Cisco Systems, Inc. www.cisco.com
Cisco ASA Series Firewall ASDM Configuration Guide
CONTENTS
About This Guide
Document Objectives
Related Documentation
Conventions
Obtaining Documentation and Submitting a Service Request
Configuring a Service Policy
Information About Service Policies
Supported Features
Feature Directionality
Feature Matching Within a Service Policy
Order in Which Multiple Feature Actions are Applied
Incompatibility of Certain Feature Actions
Licensing Requirements for Service Policies
Feature Matching for Multiple Service Policies
Default Configuration
Default Traffic Classes
Task Flows for Configuring Service Policies
Task Flow for Configuring a Service Policy Rule
Adding a Service Policy Rule for Through Traffic
Adding a Service Policy Rule for Management Traffic
Configuring a Service Policy Rule for Management Traffic
Managing the Order of Service Policy Rules
Feature History for Service Policies
Configuring Special Actions for Application Inspections (Inspection Policy Map)
Information About Inspection Policy Maps
Default Inspection Policy Maps
Defining Actions in an Inspection Policy Map
Identifying Traffic in an Inspection Class Map
Feature History for Inspection Policy Maps
Information About NAT (ASA 8.3 and Later)
Why Use NAT?
NAT Terminology
NAT Types
NAT Types Overview
Static NAT
Information About Static NAT
Information About Static NAT with Port Translation
Information About Static NAT with Port Address Translation
Static NAT with Identity Port Translation
Static NAT with Port Translation for Non-Standard Ports
Static Interface NAT with Port Translation
Information About One-to-Many Static NAT
Information About Other Mapping Scenarios (Not Recommended)
Dynamic NAT
Information About Dynamic NAT
Dynamic NAT Disadvantages and Advantages
Dynamic PAT
Information About Dynamic PAT
Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later)
Dynamic PAT Disadvantages and Advantages
Identity NAT
NAT in Routed and Transparent Mode
NAT in Routed Mode
NAT in Transparent Mode
NAT and IPv6
How NAT is Implemented
Main Differences Between Network Object NAT and Twice NAT
Information About Network Object NAT
Information About Twice NAT
NAT Rule Order
NAT Interfaces
Routing NAT Packets
Mapped Addresses and Routing
Page
Transparent Mode Routing Requirements for Remote Networks
Determining the Egress Interface
NAT for VPN
NAT and Remote Access VPN
NAT and Site-to-Site VPN
NAT and VPN Management Access
Troubleshooting NAT and VPN
DNS and NAT
Configuring Network Object NAT (ASA 8.3 and Later)
Information About Network Object NAT
Licensing Requirements for Network Object NAT
Prerequisites for Network Object NAT
Configuring Network Object NAT
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Configuring Per-Session PAT Rules
Defaults
Monitoring Network Object NAT
Configuration Examples for Network Object NAT
Providing Access to an Inside Web Server (Static NAT)
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
Feature History for Network Object NAT
Configuring Twice NAT (ASA 8.3 and Later)
Information About Twice NAT
Licensing Requirements for Twice NAT
Prerequisites for Twice NAT
Configuring Twice NAT
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool
Configuring Dynamic PAT (Hide)
Configuring Static NAT or Static NAT-with-Port-Translation
Configuring Identity NAT
Configuring Per-Session PAT Rules
Monitoring Twice NAT
Configuration Examples for Twice NAT
Different Translation Depending on the Destination (Dynamic PAT)
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Feature History for Twice NAT
Configuring NAT (ASA 8.2 and Earlier)
NAT Overview
Introduction to NAT
NAT in Routed Mode
NAT in Transparent Mode
NAT Control
NAT Types
Dynamic NAT
PAT
Static NAT
Static PAT
Bypassing NAT When NAT Control is Enabled
Policy NAT
NAT and Same Security Level Interfaces
Order of NAT Rules Used to Match Real Addresses
Mapped Address Guidelines
DNS and NAT
Configuring NAT Control
Using Dynamic NAT
Dynamic NAT Implementation
Real Addresses and Global Pools Paired Using a Pool ID
NAT Rules on Different Interfaces with the Same Global Pools
Global Pools on Different Interfaces with the Same Pool ID
Multiple NAT Rules with Different Global Pools on the Same Interface
Multiple Addresses in the Same Global Pool
Outside NAT
Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces
Managing Global Pools
Configuring Dynamic NAT, PAT, or Identity NAT
Configuring Dynamic Policy NAT or PAT
Using Static NAT
Configuring Static NAT, PAT, or Identity NAT
Configuring Static Policy NAT, PAT, or Identity NAT
Using NAT Exemption
Configuring Access Rules
Information About Access Rules
General Information About Rules
Implicit Permits
Information About Interface Access Rules and Global Access Rules
Using Access Rules and EtherType Rules on the Same Interface
Rule Order
Implicit Deny
Using Remarks
NAT and Access Rules
Inbound and Outbound Rules
Transactional-Commit Model
Guidelines and Limitations
Information About Access Rules
Access Rules for Returning Traffic
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
Management Access Rules
Information About EtherType Rules
Supported EtherTypes and Other Traffic
Access Rules for Returning Traffic
Allowing MPLS
Licensing Requirements for Access Rules
Configuring Access Rules
Adding an Access Rule
Adding an EtherType Rule (Transparent Mode Only)
Configuring Management Access Rules
Advanced Access Rule Configuration
Access Rule Explosion
Configuring HTTP Redirect
Edit HTTP/HTTPS Settings
Configuring Transactional Commit Model
Feature History for Access Rules
Configuring AAA Rules for Network Access
AAA Performance
Licensing Requirements for AAA Rules
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
Applications Required to Receive an Authentication Challenge
ASA Authentication Prompts
AAA Prompts and Identity Firewall
AAA Rules as a Backup Authentication Method
Static PAT and HTTP
Configuring Network Access Authentication
Enabling the Redirection Method of Authentication for HTTP and HTTPS
Enabling Secure Authentication of Web Clients
Authenticating Directly with the ASA
Authenticating HTTP(S) Connections with a Virtual Server
Authenticating Telnet Connections with a Virtual Server
Configuring the Authentication Proxy Limit
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send Downloadable Access Control Lists
About the Downloadable ACL Feature and Cisco Secure ACS
Configuring Cisco Secure ACS for Downloadable ACLs
Configuring Any RADIUS Server for Downloadable ACLs
Converting Wildcard Netmask Expressions in Downloadable ACLs
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Feature History for AAA Rules
Configuring Public Servers
Information About Public Servers
Licensing Requirements for Public Servers
Adding a Public Server that Enables Static NAT
Adding a Public Server that Enables Static NAT with PAT
Editing Settings for a Public Server
Feature History for Public Servers
Getting Started with Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection
How Inspection Engines Work
When to Use Application Protocol Inspection
Default Settings and NAT Limitations
Configuring Application Layer Protocol Inspection
Configuring Inspection of Basic Internet Protocols
DNS Inspection
Information About DNS Inspection
General Information About DNS
DNS Inspection Actions
Default Settings for DNS Inspection
(Optional) Configuring a DNS Inspection Policy Map and Class Map
Detailed Steps: Protocol Conformance
Detailed Steps: Filtering
Detailed Steps: Mismatch Rate
Detailed Steps: Inspections
Configuring DNS Inspection
FTP Inspection
FTP Inspection Overview
Using Strict FTP
Select FTP Map
FTP Class Map
Add/Edit FTP Traffic Class Map
Add/Edit FTP Match Criterion
FTP Inspect Map
File Type Filtering
Add/Edit FTP Policy Map (Security Level)
Add/Edit FTP Policy Map (Details)
Add/Edit FTP Map
Verifying and Monitoring FTP Inspection
HTTP Inspection
HTTP Inspection Overview
Select HTTP Map
HTTP Class Map
Add/Edit HTTP Traffic Class Map
Add/Edit HTTP Match Criterion
HTTP Inspect Map
URI Filtering
Add/Edit HTTP Policy Map (Security Level)
Add/Edit HTTP Policy Map (Details)
Add/Edit HTTP Map
ICMP Inspection
ICMP Error Inspection
Instant Messaging Inspection
IM Inspection Overview
Adding a Class Map for IM Inspection
Select IM Map
IP Options Inspection
IP Options Inspection Overview
Configuring IP Options Inspection
Select IP Options Inspect Map
IP Options Inspect Map
Add/Edit IP Options Inspect Map
IPsec Pass Through Inspection
IPsec Pass Through Inspection Overview
Select IPsec-Pass-Thru Map
IPsec Pass Through Inspect Map
Add/Edit IPsec Pass Thru Policy Map (Security Level)
Add/Edit IPsec Pass Thru Policy Map (Details)
IPv6 Inspection
Information about IPv6 Inspection
Default Settings for IPv6 Inspection
(Optional) Configuring an IPv6 Inspection Policy Map
Configuring IPv6 Inspection
NetBIOS Inspection
NetBIOS Inspection Overview
Select NETBIOS Map
NetBIOS Inspect Map
Add/Edit NetBIOS Policy Map
PPTP Inspection
SMTP and Extended SMTP Inspection
SMTP and ESMTP Inspection Overview
Select ESMTP Map
ESMTP Inspect Map
MIME File Type Filtering
Add/Edit ESMTP Policy Map (Security Level)
Add/Edit ESMTP Policy Map (Details)
Add/Edit ESMTP Inspect
TFTP Inspection
Configuring Inspection for Voice and Video Protocols
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
H.323 Inspection
H.323 Inspection Overview
How H.323 Works
H.239 Support in H.245 Messages
Limitations and Restrictions
Select H.323 Map
H.323 Class Map
Add/Edit H.323 Traffic Class Map
Add/Edit H.323 Match Criterion
H.323 Inspect Map
Phone Number Filtering
Add/Edit H.323 Policy Map (Security Level)
Add/Edit H.323 Policy Map (Details)
Add/Edit HSI Group
Add/Edit H.323 Map
MGCP Inspection
MGCP Inspection Overview
Select MGCP Map
MGCP Inspect Map
Gateways and Call Agents
Add/Edit MGCP Policy Map
Add/Edit MGCP Group
RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
Select RTSP Map
RTSP Inspect Map
Add/Edit RTSP Policy Map
RTSP Class Map
Add/Edit RTSP Traffic Class Map
SIP Inspection
SIP Inspection Overview
SIP Instant Messaging
Select SIP Map
SIP Class Map
Add/Edit SIP Traffic Class Map
Add/Edit SIP Match Criterion
SIP Inspect Map
Add/Edit SIP Policy Map (Security Level)
Add/Edit SIP Policy Map (Details)
Add/Edit SIP Inspect
Skinny (SCCP) Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Restrictions and Limitations
Select SCCP (Skinny) Map
SCCP (Skinny) Inspect Map
Message ID Filtering
Add/Edit SCCP (Skinny) Policy Map (Security Level)
Add/Edit SCCP (Skinny) Policy Map (Details)
Add/Edit Message ID Filter
Configuring Inspection of Database and Directory Protocols
ILS Inspection
SQL*Net Inspection
Sun RPC Inspection
Sun RPC Inspection Overview
SUNRPC Server
Add/Edit SUNRPC Service
Configuring Inspection for Management Application Protocols
DCERPC Inspection
DCERPC Overview
Select DCERPC Map
DCERPC Inspect Map
Add/Edit DCERPC Policy Map
GTP Inspection
GTP Inspection Overview
Select GTP Map
GTP Inspect Map
IMSI Prefix Filtering
Add/Edit GTP Policy Map (Security Level)
Add/Edit GTP Policy Map (Details)
Add/Edit GTP Map
RADIUS Accounting Inspection
RADIUS Accounting Inspection Overview
Select RADIUS Accounting Map
Add RADIUS Accounting Policy Map
RADIUS Inspect Map
RADIUS Inspect Map Host
RADIUS Inspect Map Other
RSH Inspection
SNMP Inspection
SNMP Inspection Overview
Select SNMP Map
SNMP Inspect Map
Add/Edit SNMP Map
XDMCP Inspection
Information About Cisco Unified Communications Proxy Features
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy Applications in Cisco Unified Communications
Licensing for Cisco Unified Communications Proxy Features
Using the Cisco Unified Communication Wizard
Information about the Cisco Unified Communication Wizard
Licensing Requirements for the Unified Communication Wizard
Configuring the Phone Proxy by using the Unified
Configuring the Private Network for the Phone Proxy
Configuring Servers for the Phone Proxy
Enabling Certificate Authority Proxy Function (CAPF) for IP Phones
Configuring the Public IP Phone Network
Configuring the Media Termination Address for Unified Communication Proxies
Configuring the Mobility Advantage by using the Unified
Configuring the Topology for the Cisco Mobility Advantage Proxy
Configuring the Server-Side Certificates for the Cisco Mobility Advantage
Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy
Configuring the Presence Federation Proxy by using the Unified Communication Wizard
Configuring the Topology for the Cisco Presence Federation Proxy
Configuring the Local-Side Certificates for the Cisco Presence Federation
Configuring the Remote-Side Certificates for the Cisco Presence Federation
Configuring the UC-IME by using the Unified Communication Wizard
Configuring the Topology for the Cisco Intercompany Media Engine Proxy
Configuring the Private Network Settings for the Cisco Intercompany Media
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy
Configuring the Public Network Settings for the Cisco Intercompany Media
Configuring the Local-Side Certificates for the Cisco Intercompany Media
Configuring the Remote-Side Certificates for the Cisco Intercompany Media
Working with Certificates in the Unified Communication Wizard
Exporting an Identity Certificate
Installing a Certificate
Generating a Certificate Signing Request (CSR) for a Unified Communications
Saving the Identity Certificate Request
Installing the ASA Identity Certificate on the Mobility Advantage Server
Configuring the Cisco Phone Proxy
Information About the Cisco Phone Proxy
Phone Proxy Functionality
Supported Cisco UCM and IP Phones for the Phone Proxy
Licensing Requirements for the Phone Proxy
Prerequisites for the Phone Proxy
Media Termination Instance Prerequisites
Certificates from the Cisco UCM
DNS Lookup Prerequisites
Cisco Unified Communications Manager Prerequisites
ACL Rules
NAT and PAT Prerequisites
Prerequisites for IP Phones on Multiple Interfaces
7960 and 7940 IP Phones Support
Cisco IP Communicator Prerequisites
Prerequisites for Rate Limiting TFTP Requests
Rate Limiting Configuration Example
End-User Phone Provisioning
Ways to Deploy IP Phones to End Users
Phone Proxy Guidelines and Limitations
General Guidelines and Limitations
Media Termination Address Guidelines and Limitations
Configuring the Phone Proxy
Task Flow for Configuring the Phone Proxy
Creating the CTL File
Adding or Editing a Record Entry in a CTL File
Creating the Media Termination Instance
Creating the Phone Proxy Instance
Adding or Editing the TFTP Server for a Phone Proxy
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
Configuring Your Router
Feature History for the Phone Proxy
Configuring the TLS Proxy for Encrypted Voice Inspection
Information about the TLS Proxy for Encrypted Voice Inspection
Decryption and Inspection of Unified Communications Encrypted Signaling
Supported Cisco UCM and IP Phones for the TLS Proxy
Licensing for the TLS Proxy
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
Add/Edit CTL Provider
Configure TLS Proxy Pane
Adding a TLS Proxy Instance
Add TLS Proxy Instance Wizard Server Configuration
Add TLS Proxy Instance Wizard Client Configuration
Add TLS Proxy Instance Wizard Other Steps
Edit TLS Proxy Instance Server Configuration
Edit TLS Proxy Instance Client Configuration
TLS Proxy
Add/Edit TLS Proxy
Feature History for the TLS Proxy for Encrypted Voice Inspection
Configuring Cisco Mobility Advantage
Information about the Cisco Mobility Advantage Proxy Feature
Cisco Mobility Advantage Proxy Functionality
Mobility Advantage Proxy Deployment Scenarios
Mobility Advantage Proxy Using NAT/PAT
Trust Relationships for Cisco UMA Deployments
Licensing for the Cisco Mobility Advantage Proxy Feature
Configuring Cisco Mobility Advantage
Task Flow for Configuring Cisco Mobility Advantage
Feature History for Cisco Mobility Advantage
Configuring Cisco Unified Presence
Information About Cisco Unified Presence
Architecture for Cisco Unified Presence for SIP Federation Deployments
Trust Relationship in the Presence Federation
Security Certificate Exchange Between Cisco UP and the Security Appliance
XMPP Federation Deployments
Configuration Requirements for XMPP Federation
Licensing for Cisco Unified Presence
Configuring Cisco Unified Presence Proxy for SIP Federation
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
Feature History for Cisco Unified Presence
Configuring Cisco Intercompany Media Engine Proxy
Information About Cisco Intercompany Media Engine Proxy
Features of Cisco Intercompany Media Engine Proxy
How the UC-IME Works with the PSTN and the Internet
Tickets and Passwords
Call Fallback to the PSTN
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine
Architecture
Basic Deployment
Off Path Deployment
Licensing for Cisco Intercompany Media Engine
Configuring Cisco Intercompany Media Engine Proxy
Task Flow for Configuring Cisco Intercompany Media Engine
Configuring NAT for Cisco Intercompany Media Engine Proxy
Configuring PAT for the Cisco UCM Server
Creating ACLs for Cisco Intercompany Media Engine Proxy
Creating the Media Termination Instance
Creating the Cisco Intercompany Media Engine Proxy
Creating Trustpoints and Generating Certificates
Creating the TLS Proxy
Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy
(Optional) Configuring TLS within the Local Enterprise
(Optional) Configuring Off Path Signaling
Configuring the Cisco UC-IME Proxy by using the UC-IME Proxy Pane
Configuring the Cisco UC-IME Proxy by using the Unified Communications Wizard
Feature History for Cisco Intercompany Media Engine Proxy
Configuring Connection Settings
Information About Connection Settings
TCP Intercept and Limiting Embryonic Connections
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
Dead Connection Detection (DCD)
TCP Sequence Randomization
TCP Normalization
TCP State Bypass
Licensing Requirements for Connection Settings
TCP State Bypass
Configuring Connection Settings
Task Flow For Configuring Connection Settings
Customizing the TCP Normalizer with a TCP Map
Configuring Connection Settings
Configuring Global Timeouts
Feature History for Connection Settings
Configuring QoS
Information About QoS
Supported QoS Features
What is a Token Bucket?
Information About Policing
Information About Priority Queuing
Information About Traffic Shaping
How QoS Features Interact
DSCP and DiffServ Preservation
Licensing Requirements for QoS
Configuring QoS
Determining the Queue and TX Ring Limits for a Standard Priority Queue
Configuring the Standard Priority Queue for an Interface
Configuring a Service Rule for Standard Priority Queuing and Policing
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
Monitoring QoS
Viewing QoS Police Statistics
Viewing QoS Standard Priority Statistics
Viewing QoS Shaping Statistics
Viewing QoS Standard Priority Queue Statistics
Feature History for QoS
Troubleshooting Connections and Resources
Testing Your Configuration
Pinging ASA Interfaces
Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping
Information About Ping
Pinging From an ASA Interface
Pinging to an ASA Interface
Pinging Through the ASA Interface
Troubleshooting the Ping Tool
Using the Ping Tool
Determining Packet Routing with Traceroute
Tracing Packets with Packet Tracer
Monitoring Performance
Monitoring System Resources
Blocks
CPU
Memory
Monitoring Connections
Monitoring Per-Process CPU Usage
Configuring the ASA for Cisco Cloud Web Security
Information About Cisco Cloud Web Security
Redirection of Web Traffic to Cloud Web Security
User Authentication and Cloud Web Security
Authentication Keys
Company Authentication Key
Group Authentication Key
ScanCenter Policy
Directory Groups
Custom Groups
How Groups and the Authentication Key Interoperate
Cloud Web Security Actions
Bypassing Scanning with Whitelists
Licensing Requirements for Cisco Cloud Web Security
IPv4 and IPv6 Support
Failover from Primary to Backup Proxy Server
Prerequisites for Cloud Web Security
Configuring Cisco Cloud Web Security
Configuring Communication with the Cloud Web Security Proxy Server
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context
Configuring a Service Policy to Send Traffic to Cloud Web Security
(Optional) Configuring Whitelisted Traffic
(Optional) Configuring the User Identity Monitor
Configuring the Cloud Web Security Policy
Monitoring Cloud Web Security
Related Documents
Feature History for Cisco Cloud Web Security
Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Types
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Databases
Information About the Dynamic Database
How the ASA Uses the Dynamic Database
Information About the Static Database
Information About the DNS Reverse Lookup Cache and DNS Host Cache
How the Botnet Traffic Filter Works
Figure 26-2 shows how the Botnet Traffic Filter works with the static database.
Licensing Requirements for the Botnet Traffic Filter
Prerequisites for the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling DNS Snooping
Default DNS Inspection Configuration and Recommended Configuration
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Recommended Configuration
Blocking Botnet Traffic Manually
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Monitor Panes
Feature History for the Botnet Traffic Filter
Configuring Threat Detection
Information About Threat Detection
Licensing Requirements for Threat Detection
Configuring Basic Threat Detection Statistics
Information About Basic Threat Detection Statistics
Configuring Basic Threat Detection Statistics
Monitoring Basic Threat Detection Statistics
Feature History for Basic Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Information About Advanced Threat Detection Statistics
Configuring Advanced Threat Detection Statistics
Monitoring Advanced Threat Detection Statistics
Feature History for Advanced Threat Detection Statistics
Configuring Scanning Threat Detection
Information About Scanning Threat Detection
Configuring Scanning Threat Detection
Feature History for Scanning Threat Detection
Using Protection Tools
Preventing IP Spoofing
Configuring the Fragment Size
Show Fragment
Configuring TCP Options
TCP Reset Settings
Configuring IP Audit for Basic IPS Support
IP Audit Policy
Add/Edit IP Audit Policy Configuration
IP Audit Signatures
IP Audit Signature List
Configuring Filtering Services
Information About Web Traffic Filtering
Filtering URLs and FTP Requests with an External Server
Information About URL Filtering
Licensing Requirements for URL Filtering
Guidelines and Limitations for URL Filtering
Identifying the Filtering Server
Configuring Additional URL Filtering Settings
Buffering the Content Server Response
Caching Server Addresses
Filtering HTTP URLs
Enabling Filtering of Long HTTP URLs
Configuring Filtering Rules
Filtering the Rule Table
Defining Queries
Feature History for URL Filtering
Configuring the ASA CX Module
Information About the ASA CX Module
How the ASA CX Module Works with the ASA
Monitor-Only Mode
Service Policy in Monitor-Only Mode
Traffic-Forwarding Interface in Monitor-Only Mode
Information About ASA CX Management
Initial Configuration
Policy Configuration and Management
Information About Authentication Proxy
Information About VPN and the ASA CX Module
Compatibility with ASA Features
Licensing Requirements for the ASA CX Module
Prerequisites
Configuring the ASA CX Module
Task Flow for the ASA CX Module
Connecting the ASA CX Management Interface
ASA 5585-X (Hardware Module)
ASA 5512-X through ASA 5555-X (Software Module)
(ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module
(ASA 5585-X) Changing the ASA CX Management IP Address
Configuring Basic ASA CX Settings at the ASA CX CLI
Configuring the Security Policy on the ASA CX Module Using PRSM
(Optional) Configuring the Authentication Proxy Port
Redirecting Traffic to the ASA CX Module
Creating the ASA CX Service Policy
Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode)
Managing the ASA CX Module
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image
(ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA
Monitoring the ASA CX Module
Showing Module Status
Showing Module Statistics
Monitoring Module Connections
Capturing Module Traffic
Troubleshooting the ASA CX Module
Problems with the Authentication Proxy
Feature History for the ASA CX Module
Configuring the ASA IPS Module
Information About the ASA IPS Module
How the ASA IPS Module Works with the ASA
Operating Modes
Using Virtual Sensors (ASA 5510 and Higher)
Information About Management Access
Licensing Requirements for the ASA IPS module
Configuring the ASA IPS module
Task Flow for the ASA IPS Module
Connecting the ASA IPS Management Interface
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module)
ASA 5512-X through ASA 5555-X (Software Module)
(Figure: ASA 5512-X through ASA 5555-X software module; IPS Management 0/0 and ASA Management 0/0 interfaces)
(Figure: ASA 5505, ports 1-7 in VLAN 1; default ASA IP 192.168.1.1, IPS IP 192.168.1.2, default IPS gateway 192.168.1.1 (the ASA); management PC gets its IP address from DHCP)
Sessioning to the Module from the ASA (May Be Required)
(ASA 5512-X through ASA 5555-X) Booting the Software Module
Configuring Basic IPS Module Network Settings
(ASA 5510 and Higher) Configuring Basic Network Settings
Detailed StepsSingle Mode
Detailed StepsMultiple Mode Using the CLI
(ASA 5505) Configuring Basic Network Settings
Configuring the Security Policy on the ASA IPS Module
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
Diverting Traffic to the ASA IPS module
Managing the ASA IPS module
Installing and Booting an Image on the Module
Shutting Down the Module
Uninstalling a Software Module Image
Resetting the Password
Reloading or Resetting the Module
Monitoring the ASA IPS module
Feature History for the ASA IPS module
Configuring the ASA CSC Module
Information About the CSC SSM
Determining What Traffic to Scan
Licensing Requirements for the CSC SSM
Prerequisites for the CSC SSM
Configuring the CSC SSM
Before Configuring the CSC SSM
Connecting to the CSC SSM
Determining Service Policy Rule Actions for CSC Scanning
CSC SSM Setup Wizard
Activation/License
IP Configuration
Host/Notification Settings
Management Access Host/Networks
Password
Restoring the Default Password
Wizard Setup
CSC Setup Wizard Activation Codes Configuration
CSC Setup Wizard IP Configuration
CSC Setup Wizard Host Configuration
CSC Setup Wizard Management Access Configuration
CSC Setup Wizard Password Configuration
CSC Setup Wizard Traffic Selection for CSC Scan
Specifying Traffic for CSC Scanning
CSC Setup Wizard Summary
Using the CSC SSM GUI
Web
Mail
SMTP Tab
POP3 Tab
File Transfer
Updates
Monitoring the CSC SSM
Threats
Live Security Events
Live Security Events Log
Software Updates
Resource Graphs
CSC CPU
CSC Memory
Troubleshooting the CSC Module
Installing an Image on the Module
Resetting the Password
Reloading or Resetting the Module
Shutting Down the Module
Additional References
Feature History for the CSC SSM
INDEX