
Management Access to Security Contexts
System Administrator Access
Context Administrator Access
Information About Resource Management
Resource Limits
Default Class
Class Members
Information About MAC Addresses
Default MAC Address
Interaction with Manual MAC Addresses
Failover MAC Addresses
Licensing Requirements for Multiple Context Mode
MAC Address Format
MAC Address Format Using a Prefix
MAC Address Format Without a Prefix (Legacy Method; Not Available in 8.6(1) and Later)
Configuring Multiple Contexts
Task Flow for Configuring Multiple Context Mode
Enabling or Disabling Multiple Context Mode
Enabling Multiple Context Mode
Restoring Single Context Mode
Configuring a Class for Resource Management
Configuring a Security Context
Automatically Assigning MAC Addresses to Context Interfaces
Monitoring Security Contexts
Monitoring Context Resource Usage
Viewing Assigned MAC Addresses
Viewing MAC Addresses in the System Configuration
Viewing MAC Addresses Within a Context
Feature History for Multiple Context Mode
Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration
Auto-MDI/MDIX Feature
Interfaces in Transparent Mode
Management Interface
Management Interface Overview
Management Slot/Port Interface
Using Any Interface for Management-Only Traffic
Management Interface for Transparent Mode
No Support for Redundant Management Interfaces
Management 0/0 Interface on the ASA 5512-X through ASA 5555-X
Redundant Interfaces
Redundant Interface MAC Address
EtherChannels
Channel Group Interfaces
Connecting to an EtherChannel on Another Device
Link Aggregation Control Protocol
Load Balancing
EtherChannel MAC Address
Licensing Requirements for ASA 5510 and Higher Interfaces
Starting Interface Configuration (ASA 5510 and Higher)
Task Flow for Starting Interface Configuration
Converting In-Use Interfaces to a Redundant or EtherChannel Interface
Detailed Steps (Single Mode)
Detailed Steps (Multiple Mode)
Enabling the Physical Interface and Configuring Ethernet Parameters
Configuring a Redundant Interface
Configuring a Redundant Interface
Changing the Active Interface
Configuring an EtherChannel
Adding Interfaces to the EtherChannel
Customizing the EtherChannel
Configuring VLAN Subinterfaces and 802.1Q Trunking
Enabling Jumbo Frame Support (Supported Models)
Feature History for ASA 5510 and Higher Interfaces
Starting Interface Configuration (ASA 5505)
Information About ASA 5505 Interfaces
Understanding ASA 5505 Ports and Interfaces
Maximum Active VLAN Interfaces for Your License
VLAN MAC Addresses
Licensing Requirements for ASA 5505 Interfaces
Power over Ethernet
Monitoring Traffic Using SPAN
Auto-MDI/MDIX Feature
Starting ASA 5505 Interface Configuration
Task Flow for Starting Interface Configuration
Configuring VLAN Interfaces
Configuring and Enabling Switch Ports as Access Ports
Configuring and Enabling Switch Ports as Trunk Ports
Feature History for ASA 5505 Interfaces
Completing Interface Configuration (Routed Mode)
Information About Completing Interface Configuration in Routed Mode
Dual IP Stack (IPv4 and IPv6)
Licensing Requirements for Completing Interface Configuration in Routed Mode
Completing Interface Configuration in Routed Mode
PPPoE IP Address and Route Settings
Information About the MTU
Configuring IPv6 Addressing
(Optional) Configuring the Link-Local Addresses Automatically
(Optional) Configuring the Link-Local Addresses Manually
Information About Intra-Interface Communication
DHCP
DHCP Server Table
DHCP Client Lease Information
DHCP Statistics
Dynamic ACLs
PPPoE Client
Interface Connection
Track Status for
Monitoring Statistics for
Feature History for Interfaces in Routed Mode
Completing Interface Configuration (Transparent Mode, 8.4 and Later)
Information About Completing Interface Configuration in Transparent Mode (8.4 and Later)
Bridge Groups in Transparent Mode
Licensing Requirements for Completing Interface Configuration in Transparent Mode
Completing Interface Configuration in Transparent Mode (8.4 and Later)
Configuring Bridge Groups
Configuring a Management Interface (ASA 5510 and Higher)
Information About the MTU
Configuring IPv6 Addressing
Unsupported Commands
(Optional) Configuring the Link-Local Addresses Automatically
(Optional) Configuring the Link-Local Addresses Manually
DHCP
DHCP Server Table
DHCP Client Lease Information
DHCP Statistics
Dynamic ACLs
PPPoE Client
Interface Connection
Track Status for
Monitoring Statistics for
Feature History for Interfaces in Transparent Mode
Completing Interface Configuration (Transparent Mode, 8.3 and Earlier)
Information About Completing Interface Configuration in Transparent Mode (8.3 and Earlier)
Information About the Global Management IP Address
Licensing Requirements for Completing Interface Configuration in Transparent Mode
Setting the Management IP Address for a Transparent Firewall (8.3 and Earlier)
Configuring the IPv4 Address
Configuring the IPv6 Address
Unsupported Commands
Configuring the Global Address
Configuring the Link-Local Addresses Automatically
Configuring the Link-Local Address on an Interface Manually
Configuring DAD Settings
Completing Interface Configuration in Transparent Mode (8.3 and Earlier)
Configuring a Management Interface (ASA 5510 and Higher)
Configuring General Parameters and the IPv4 Address
Feature History for Interfaces in Transparent Mode
Configuring Basic Settings
Configuring the Hostname, Domain Name, and Passwords
Setting the Hostname, Domain Name, and the enable and Telnet Passwords
Setting the Date and Time
Setting the Date and Time Using an NTP Server
Adding or Editing the NTP Server Configuration
Setting the Date and Time Manually
Configuring the Master Passphrase
Information About the Master Passphrase
Licensing Requirements for the Master Passphrase
Adding or Changing the Master Passphrase
Disabling the Master Passphrase
Recovering the Master Passphrase
Feature History for the Master Passphrase
Configuring the DNS Server
Monitoring DNS Cache
Feature History for DNS Cache
Configuring DHCP
Information About DHCP
Licensing Requirements for DHCP
Configuring DHCP Relay Services
Editing DHCP Relay Agent Settings
Adding or Editing Global DHCP Relay Server Settings
Configuring a DHCP Server
Editing DHCP Servers
Configuring Advanced DHCP Options
DHCP Monitoring
Feature History for DHCP
Configuring Dynamic DNS
Information About DDNS
Licensing Requirements for DDNS
Configuring Dynamic DNS
DDNS Monitoring
Feature History for DDNS
Configuring Objects
Configuring Network Objects and Groups
Network Object Overview
Configuring a Network Object
Configuring a Network Object Group
Using Network Objects and Groups in a Rule
Viewing the Usage of a Network Object or Group
Configuring Service Objects and Service Groups
Information about Service Objects and Service Groups
Adding and Editing a Service Object
Adding a Service Object
Editing a Service Object
Adding and Editing a Service Group
Adding a Service Group
Editing a Service Group
Browse Service Groups
Licensing Requirements for Objects and Groups
Guidelines and Limitations for Objects and Groups
Configuring Regular Expressions
Creating a Regular Expression
Building a Regular Expression
Testing a Regular Expression
Creating a Regular Expression Class Map
Configuring Time Ranges
Add/Edit Time Range
Adding a Time Range to an Access Rule
Add/Edit Recurring Time Range
Using the ACL Manager
Information About the ACL Manager
Licensing Requirements for the ACL Manager
Adding ACLs and ACEs
Using Standard ACLs in the ACL Manager
Feature History for the ACL Manager
Adding a Standard ACL
Information About Standard ACLs
Licensing Requirements for Standard ACLs
Using Standard ACLs
Adding a Standard ACL
Adding an ACE to a Standard ACL
Editing an ACE in a Standard ACL
Feature History for Standard ACLs
Adding a Webtype ACL
Licensing Requirements for Webtype ACLs
Using Webtype ACLs
Task Flow for Configuring Webtype ACLs
Adding a Webtype ACL and ACE
Editing Webtype ACLs and ACEs
Deleting Webtype ACLs and ACEs
Feature History for Webtype Access Lists
Routing Overview
Information About Routing
Switching
Path Determination
Supported Route Types
Static Versus Dynamic
Single-Path Versus Multipath
Flat Versus Hierarchical
Link-State Versus Distance Vector
How Routing Behaves Within the ASA
Egress Interface Selection Process
Next Hop Selection Process
Supported Internet Protocols for Routing
Information About the Routing Table
Displaying the Routing Table
How the Routing Table Is Populated
Backup Routes
How Forwarding Decisions Are Made
Dynamic Routing and Failover
Information About IPv6 Support
Features That Support IPv6
IPv6-Enabled Commands
Entering IPv6 Addresses in Commands
Disabling Proxy ARPs
Configuring Static and Default Routes
Information About Static and Default Routes
Licensing Requirements for Static and Default Routes
Configuring Static and Default Routes
Configuring a Static Route
Adding or Editing a Static Route
Configuring Static Route Tracking
Deleting Static Routes
Configuring a Default Static Route
Limitations on Configuring a Default Static Route
Configuring IPv6 Default and Static Routes
Monitoring a Static or Default Route
Configuration Examples for Static or Default Routes
Feature History for Static and Default Routes
Defining Route Maps
Information About Route Maps
Permit and Deny Clauses
Match and Set Clause Values
Licensing Requirements for Route Maps
Defining a Route Map
Adding or Editing a Route Map
Customizing a Route Map
Defining a Route to Match a Specific Destination Address
Configuring Prefix Lists
Configuring Prefix Rules
Configuring the Metric Values for a Route Action
Configuration Example for Route Maps
Feature History for Route Maps
Configuring OSPF
Information About OSPF
Licensing Requirements for OSPF
Configuring OSPF
Customizing OSPF
Redistributing Routes Into OSPF
Configuring Route Summarization When Redistributing Routes Into OSPF
Adding a Route Summary Address
Adding or Editing an OSPF Summary Address
Configuring Route Summarization Between OSPF Areas
Configuring OSPF Interface Parameters
Configuring OSPF Area Parameters
Configuring OSPF NSSA
Defining Static OSPF Neighbors
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Configuring Filtering in OSPF
Configuring a Virtual Link in OSPF
Restarting the OSPF Process
Configuration Example for OSPF
Monitoring OSPF
Feature History for OSPF
Configuring RIP
Information About RIP
Routing Update Process
RIP Routing Metric
RIP Stability Features
RIP Timers
Licensing Requirements for RIP
Configuring RIP
Enabling RIP
Customizing RIP
Configuring the RIP Version
Configuring Interfaces for RIP
Editing a RIP Interface
Configuring the RIP Send and Receive Version on an Interface
Configuring Route Summarization
Filtering Networks in RIP
Adding or Editing a Filter Rule
Redistributing Routes into the RIP Routing Process
Enabling RIP Authentication
Restarting the RIP Process
Monitoring RIP
Configuration Example for RIP
Feature History for RIP
Configuring Multicast Routing
Information About Multicast Routing
Stub Multicast Routing
PIM Multicast Routing
Multicast Group Concept
Licensing Requirements for Multicast Routing
Enabling Multicast Routing
Customizing Multicast Routing
Configuring Stub Multicast Routing and Forwarding IGMP Messages
Configuring a Static Multicast Route
Configuring IGMP Features
Disabling IGMP on an Interface
Configuring IGMP Group Membership
Configuring a Statically Joined IGMP Group
Controlling Access to Multicast Groups
Limiting the Number of IGMP States on an Interface
Modifying the Query Messages to Multicast Groups
Changing the IGMP Version
Configuring PIM Features
Enabling and Disabling PIM on an Interface
Configuring a Static Rendezvous Point Address
Configuring the Designated Router Priority
Configuring and Filtering PIM Register Messages
Configuring PIM Message Intervals
Configuring a Route Tree
Configuring a Multicast Group
Filtering PIM Neighbors
Configuring a Bidirectional Neighbor Filter
Configuring a Multicast Boundary
Configuration Example for Multicast Routing
Related Documents
Feature History for Multicast Routing
Configuring EIGRP
Information About EIGRP
Licensing Requirements for EIGRP
Task List to Configure an EIGRP Process
Configuring EIGRP
Enabling EIGRP
Enabling EIGRP Stub Routing
Customizing EIGRP
Defining a Network for an EIGRP Routing Process
Configuring Interfaces for EIGRP
Configuring Passive Interfaces
Configuring the Summary Aggregate Addresses on Interfaces
Changing the Interface Delay Value
Enabling EIGRP Authentication on an Interface
Defining an EIGRP Neighbor
Redistributing Routes Into EIGRP
Filtering Networks in EIGRP
Customizing the EIGRP Hello Interval and Hold Time
Disabling Automatic Route Summarization
Configuring Default Information in EIGRP
Disabling EIGRP Split Horizon
Restarting the EIGRP Process
Monitoring EIGRP
Feature History for EIGRP
Configuring IPv6 Neighbor Discovery
Information About IPv6 Neighbor Discovery
Neighbor Solicitation Messages
Neighbor Reachable Time
Router Advertisement Messages
Static IPv6 Neighbors
Licensing Requirements for IPv6 Neighbor Discovery
Guidelines and Limitations
Default Settings for IPv6 Neighbor Discovery
Configuring the Neighbor Solicitation Message Interval
Configuring the Neighbor Reachable Time
Configuring the Router Advertisement Transmission Interval
Configuring the Router Lifetime Value
Configuring DAD Settings
Configuring IPv6 Addresses on an Interface
Suppressing Router Advertisement Messages
Configuring the IPv6 Prefix
Adding an IPv6 Static Neighbor
Editing Static Neighbors
Deleting Static Neighbors
Viewing and Clearing Dynamically Discovered Neighbors
Related Documents for IPv6 Prefixes
RFCs for IPv6 Prefixes and Documentation
Feature History for IPv6 Neighbor Discovery
Information About NAT
Why Use NAT?
NAT Terminology
NAT Types
NAT Types Overview
Static NAT
Information About Static NAT
Information About Static NAT with Port Translation
Information About Static NAT with Port Address Translation
Static NAT with Identity Port Translation
Static NAT with Port Translation for Non-Standard Ports
Static Interface NAT with Port Translation
Information About One-to-Many Static NAT
Information About Other Mapping Scenarios (Not Recommended)
Dynamic NAT
Information About Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Dynamic PAT
Information About Dynamic PAT
Dynamic PAT Disadvantages and Advantages
Identity NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode
NAT in Transparent Mode
NAT for VPN
How NAT is Implemented
Main Differences Between Network Object NAT and Twice NAT
Information About Network Object NAT
Information About Twice NAT
NAT Rule Order
NAT Interfaces
Routing NAT Packets
Mapped Addresses and Routing
Transparent Mode Routing Requirements for Remote Networks
Determining the Egress Interface
DNS and NAT
Configuring Network Object NAT (ASA 8.3 and Later)
Information About Network Object NAT
Licensing Requirements for Network Object NAT
Prerequisites for Network Object NAT
Configuring Network Object NAT
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Monitoring Network Object NAT
Configuration Examples for Network Object NAT
Providing Access to an Inside Web Server (Static NAT)
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
Feature History for Network Object NAT
Configuring Twice NAT (ASA 8.3 and Later)
Information About Twice NAT
Licensing Requirements for Twice NAT
Prerequisites for Twice NAT
Configuring Twice NAT
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Monitoring Twice NAT
Configuration Examples for Twice NAT
Different Translation Depending on the Destination (Dynamic PAT)
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Feature History for Twice NAT
Configuring NAT (ASA 8.2 and Earlier)
NAT Overview
Introduction to NAT
NAT in Routed Mode
NAT in Transparent Mode
NAT Control
NAT Types
Dynamic NAT
PAT
Static NAT
Static PAT
Bypassing NAT When NAT Control is Enabled
Policy NAT
NAT and Same Security Level Interfaces
Order of NAT Rules Used to Match Real Addresses
Mapped Address Guidelines
DNS and NAT
Configuring NAT Control
Using Dynamic NAT
Dynamic NAT Implementation
Real Addresses and Global Pools Paired Using a Pool ID
NAT Rules on Different Interfaces with the Same Global Pools
Global Pools on Different Interfaces with the Same Pool ID
Multiple NAT Rules with Different Global Pools on the Same Interface
Multiple Addresses in the Same Global Pool
Outside NAT
Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces
Managing Global Pools
Configuring Dynamic NAT, PAT, or Identity NAT
Configuring Dynamic Policy NAT or PAT
Using Static NAT
Configuring Static NAT, PAT, or Identity NAT
Configuring Static Policy NAT, PAT, or Identity NAT
Using NAT Exemption
Configuring a Service Policy
Information About Service Policies
Supported Features for Through Traffic
Supported Features for Management Traffic
Feature Directionality
Feature Matching Within a Service Policy
Order in Which Multiple Feature Actions are Applied
Incompatibility of Certain Feature Actions
Feature Matching for Multiple Service Policies
Licensing Requirements for Service Policies
Default Configuration
Default Traffic Classes
Task Flows for Configuring Service Policies
Task Flow for Configuring a Service Policy Rule
Adding a Service Policy Rule for Through Traffic
Adding a Service Policy Rule for Management Traffic
Configuring a Service Policy Rule for Management Traffic
Managing the Order of Service Policy Rules
Feature History for Service Policies
Configuring Access Rules
Information About Access Rules
General Information About Rules
Implicit Permits
Information About Interface Access Rules and Global Access Rules
Using Access Rules and EtherType Rules on the Same Interface
Rule Order
Implicit Deny
Using Remarks
Inbound and Outbound Rules
Information About Access Rules
Access Rules for Returning Traffic
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
Management Access Rules
Information About EtherType Rules
Supported EtherTypes and Other Traffic
Access Rules for Returning Traffic
Allowing MPLS
Licensing Requirements for Access Rules
Configuring Access Rules
Adding an Access Rule
Adding an EtherType Rule (Transparent Mode Only)
Add/Edit EtherType Rule
Configuring Management Access Rules
Advanced Access Rule Configuration
Access Rule Explosion
Configuring HTTP Redirect
Edit HTTP/HTTPS Settings
Feature History for Access Rules
Configuring AAA Servers and the Local Database
Information About AAA
Information About Authentication
Information About Authorization
Information About Accounting
Summary of Server Support
RADIUS Server Support
Authentication Methods
Attribute Support
RADIUS Authorization Functions
TACACS+ Server Support
RSA/SDI Server Support
RSA/SDI Version Support
Two-step Authentication Process
RSA/SDI Primary and Replica Servers
NT Server Support
Kerberos Server Support
LDAP Server Support
Authentication with LDAP
LDAP Server Types
HTTP Forms Authentication for Clientless SSL VPN
Local Database Support, Including as a Fallback Method
How Fallback Works with Multiple Servers in a Group
Using Certificates and User Login Credentials
Using User Login Credentials
Using Certificates
Licensing Requirements for AAA Servers
Configuring AAA
Task Flow for Configuring AAA
Configuring AAA Server Groups
Adding a Server to a Group
Configuring AAA Server Parameters
RADIUS Server Fields
TACACS+ Server Fields
SDI Server Fields
Windows NT Domain Server Fields
Kerberos Server Fields
LDAP Server Fields
HTTP Form Server Fields
Configuring LDAP Attribute Maps
Adding a User Account to the Local Database
Guidelines
Limitations
Adding a User
Configuring VPN Policy Attributes for a User
Adding an Authentication Prompt
Managing User Passwords
Changing User Passwords
Authenticating Users with a Public Key for SSH
Testing Server Authentication and Authorization
Monitoring AAA Servers
Feature History for AAA Servers
Configuring the Identity Firewall
Information About the Identity Firewall
Overview of the Identity Firewall
Architecture for Identity Firewall Deployments
Features of the Identity Firewall
Deployment Scenarios
Figure 39-2 Deployment Scenario without Redundancy
Figure 39-3 Deployment Scenario with Redundant Components
Cut-through Proxy and VPN Authentication
Licensing for the Identity Firewall
Prerequisites
Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall
Configuring the Active Directory Domain
Configuring Active Directory Server Groups
Configuring Active Directory Agents
Configuring Active Directory Agent Groups
Configuring Identity Options
Configuring Identity-based Access Rules
Adding Users and Groups to Access Rules
Configuring Local User Groups
Configuring Cut-through Proxy Authentication
Monitoring the Identity Firewall
Monitoring AD Agents
Monitoring Groups
Monitoring Memory Usage for the Identity Firewall
Monitoring Users for the Identity Firewall
Feature History for the Identity Firewall
Configuring Management Access
Configuring ASA Access for ASDM, Telnet, or SSH
Licensing Requirements for ASA Access for ASDM, Telnet, or SSH
Configuring Management Access
Using a Telnet Client
Using an SSH Client
Configuring CLI Parameters
Licensing Requirements for CLI Parameters
Configuring a Login Banner
Customizing a CLI Prompt
Changing the Console Timeout
Configuring File Access
Licensing Requirements for File Access
Configuring the FTP Client Mode
Configuring the ASA as a Secure Copy Server
Configuring the ASA as a TFTP Client
Adding Mount Points
Adding a CIFS Mount Point
Adding an FTP Mount Point
Configuring ICMP Access
Information About ICMP Access
Licensing Requirements for ICMP Access
Configuring ICMP Access
Configuring Management Access Over a VPN Tunnel
Licensing Requirements for a Management Interface
Configuring a Management Interface
Configuring AAA for System Administrators
Information About AAA for System Administrators
Information About Management Authentication
Comparing CLI Access with and without Authentication
Comparing ASDM Access with and without Authentication
Information About Command Authorization
Supported Command Authorization Methods
About Preserving User Credentials
Security Contexts and Command Authorization
Licensing Requirements for AAA for System Administrators
Prerequisites
Configuring Authentication for CLI, ASDM, and enable command Access
Limiting User CLI and ASDM Access with Management Authorization
Configuring Command Authorization
Configuring Local Command Authorization
Viewing Local Command Privilege Levels
Configuring Commands on the TACACS+ Server
Configuring TACACS+ Command Authorization
Configuring Management Access Accounting
Viewing the Currently Logged-In User
Recovering from a Lockout
Setting a Management Session Quota
Monitoring Device Access
Feature History for Management Access
Configuring AAA Rules for Network Access
AAA Performance
Licensing Requirements for AAA Rules
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
Applications Required to Receive an Authentication Challenge
ASA Authentication Prompts
Static PAT and HTTP
Configuring Network Access Authentication
Enabling the Redirection Method of Authentication for HTTP and HTTPS
Enabling Secure Authentication of Web Clients
Authenticating Directly with the ASA
Authenticating HTTP(S) Connections with a Virtual Server
Authenticating Telnet Connections with a Virtual Server
Configuring the Authentication Proxy Limit
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send Downloadable Access Control Lists
About the Downloadable Access List Feature and Cisco Secure ACS
Configuring Cisco Secure ACS for Downloadable Access Lists
Configuring Any RADIUS Server for Downloadable Access Lists
Converting Wildcard Netmask Expressions in Downloadable Access Lists
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Feature History for AAA Rules
Configuring Filtering Services
Information About Web Traffic Filtering
Filtering URLs and FTP Requests with an External Server
Information About URL Filtering
Licensing Requirements for URL Filtering
Guidelines and Limitations for URL Filtering
Identifying the Filtering Server
Configuring Additional URL Filtering Settings
Buffering the Content Server Response
Caching Server Addresses
Filtering HTTP URLs
Enabling Filtering of Long HTTP URLs
Configuring Filtering Rules
Filtering the Rule Table
Defining Queries
Feature History for URL Filtering
Configuring Web Cache Services Using WCCP
Information About WCCP
Licensing Requirements for WCCP
Configuring WCCP Service Groups
Adding or Editing WCCP Service Groups
Configuring Packet Redirection
Adding or Editing Packet Redirection
WCCP Monitoring
Feature History for WCCP
Configuring Digital Certificates
Information About Digital Certificates
Public Key Cryptography
Certificate Scalability
Key Pairs
Trustpoints
Certificate Enrollment
Proxy for SCEP Requests
Revocation Checking
Supported CA Servers
CRLs
OCSP
The Local CA
Storage for Local CA Files
The Local CA Server
Licensing Requirements for Digital Certificates
Prerequisites for Local Certificates
Prerequisites for SCEP Proxy Support
Configuring Digital Certificates
Configuring CA Certificate Authentication
Adding or Installing a CA Certificate
Editing or Removing a CA Certificate Configuration
Showing CA Certificate Details
Configuring CA Certificates for Revocation
Configuring CRL Retrieval Policy
Configuring CRL Retrieval Methods
Configuring OCSP Rules
Configuring Advanced CRL and OCSP Settings
Configuring Identity Certificates Authentication
Adding or Importing an Identity Certificate
Showing Identity Certificate Details
Deleting an Identity Certificate
Exporting an Identity Certificate
Generating a Certificate Signing Request
Installing Identity Certificates
Configuring Code Signer Certificates
Showing Code Signer Certificate Details
Deleting a Code Signer Certificate
Importing a Code Signer Certificate
Exporting a Code Signer Certificate
Authenticating Using the Local CA
Configuring the Local CA Server
Deleting the Local CA Server
Managing the User Database
Adding a Local CA User
Sending an Initial OTP or Replacing OTPs
Editing a Local CA User
Deleting a Local CA User
Allowing User Enrollment
Viewing or Regenerating an OTP
Managing User Certificates
Monitoring CRLs
Feature History for Certificate Management
Configuring Public Servers
Information About Public Servers
Licensing Requirements for Public Servers
Adding a Public Server that Enables Static NAT
Adding a Public Server that Enables Static NAT with PAT
Editing Settings for a Public Server
Feature History for Public Servers
Getting Started with Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
Configuring Application Layer Protocol Inspection
Configuring Inspection of Basic Internet Protocols
DNS Inspection
How DNS Application Inspection Works
How DNS Rewrite Works
Configuring DNS Rewrite
Select DNS Inspect Map
DNS Class Map
Add/Edit DNS Traffic Class Map
Add/Edit DNS Match Criterion
DNS Inspect Map
Add/Edit DNS Policy Map (Security Level)
Add/Edit DNS Policy Map (Details)
FTP Inspection
FTP Inspection Overview
Using Strict FTP
Select FTP Map
FTP Class Map
Add/Edit FTP Traffic Class Map
Add/Edit FTP Match Criterion
FTP Inspect Map
File Type Filtering
Add/Edit FTP Policy Map (Security Level)
Add/Edit FTP Policy Map (Details)
Add/Edit FTP Map
Verifying and Monitoring FTP Inspection
HTTP Inspection
HTTP Inspection Overview
Select HTTP Map
HTTP Class Map
Add/Edit HTTP Traffic Class Map
Add/Edit HTTP Match Criterion
HTTP Inspect Map
URI Filtering
Add/Edit HTTP Policy Map (Security Level)
Add/Edit HTTP Policy Map (Details)
Add/Edit HTTP Map
ICMP Inspection
ICMP Error Inspection
Instant Messaging Inspection
IM Inspection Overview
Adding a Class Map for IM Inspection
Select IM Map
IP Options Inspection
IP Options Inspection Overview
Configuring IP Options Inspection
Select IP Options Inspect Map
IP Options Inspect Map
Add/Edit IP Options Inspect Map
IPsec Pass Through Inspection
IPsec Pass Through Inspection Overview
Select IPsec-Pass-Thru Map
IPsec Pass Through Inspect Map
Add/Edit IPsec Pass Thru Policy Map (Security Level)
Add/Edit IPsec Pass Thru Policy Map (Details)
IPv6 Inspection
Configuring an IPv6 Inspection Policy Map
NetBIOS Inspection
NetBIOS Inspection Overview
Select NETBIOS Map
NetBIOS Inspect Map
Add/Edit NetBIOS Policy Map
PPTP Inspection
SMTP and Extended SMTP Inspection
SMTP and ESMTP Inspection Overview
Select ESMTP Map
ESMTP Inspect Map
MIME File Type Filtering
Add/Edit ESMTP Policy Map (Security Level)
Add/Edit ESMTP Policy Map (Details)
Add/Edit ESMTP Inspect
TFTP Inspection
Configuring Inspection for Voice and Video Protocols
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
H.323 Inspection
H.323 Inspection Overview
How H.323 Works
H.239 Support in H.245 Messages
Limitations and Restrictions
Select H.323 Map
H.323 Class Map
Add/Edit H.323 Traffic Class Map
Add/Edit H.323 Match Criterion
H.323 Inspect Map
Phone Number Filtering
Add/Edit H.323 Policy Map (Security Level)
Add/Edit H.323 Policy Map (Details)
Add/Edit HSI Group
Add/Edit H.323 Map
MGCP Inspection
MGCP Inspection Overview
Select MGCP Map
MGCP Inspect Map
Gateways and Call Agents
Add/Edit MGCP Policy Map
Add/Edit MGCP Group
RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
Select RTSP Map
RTSP Inspect Map
Add/Edit RTSP Policy Map
Add/Edit RTSP Inspect
SIP Inspection
SIP Inspection Overview
SIP Instant Messaging
Select SIP Map
SIP Class Map
Add/Edit SIP Traffic Class Map
Add/Edit SIP Match Criterion
SIP Inspect Map
Add/Edit SIP Policy Map (Security Level)
Add/Edit SIP Policy Map (Details)
Add/Edit SIP Inspect
Skinny (SCCP) Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Restrictions and Limitations
Select SCCP (Skinny) Map
SCCP (Skinny) Inspect Map
Message ID Filtering
Add/Edit SCCP (Skinny) Policy Map (Security Level)
Add/Edit SCCP (Skinny) Policy Map (Details)
Add/Edit Message ID Filter
Configuring Inspection of Database and Directory Protocols
ILS Inspection
SQL*Net Inspection
Sun RPC Inspection
Sun RPC Inspection Overview
SUNRPC Server
Add/Edit SUNRPC Service
Configuring Inspection for Management Application Protocols
DCERPC Inspection
DCERPC Overview
Select DCERPC Map
DCERPC Inspect Map
Add/Edit DCERPC Policy Map
GTP Inspection
GTP Inspection Overview
Select GTP Map
GTP Inspect Map
IMSI Prefix Filtering
Add/Edit GTP Policy Map (Security Level)
Add/Edit GTP Policy Map (Details)
Add/Edit GTP Map
RADIUS Accounting Inspection
RADIUS Accounting Inspection Overview
Select RADIUS Accounting Map
Add RADIUS Accounting Policy Map
RADIUS Inspect Map
RADIUS Inspect Map Host
RADIUS Inspect Map Other
RSH Inspection
SNMP Inspection
SNMP Inspection Overview
Select SNMP Map
SNMP Inspect Map
Add/Edit SNMP Map
XDMCP Inspection
Information About Cisco Unified Communications Proxy Features
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications
Licensing for Cisco Unified Communications Proxy Features
Configuring the Cisco Phone Proxy
Information About the Cisco Phone Proxy
Phone Proxy Functionality
Supported Cisco UCM and IP Phones for the Phone Proxy
Licensing Requirements for the Phone Proxy
Prerequisites for the Phone Proxy
Media Termination Instance Prerequisites
Certificates from the Cisco UCM
DNS Lookup Prerequisites
Cisco Unified Communications Manager Prerequisites
Access List Rules
NAT and PAT Prerequisites
Prerequisites for IP Phones on Multiple Interfaces
7960 and 7940 IP Phones Support
Cisco IP Communicator Prerequisites
Prerequisites for Rate Limiting TFTP Requests
Rate Limiting Configuration Example
End-User Phone Provisioning
Ways to Deploy IP Phones to End Users
Phone Proxy Guidelines and Limitations
General Guidelines and Limitations
Media Termination Address Guidelines and Limitations
Configuring the Phone Proxy
Task Flow for Configuring the Phone Proxy
Creating the CTL File
Adding or Editing a Record Entry in a CTL File
Creating the Media Termination Instance
Creating the Phone Proxy Instance
Adding or Editing the TFTP Server for a Phone Proxy
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
Configuring Your Router
Feature History for the Phone Proxy
Configuring the TLS Proxy for Encrypted Voice Inspection
Information about the TLS Proxy for Encrypted Voice Inspection
Decryption and Inspection of Unified Communications Encrypted Signaling
Licensing for the TLS Proxy
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
Add/Edit CTL Provider
Configure TLS Proxy Pane
Adding a TLS Proxy Instance
Add TLS Proxy Instance Wizard Server Configuration
Add TLS Proxy Instance Wizard Client Configuration
Add TLS Proxy Instance Wizard Other Steps
Edit TLS Proxy Instance Server Configuration
Edit TLS Proxy Instance Client Configuration
TLS Proxy
Add/Edit TLS Proxy
Feature History for the TLS Proxy for Encrypted Voice Inspection
Configuring Cisco Mobility Advantage
Information about the Cisco Mobility Advantage Proxy Feature
Cisco Mobility Advantage Proxy Functionality
Mobility Advantage Proxy Deployment Scenarios
Mobility Advantage Proxy Using NAT/PAT
Trust Relationships for Cisco UMA Deployments
Licensing for the Cisco Mobility Advantage Proxy Feature
Configuring Cisco Mobility Advantage
Task Flow for Configuring Cisco Mobility Advantage
Feature History for Cisco Mobility Advantage
Configuring Cisco Unified Presence
Information About Cisco Unified Presence
Architecture for Cisco Unified Presence for SIP Federation Deployments
Trust Relationship in the Presence Federation
Security Certificate Exchange Between Cisco UP and the Security Appliance
XMPP Federation Deployments
Configuration Requirements for XMPP Federation
Licensing for Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
Feature History for Cisco Unified Presence
Configuring Cisco Intercompany Media Engine Proxy
Information About Cisco Intercompany Media Engine Proxy
Features of Cisco Intercompany Media Engine Proxy
How the UC-IME Works with the PSTN and the Internet
Tickets and Passwords
Call Fallback to the PSTN
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine
Architecture
Basic Deployment
Off Path Deployment
Licensing for Cisco Intercompany Media Engine
Configuring Cisco Intercompany Media Engine Proxy
Task Flow for Configuring Cisco Intercompany Media Engine
Configuring NAT for Cisco Intercompany Media Engine Proxy
Configuring PAT for the Cisco UCM Server
Creating Access Lists for Cisco Intercompany Media Engine Proxy
Creating the Media Termination Instance
Creating the Cisco Intercompany Media Engine Proxy
Creating Trustpoints and Generating Certificates
Creating the TLS Proxy
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
(Optional) Configuring TLS within the Local Enterprise
(Optional) Configuring Off Path Signaling
Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane
Configuring the Cisco UC-IME Proxy by using the Unified Communications
Feature History for Cisco Intercompany Media Engine Proxy
Configuring Connection Settings
Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
Dead Connection Detection (DCD)
TCP Sequence Randomization
TCP Normalization
TCP State Bypass
Licensing Requirements for Connection Settings
TCP State Bypass Guidelines and Limitations
Configuring Connection Settings
Task Flow For Configuring Configuration Settings (Except Global Timeouts)
Customizing the TCP Normalizer with a TCP Map
Configuring Connection Settings
Configuring Global Timeouts
Feature History for Connection Settings
Configuring QoS
Information About QoS
Supported QoS Features
What is a Token Bucket?
Information About Policing
Information About Priority Queuing
Information About Traffic Shaping
How QoS Features Interact
DSCP and DiffServ Preservation
Licensing Requirements for QoS
Configuring QoS
Determining the Queue and TX Ring Limits for a Standard Priority Queue
Configuring the Standard Priority Queue for an Interface
Configuring a Service Rule for Standard Priority Queuing and Policing
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
Monitoring QoS
Viewing QoS Police Statistics
Viewing QoS Standard Priority Statistics
Viewing QoS Shaping Statistics
Viewing QoS Standard Priority Queue Statistics
Feature History for QoS
Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Types
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Databases
Information About the Dynamic Database
How the ASA Uses the Dynamic Database
Database Files
Database Traffic Types
Information About the Static Database
Information About the DNS Reverse Lookup Cache and DNS Host Cache
How the Botnet Traffic Filter Works
Licensing Requirements for the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling DNS Snooping
Default DNS Inspection Configuration and Recommended Configuration
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Recommended Configuration
Blocking Botnet Traffic Manually
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Monitor Panes
Feature History for the Botnet Traffic Filter
Configuring Threat Detection
Information About Threat Detection
Licensing Requirements for Threat Detection
Configuring Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Configuring Basic Threat Detection Statistics
Monitoring Basic Threat Detection Statistics
Feature History for Basic Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Monitoring Advanced Threat Detection Statistics
Feature History for Advanced Threat Detection Statistics
Configuring Scanning Threat Detection
Information About Scanning Threat Detection
Configuring Scanning Threat Detection
Feature History for Scanning Threat Detection
Using Protection Tools
Preventing IP Spoofing
Configuring the Fragment Size
Show Fragment
Configuring TCP Options
TCP Reset Settings
Configuring IP Audit for Basic IPS Support
IP Audit Policy
Add/Edit IP Audit Policy Configuration
IP Audit Signatures
IP Audit Signature List
Configuring the ASA IPS Module
Information About the ASA IPS module
How the ASA IPS module Works with the ASA
Operating Modes
Using Virtual Sensors (ASA 5510 and Higher)
Information About Management Access
Licensing Requirements for the ASA IPS module
Configuring the ASA IPS module
Task Flow for the ASA IPS Module
Connecting Management Interface Cables
Sessioning to the Module from the ASA (May Be Required)
Configuring Basic IPS Module Network Settings
(ASA 5510 and Higher) Configuring Basic Network Settings
Detailed Steps - Single Mode
Detailed Steps - Multiple Mode Using the CLI
(ASA 5505) Configuring Basic Network Settings
(ASA 5512-X through ASA 5555-X) Installing the Software Module
Configuring the Security Policy on the ASA IPS module
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
Diverting Traffic to the ASA IPS module
Monitoring the ASA IPS module
Troubleshooting the ASA IPS module
Installing an Image on the Module
Uninstalling a Software Module Image
Feature History for the ASA IPS module
Configuring the ASA CX Module
Information About the ASA CX Module
How the ASA CX Module Works with the ASA
Information About ASA CX Management
Initial Configuration
Policy Configuration and Management
Information About Authentication Proxy
Information About VPN and the ASA CX Module
Compatibility with ASA Features
Licensing Requirements for the ASA CX Module
Configuring the ASA CX Module
Task Flow for the ASA CX Module
Connecting Management Interface Cables
Configuring the ASA CX Management IP Address
Configuring Basic ASA CX Settings at the ASA CX CLI
Configuring the Security Policy on the ASA CX Module Using PRSM
(Optional) Configuring the Authentication Proxy Port
Redirecting Traffic to the ASA CX Module
Monitoring the ASA CX Module
Showing Module Status
Showing Module Statistics
Monitoring Module Connections
Capturing Module Traffic
Troubleshooting the ASA CX Module
General Recovery Procedures
Problems with the Authentication Proxy
Feature History for the ASA CX Module
Configuring the ASA CSC Module
Information About the CSC SSM
Determining What Traffic to Scan
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
Configuring the CSC SSM
Before Configuring the CSC SSM
Connecting to the CSC SSM
Determining Service Policy Rule Actions for CSC Scanning
Monitoring the CSC SSM
Threats
Live Security Events
Live Security Events Log
Software Updates
Resource Graphs
CSC CPU
CSC Memory
Troubleshooting the CSC Module
Installing an Image on the Module
Feature History for the CSC SSM
Information About High Availability
Introduction to Failover and High Availability
Failover System Requirements
Hardware Requirements
Software Requirements
License Requirements
Failover and Stateful Failover Links
Failover Link
Stateful Failover Link
Failover Interface Speed for Stateful Links
Avoiding Interrupted Failover Links
Scenario 3 - Recommended
Scenario 4 - Recommended
Active/Active and Active/Standby Failover
Determining Which Type of Failover to Use
Stateless (Regular) and Stateful Failover
Stateless (Regular) Failover
Stateful Failover
Transparent Firewall Mode Requirements
Auto Update Server Support in Failover Configurations
Auto Update Process Overview
Monitoring the Auto Update Process
Failover Health Monitoring
Unit Health Monitoring
Interface Monitoring
Failover Times
Failover Messages
Failover System Messages
Debug Messages
SNMP
Configuring Active/Standby Failover
Information About Active/Standby Failover
Active/Standby Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Optional Active/Standby Failover Settings
Licensing Requirements for Active/Standby Failover
Prerequisites for Active/Standby Failover
Configuring Active/Standby Failover
Configuring Failover
Configuring Interface Standby Addresses
Configuring Interface Standby Addresses in Routed Firewall Mode
Configuring the Management Interface Standby Address in Transparent Firewall Mode
Configuring Optional Active/Standby Failover Settings
Disabling and Enabling Interface Monitoring
Configuring Failover Criteria
Configuring the Unit and Interface Health Poll Times
Configuring Virtual MAC Addresses
Controlling Failover
Forcing Failover
Disabling Failover
Restoring a Failed Unit
Monitoring Active/Standby Failover
Feature History for Active/Standby Failover
Configuring Active/Active Failover
Information About Active/Active Failover
Active/Active Failover Overview
Primary/Secondary Status and Active/Standby Status
Device Initialization and Configuration Synchronization
Command Replication
Failover Triggers
Failover Actions
Optional Active/Active Failover Settings
Licensing Requirements for Active/Active Failover
Prerequisites for Active/Active Failover
Configuring Active/Active Failover
Failover-Multiple Mode, Security Context
Failover - Routed
Edit Failover Interface Configuration
Failover - Transparent
Failover-Multiple Mode, System
Failover > Setup Tab
Failover > Criteria Tab
Failover > Active/Active Tab
Add/Edit Failover Group
Add/Edit Interface MAC Address
Failover > MAC Addresses Tab
Add/Edit Interface MAC Address
Configuring Asymmetric Routing Groups in Multiple Context Mode
Controlling Failover
Forcing Failover
Disabling Failover
Restoring a Failed Unit or Failover Group
Monitoring Active/Active Failover
System
Failover Group 1 and Failover Group 2
Feature History for Active/Active Failover
Configuring IKE, Load Balancing, and NAC
Setting IKE Parameters
Creating IKE Policies
Add/Edit IKEv1 Policy
Add/Edit IKEv2 Policy (Proposal)
Assignment Policy
Address Pools
Add/Edit IP Pool
Configuring IPsec
Adding Crypto Maps
Creating an IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab
Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab
Creating IPsec Rule/Traffic Selection Tab
Pre-Fragmentation
Edit IPsec Pre-Fragmentation Policy
IPsec Transform Sets
Add/Edit IPsec Proposal (Transform Set)
Add/Edit IPsec Proposal
Configuring Load Balancing
Eligible Clients
Enabling Load Balancing
Creating Virtual Clusters
Geographical Load Balancing
Mixed Cluster Scenarios
Comparing Load Balancing to Failover
Load Balancing Prerequisites
Setting Global NAC Parameters
Configuring Network Admission Control Policies
About NAC
Uses, Requirements, and Limitations
Add/Edit Posture Validation Exception
General VPN Setup
Client Software
Edit Client Update Entry
Default Tunnel Gateway
Group Policies
Add/Edit External Group Policy
Adding or Editing a Remote Access Internal Group Policy, General Attributes
AnyConnect Client Group Policy Attributes
Key Regeneration
Dead Peer Detection
Customization
Configuring the Portal for a Group Policy
Configuring Customization for a Group Policy
Adding or Editing a Site-to-Site Internal Group Policy
Add AAA Server Group
Browse Time Range
Add/Edit Time Range
Add/Edit Recurring Time Range
ACL Manager
Standard ACL
Extended ACL
Add/Edit/Paste ACE
Browse Source/Destination Address
Browse Source/Destination Port
Add TCP Service Group
Browse ICMP
Add ICMP Group
Browse Other
Add Protocol Group
Add/Edit Internal Group Policy > Servers
Login Setting
Client Firewall with Local Printer and Tethered Device Support
Usage Notes about Firewall Behavior
Deploying a Client Firewall for Local Printer Support
Tethered Devices Support
ACLs
Add/Edit Internal Group Policy > IPsec Client
Client Access Rules
Add/Edit Client Access Rule
Add/Edit Internal Group Policy > Client Configuration Dialog Box
Add/Edit Internal Group Policy > Client Configuration > General Client Parameters
View/Config Banner
Add/Edit Internal Group Policy > Client Configuration > Cisco Client Parameters
Add or Edit Internal Group Policy > Advanced > IE Browser Proxy
Add/Edit Standard Access List Rule
Add/Edit Internal Group Policy > Client Firewall
Add/Edit Internal Group Policy > Hardware Client
Add/Edit Server and URL List
Add/Edit Server or URL
Configuring AnyConnect VPN Client Connections
Using AnyConnect Client Profiles
Specifying an AnyConnect Client Profile
Importing an AnyConnect Client Profile
Exporting an AnyConnect Client Profile
Exempting AnyConnect Traffic from Network Address Translation
Configuring AnyConnect VPN Connections
Configuring Port Settings
Setting the Basic Attributes for an AnyConnect VPN Connection
Setting Advanced Attributes for a Connection Profile
Setting General Attributes for an AnyConnect SSL VPN Connection
Setting Client Addressing Attributes for an AnyConnect SSL VPN Connection
Configuring Authentication Attributes for a Connection Profile
Configuring Secondary Authentication Attributes for an SSL VPN Connection Profile
Configuring Authorization Attributes for an SSL VPN Connection Profile
Adding or Editing Content to a Script for Certificate Pre-Fill-Username
Configuring AnyConnect Secure Mobility
Add or Edit MUS Access Control
Configuring Clientless SSL VPN Connections
Add or Edit Clientless SSL VPN Connections
Add or Edit Clientless SSL VPN Connections > Basic
Add or Edit Clientless SSL VPN Connections > Advanced
Add or Edit Clientless SSL VPN Connections > Advanced > General
Assign Authentication Server Group to Interface
Add or Edit SSL VPN Connections > Advanced > Authorization
Assign Authorization Server Group to Interface
Add or Edit SSL VPN Connections > Advanced > SSL VPN
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN
Add or Edit Clientless SSL VPN Connections > Advanced > NetBIOS Servers
Configure DNS Server Groups
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN
IPsec Remote Access Connection Profiles
Add or Edit an IPsec Remote Access Connection Profile
Add or Edit IPsec Remote Access Connection Profile Basic
Mapping Certificates to IPsec or SSL VPN Connection Profiles
Setting a Certificate Matching Policy
Add/Edit Certificate Matching Rule
Add/Edit Certificate Matching Rule Criterion
Site-to-Site Connection Profiles
Add/Edit Site-to-Site Connection
Adding or Editing a Site-to-Site Tunnel Group
Crypto Map Entry
Crypto Map Entry for Static Peer Address
Managing CA Certificates
Install Certificate
Configure Options for CA Certificate
Revocation Check Dialog Box
Add/Edit Remote Access Connections > Advanced > General
Configuring Client Addressing
Add IPsec Remote Access Connection and Add SSL VPN Access Connection
Assign Address Pools to Interface
Select Address Pools
Add or Edit IP Pool
Add/Edit Connection Profile > General > Authentication
Add/Edit SSL VPN Connection > General > Authorization
Add/Edit SSL VPN Connections > Advanced > Accounting
Add/Edit Tunnel Group > General > Client Address Assignment
Add/Edit Tunnel Group > General > Advanced
Add/Edit Tunnel Group > IPsec for Remote Access > IPsec
Add/Edit Tunnel Group for Site-to-Site VPN
Add/Edit Tunnel Group > PPP
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > General > Basic
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec
Clientless SSL VPN Access > Connection Profiles > Add/Edit > General > Basic
Configuring Internal Group Policy IPsec Client Attributes
Configuring Client Addressing for SSL VPN Connections
Assign Address Pools to Interface
Select Address Pools
Add or Edit an IP Address Pool
Authenticating SSL VPN Connections
System Options
Configuring SSL VPN Connections, Advanced
Configuring Split Tunneling
Differences in Client Split Tunneling Behavior for Traffic within the Subnet
Zone Labs Integrity Server
Easy VPN Remote
Advanced Easy VPN Properties
AnyConnect Essentials
DTLS Settings
SSL VPN Client Settings
Add/Replace SSL VPN Client Image
Upload Image
Add/Edit SSL VPN Client Profiles
Upload Package
Bypass Interface Access List
Configuring AnyConnect Host Scan
Host Scan Dependencies and System Requirements
Dependencies
System Requirements
Licensing
Host Scan Packaging
Installing and Enabling Host Scan on the ASA
Installing or Upgrading Host Scan
Enabling or Disabling Host Scan
Enabling or Disabling CSD on the ASA
Viewing the Host Scan Version Enabled on the ASA
Uninstalling Host Scan
Uninstalling CSD from the ASA
Assigning AnyConnect Posture Module to a Group Policy
Other Important Documentation Addressing Host Scan
Configuring Dynamic Access Policies
Information About Dynamic Access Policies
DAP and Endpoint Security
DAP Support for Remote Access Connection Types
Remote Access Connection Sequence with DAPs
Licensing Requirements for Dynamic Access Policies
Advanced Endpoint Assessment license
SSL VPN license (client)
AnyConnect Mobile License
Dynamic Access Policies Interface
Configuring Dynamic Access Policies
Testing Dynamic Access Policies
DAP and Authentication, Authorization, and Accounting Services
Configuring AAA Attributes in a DAP
Retrieving Active Directory Groups
AAA Attribute Definitions
Configuring Endpoint Attributes Used in DAPs
Adding an Anti-Spyware or Anti-Virus Endpoint Attribute to a DAP
Adding an Application Attribute to a DAP
Adding Mobile Posture Attributes to a DAP
Licensing
Adding a File Endpoint Attribute to a DAP
Adding a Device Endpoint Attribute to a DAP
Adding a NAC Endpoint Attribute to a DAP
Adding an Operating System Endpoint Attribute to a DAP
Adding a Personal Firewall Endpoint Attribute to a DAP
Adding a Policy Endpoint Attribute to a DAP
Adding a Process Endpoint Attribute to a DAP
Adding a Registry Endpoint Attribute to a DAP
DAP and AntiVirus, AntiSpyware, and Personal Firewall Programs
Endpoint Attribute Definitions
Configuring DAP Access and Authorization Policy Attributes
Performing a DAP Trace
Guide to Creating DAP Logical Expressions Using Lua
Syntax for Creating Lua EVAL Expressions
Constructing DAP EVAL Expressions
The DAP CheckAndMsg Function
Checking for a Single Antivirus Program
Checking for Antivirus Definitions Within the Last 10 Days
Checking for a Hotfix on the User PC
Checking for Antivirus Programs
Checking for Antivirus Programs and Definitions Older than 1 1/2 Days
Additional Lua Functions
OU-Based Match Example
Group Membership Example
Antivirus Example
Antispyware Example
Firewall Example
CheckAndMsg with Custom Function Example
Further Information on Lua
Operator for Endpoint Category
DAP Examples
Using DAP to Define Network Resources
Using DAP to Apply a WebVPN ACL
Enforcing CSD Checks and Applying Policies via DAP
Clientless SSL VPN End User Set-up
Requiring Usernames and Passwords
Communicating Security Tips
Configuring Remote Systems to Use Clientless SSL VPN Features
Capturing Clientless SSL VPN Data
Creating a Capture File
Using a Browser to Display Capture Data
Configuring Clientless SSL VPN
Information About Clientless SSL VPN
Licensing Requirements
Prerequisites for Clientless SSL VPN
Observing Clientless SSL VPN Security Precautions
Configuring Clientless SSL VPN Access
Configuring ACLs
Adding or Editing ACEs
Configuration Examples for ACLs for Clientless SSL VPN
Configuring the Setup for Cisco Secure Desktop
Uploading Images
Configuring Application Helper
Uploading APCF Packages
Managing Passwords
Adding the Cisco Authentication Scheme to SiteMinder
Configuring the SAML POST SSO Server
Configuring SSO with the HTTP Form Protocol
Gathering HTTP Form Data
Using Auto Signon
Configuring Session Settings
Java Code Signer
Encoding
Content Cache
Content Rewrite
Configuration Example for Content Rewrite Rules
Configuring Browser Access to Plug-ins
Adding a New Environment Variable
Preparing the Security Appliance for a Plug-in
Installing Plug-ins Redistributed By Cisco
Providing Access to Third-Party Plug-ins
Configuring and Applying the POST URL
Providing Access to a Citrix Java Presentation Server
Preparing the Citrix MetaFrame Server for Clientless SSL VPN Access
Creating and Installing the Citrix Plug-in
Why a Microsoft Kerberos Constrained Delegation Solution
Requirements
Understanding How KCD Works
Authentication Flow with KCD
Adding Windows Service Account in Active Directory
Configuring DNS for KCD
Configuring the ASA to Join the Active Directory Domain
Configuring Kerberos Server Groups
Configuring Bookmarks to Access the Kerberos Authenticated Services
Configuring Application Access
Configuring Smart Tunnel Access
About Smart Tunnels
Why Smart Tunnels?
Configuring a Smart Tunnel (Lotus example)
Simplifying Configuration of Which Applications to Tunnel
Assigning a Smart Tunnel List
Configuring and Applying Smart Tunnel Policy
Specifying Servers for Smart Tunnel Auto Sign-on
Adding or Editing a Smart Tunnel Auto Sign-on Server Entry
Enabling and Disabling Smart Tunnel Access
Logging Off Smart Tunnel
When Its Parent Process Terminates
With A Notification Icon
Configuring Port Forwarding
Information About Port Forwarding
Configuring DNS for Port Forwarding
Adding Applications to Be Eligible for Port Forwarding
Adding/Editing Port Forwarding Entry
Assigning a Port Forwarding List
Enabling and Disabling Port Forwarding
Configuring the Use of External Proxy Servers
SSO Servers
Configuring SiteMinder and SAML Browser Post Profile
Adding the Cisco Authentication Scheme to SiteMinder
Adding or Editing SSO Servers
Application Access User Notes
Using Application Access on Vista
Closing Application Access to Prevent hosts File Errors
Recovering from hosts File Errors When Using Application Access
Understanding the hosts File
Stopping Application Access Improperly
Reconfiguring a Hosts File Automatically Using Clientless SSL VPN
Reconfiguring hosts File Manually
Configuring File Access
CIFS File Access Requirement and Limitation
Adding Support for File Access
Ensuring Clock Accuracy for SharePoint Access
Customizing the Clientless SSL VPN User Experience
Customizing the Logon Page with the Customization Editor
Replacing the Logon Page with your own Fully Customized Page
Creating the Custom Login Screen File
Importing the File and Images
Configuring the Security Appliance to use the Custom Login Screen
Using Clientless SSL VPN with PDAs
Using E-Mail over Clientless SSL VPN
Configuring E-mail Proxies
Configuring Web E-mail: MS Outlook Web App
Configuring Portal Access Rules
Using Proxy Bypass
Configuring Application Profile Customization Framework
Uploading APCF Packages
APCF Syntax
Configuration Examples for APCF
Table 72-7 APCF XML Tags
Clientless SSL VPN End User Setup
Defining the End User Interface
Viewing the Clientless SSL VPN Home Page
Viewing the Clientless SSL VPN Application Access Panel
Viewing the Floating Toolbar
Customizing Clientless SSL VPN Pages
Information About Customization
Exporting a Customization Template
Editing the Customization Template
Login Screen Advanced Customization
Figure 72-25 Example of Full Customization of Login Screens
Modifying Your HTML File
Customizing the Portal Page
Configuring Custom Portal Timeout Alerts
Specifying a Custom Timeout Alert in a Customization Object File
Configuration Example for Timeout-alert Element and Child Elements
Customizing the Logout Page
Adding Customization Object
Importing/Exporting Customization Object
Creating XML-Based Portal Customization Objects and URL Lists
Understanding the XML Customization File Structure
Configuration Example for Customization
Using the Customization Template
The Customization Template
Help Customization
Customizing a Help File Provided by Cisco
Import/Export Application Help Content
Customizing a Help File Provided by Cisco
Configuring Browser Access to Client-Server Plug-ins
About Installing Browser Plug-ins
Requirements
RDP Plug-in ActiveX Debug Quick Reference
Preparing the Security Appliance for a Plug-in
Customizing Help
Customizing a Help File Provided By Cisco
Requiring Usernames and Passwords
Communicating Security Tips
Configuring Remote Systems to Use Clientless SSL VPN Features
Starting Clientless SSL VPN
Using the Clientless SSL VPN Floating Toolbar
Browsing the Web
Browsing the Network (File Management)
Using Port Forwarding
Using E-mail Via Port Forwarding
Using E-mail Via Web Access
Using E-mail Via E-mail Proxy
Using Smart Tunnel
Adding/Editing Localization Entry
Customizing the AnyConnect Client
Customizing AnyConnect by Importing Resource Files
Customizing Your Own AnyConnect GUI Text and Scripts
Importing your own GUI as a Binary Executable
Importing Scripts
Writing, Testing, and Deploying Scripts
Customizing AnyConnect GUI Text and Messages
Customizing the Installer Program Using Installer Transforms
Configuration Example for Transform
Localizing the Install Program using Installer Transforms
Importing/Exporting Language Localization
Configuring Bookmarks
Adding a Bookmark Entry
Importing/Exporting Bookmark List
Importing/Exporting GUI Customization Objects (Web Contents)
Adding/Editing Post Parameter
Using Variables 1 - 4
Using Variables 5 and 6
Using Variables 7 - 10
Example 1: Setting a Homepage
Configuration Example for Setting a Bookmark or URL Entry
Configuration Example for Configuring File Share (CIFS) URL Substitutions
Configuration Example for Customizing External Ports
E-Mail Proxy
Configuring E-Mail Proxy
AAA
POP3S Tab
IMAP4S Tab
SMTPS Tab
Access
Edit E-Mail Proxy Access
Authentication
Default Servers
Delimiters
Monitoring VPN
VPN Connection Graphs
IPsec Tunnels
Sessions
VPN Statistics
Sessions
Sessions Details
Cluster Loads
Crypto Statistics
Compression Statistics
Encryption Statistics
Global IKE/IPsec Statistics
NAC Session Summary
Protocol Statistics
VLAN Mapping Sessions
SSO Statistics for Clientless SSL VPN Session
VPN Connection Status for the Easy VPN Client
Configuring SSL Settings
SSL
Edit SSL Certificate
SSL Certificates
Configuring Logging
Information About Logging
Logging in Multiple Context Mode
Analyzing Syslog Messages
Syslog Message Format
Severity Levels
Message Classes and Range of Syslog IDs
Filtering Syslog Messages
Sorting in the Log Viewers
Using Custom Message Lists
Licensing Requirements for Logging
Prerequisites for Logging
Configuring Logging
Enabling Logging
Configuring an Output Destination
Sending Syslog Messages to an External Syslog Server
Configuring FTP Settings
Configuring Logging Flash Usage
Configuring Syslog Messaging
Editing Syslog ID Settings
Including a Device ID in Non-EMBLEM Formatted Syslog Messages
Sending Syslog Messages to the Internal Log Buffer
Sending Syslog Messages to an E-mail Address
Adding or Editing E-Mail Recipients
Configuring the Remote SMTP Server
Viewing Syslog Messages in ASDM
Applying Message Filters to a Logging Destination
Applying Logging Filters
Adding or Editing a Message Class and Severity Filter
Adding or Editing a Syslog Message ID Filter
Sending Syslog Messages to the Console Port
Sending Syslog Messages to a Telnet or SSH Session
Creating a Custom Event List
Generating Syslog Messages in EMBLEM Format to a Syslog Server
Adding or Editing Syslog Server Settings
Generating Syslog Messages in EMBLEM Format to Other Output Destinations
Changing the Amount of Internal Flash Memory Available for Logs
Configuring the Logging Queue
Sending All Syslog Messages in a Class to a Specified Output Destination
Enabling Secure Logging
Including the Device ID in Non-EMBLEM Format Syslog Messages
Including the Date and Time in Syslog Messages
Disabling a Syslog Message
Changing the Severity Level of a Syslog Message
Limiting the Rate of Syslog Message Generation
Assigning or Changing Rate Limits for Individual Syslog Messages
Adding or Editing the Rate Limit for a Syslog Message
Editing the Rate Limit for a Syslog Severity Level
Monitoring the Logs
Filtering Syslog Messages Through the Log Viewers
Editing Filtering Settings
Executing Certain Commands Using the Log Viewers
Feature History for Logging
Configuring NSEL
Information About NSEL
Using NSEL and Syslog Messages
Licensing Requirements for NSEL
Prerequisites for NSEL
Configuring NSEL
Using NetFlow
Matching NetFlow Events to Configured Collectors
Monitoring NSEL
Related Documents
Feature History for NSEL
Configuring SNMP
Information About SNMP
Information About SNMP Terminology
SNMP Version 3
SNMP Version 3 Overview
Security Models
SNMP Groups
SNMP Users
SNMP Hosts
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
Licensing Requirements for SNMP
Prerequisites for SNMP
Configuring SNMP
Enabling SNMP
Configuring an SNMP Management Station
Configuring SNMP Traps
Using SNMP Version 1 or 2c
Using SNMP Version 3
SNMP Syslog Messaging
SNMP Monitoring
RFCs for SNMP Version 3
MIBs
Application Services and Third-Party Tools
Feature History for SNMP
Configuring Anonymous Reporting and Smart Call Home
Information About Anonymous Reporting and Smart Call Home
Information About Anonymous Reporting
What is Sent to Cisco?
DNS Requirement
Anonymous Reporting and Smart Call Home Prompt
Information About Smart Call Home
Licensing Requirements for Anonymous Reporting and Smart Call Home
Prerequisites for Smart Call Home and Anonymous Reporting
Configuring Anonymous Reporting and Smart Call Home
Configuring Anonymous Reporting
Configuring Smart Call Home
Monitoring Smart Call Home
Feature History for Anonymous Reporting and Smart Call Home
Managing Software and Configurations
Saving the Running Configuration to a TFTP Server
Managing Files
Accessing the File Management Tool
Managing Mount Points
Adding or Editing a CIFS/FTP Mount Point
Accessing a CIFS Mount Point
Transferring Files
Transferring Files Between Local PC and Flash
Transferring Files Between Remote Server and Flash
Configuring Auto Update
Setting the Polling Schedule
Adding or Editing an Auto Update Server
Configuring the Boot Image/Configuration Settings
Adding a Boot Image
Upgrading Software from Your Local Computer
Upgrading Software from the Cisco.com Wizard
Scheduling a System Restart
Backing Up and Restoring Configurations, Images, and Profiles (Single Mode)
Backing Up Configurations
Backing Up the Local CA Server
Restoring Configurations
Downgrading Your Software
Information About Activation Key Compatibility
Performing the Downgrade
Troubleshooting
Testing Your Configuration
Pinging ASA Interfaces
Passing Traffic Through the ASA
Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping
Pinging From an ASA Interface
Pinging to an ASA Interface
Pinging Through the ASA Interface
Troubleshooting the Ping Tool
Using the Ping Tool
Determining Packet Routing with Traceroute
Tracing Packets with Packet Tracer
Handling TCP Packet Loss
Other Troubleshooting Tools
Configuring and Running Captures with the Packet Capture Wizard
Ingress Traffic Selector
Egress Traffic Selector
Buffers
Summary
Run Captures
Sending an Administrator's Alert to Clientless SSL VPN Users
Saving an Internal Log Buffer to Flash
Viewing and Copying Logged Entries with the ASDM Java Console
Monitoring Performance
Monitoring System Resources
Blocks
CPU
Memory
Monitoring Connections
Monitoring Per-Process CPU Usage
Common Problems
Additional Troubleshooting
APPENDIX A
Addresses, Protocols, and Ports
IPv4 Addresses and Subnet Masks
Classes
Private Networks
Subnet Masks
Determining the Subnet Mask
Determining the Address to Use with the Subnet Mask
Class C-Size Network Address
Class B-Size Network Address
IPv6 Addresses
IPv6 Address Format
IPv6 Address Types
Unicast Addresses
Global Address
Site-Local Address
Link-Local Address
IPv4-Compatible IPv6 Addresses
Unspecified Address
Multicast Address
Anycast Address
Required Addresses
IPv6 Address Prefixes
Protocols and Applications
TCP and UDP Ports
Local Ports and Protocols
ICMP Types
APPENDIX B
Configuring an External Server for Authorization and Authentication
Understanding Policy Enforcement of Permissions and Attributes
Configuring an External LDAP Server
Organizing the ASA for LDAP Operations
Searching the LDAP Hierarchy
Binding the ASA to the LDAP Server
Defining the ASA LDAP Configuration
Supported Cisco Attributes for LDAP Authorization
Cisco AV Pair Attribute Syntax
Cisco AV Pairs ACL Examples
URL Types Supported in ACLs
Guidelines for Using Cisco-AV Pairs (ACLs)
Active Directory/LDAP VPN Remote Access Authorization Examples
User-Based Attributes Policy Enforcement
Placing LDAP Users in a Specific Group Policy
Enforcing Static IP Address Assignment for AnyConnect Tunnels
Enforcing Dial-in Allow or Deny Access
Enforcing Logon Hours and Time-of-Day Rules
Configuring an External RADIUS Server
Reviewing the RADIUS Configuration Procedure
ASA RADIUS Authorization Attributes
ASA IETF RADIUS Authorization Attributes
RADIUS Accounting Disconnect Reason Codes
Configuring an External TACACS+ Server
GLOSSARY
Numerics
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
INDEX
Symbols
Numerics
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Z