Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Bypassing NAT When NAT Control is Enabled

6-10

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter6 Configuring NAT (ASA 8.2 and Earlier)

NAT Overview

For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP,

but these are all actually different servers on the real network, you can specify static PAT statements for

each server that uses the same mapped IP address, but different ports (see Figure6-8).

Figure6-8 Static PAT

You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For

example, if inside web servers use port 8080, you can allow outside users to connect to port 80, and then

undo translation to the original port 8080. Similarly, to provide extra security, you can tell web users to

connect to non-standard port 6785, and then undo translation to port 80.

Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If

you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts or you can

disable NAT control. You might want to bypass NAT, for example, if you are using an application that

does not support NAT. See the “When to Use Application Protocol Inspection” section on page10-2 for

information about inspection engines that do not support NAT.

You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility

with inspection engines. However, each method offers slightly different capabilities, as follows:

•Identity NAT—When you configure identity NAT (which is similar to dynamic NAT), you do not

limit translation for a host on specific interfaces; you must use identity NAT for connections through

all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when

you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on

Host

Outside

Inside

Undo Translation

10.1.2.27209.165.201.3:21

Undo Translation

10.1.2.28209.165.201.3:80

Undo Translation

10.1.2.29209.165.201.3:25

FTP server

10.1.2.27

HTTP server

10.1.2.28

SMTP server

10.1.2.29

130031

Contents

Main Cisco Systems, Inc. www.cisco.com Cisco ASA Series Firewall ASDM Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page About This Guide Document Objectives Related Documentation Conventions Obtaining Documentation and Submitting a Service Request Page Page Configuring a Service Policy Information About Service Policies Supported Features Feature Directionality Feature Matching Within a Service Policy Order in Which Multiple Feature Actions are Applied Incompatibility of Certain Feature Actions Licensing Requirements for Service Policies Feature Matching for Multiple Service Policies Page Default Configuration Default Traffic Classes Task Flows for Configuring Service Policies Task Flow for Configuring a Service Policy Rule Adding a Service Policy Rule for Through Traffic Page Page Page Page Adding a Service Policy Rule for Management Traffic Configuring a Service Policy Rule for Management Traffic Page Managing the Order of Service Policy Rules Page Feature History for Service Policies Page Configuring Special Actions for Application Inspections (Inspection Policy Map) Information About Inspection Policy Maps Default Inspection Policy Maps Defining Actions in an Inspection Policy Map Identifying Traffic in an Inspection Class Map Feature History for Inspection Policy Maps Page Page Information About NAT (ASA 8.3 and Later) Why Use NAT? NAT Terminology NAT Types NAT Types Overview Static NAT Information About Static NAT Information About Static NAT with Port Translation Information About Static NAT with Port Address Translation Static NAT with Identity Port Translation Static NAT with Port Translation for Non-Standard Ports Static Interface NAT with Port Translation Information About One-to-Many Static NAT Information About Other Mapping Scenarios (Not Recommended) Dynamic NAT Information About Dynamic NAT Dynamic NAT Disadvantages and Advantages Dynamic PAT Information About Dynamic PAT Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later) Dynamic PAT Disadvantages and Advantages Identity NAT NAT in Routed and Transparent Mode NAT in Routed Mode NAT in Transparent Mode Page NAT and IPv6 How NAT is Implemented Main Differences Between Network Object NAT and Twice NAT Information About Network Object NAT Information About Twice NAT Page Page Page NAT Rule Order NAT Interfaces Routing NAT Packets Mapped Addresses and Routing Page Transparent Mode Routing Requirements for Remote Networks Determining the Egress Interface NAT for VPN NAT and Remote Access VPN Page 3-27 See the following sample NAT configuration for the above network: NAT and Site-to-Site VPN 3-28 See the following sample NAT configuration for ASA1 (Boulder): 3-29 See the following sample NAT configuration for ASA2 (San Jose): NAT and VPN Management Access Page Troubleshooting NAT and VPN DNS and NAT Page 3-33 Page 3-35 Page Configuring Network Object NAT (ASA 8.3 and Later) Information About Network Object NAT Licensing Requirements for Network Object NAT Prerequisites for Network Object NAT Page Configuring Network Object NAT Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Page Page Page Configuring Dynamic PAT (Hide) Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Page Page Configuring Identity NAT Page Page Configuring Per-Session PAT Rules Defaults Monitoring Network Object NAT Configuration Examples for Network Object NAT Providing Access to an Inside Web Server (Static NAT) Page Page 4-24 Page Page Page Page 4-29 Page Page Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation) Page Page DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification) 4-36 Page 4-38 Page 4-40 Page Page Page Page Feature History for Network Object NAT Page Page Page Page Page Configuring Twice NAT (ASA 8.3 and Later) Information About Twice NAT Licensing Requirements for Twice NAT Prerequisites for Twice NAT Page Configuring Twice NAT Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Page Page Page Page Page Page Page Configuring Dynamic PAT (Hide) Page Page Page Page Page Configuring Static NAT or Static NAT-with-Port-Translation Page Page Page Page Page Configuring Identity NAT Page Page Page Page Configuring Per-Session PAT Rules Monitoring Twice NAT Configuration Examples for Twice NAT Different Translation Depending on the Destination (Dynamic PAT) 5-31 Page Page Page Page Page Page Page Different Translation Depending on the Destination Address and Port (Dynamic PAT) Page Page Page Page Page Page Page Page Feature History for Twice NAT Page Page Page Page Configuring NAT (ASA 8.2 and Earlier) NAT Overview Introduction to NAT NAT in Routed Mode NAT in Transparent Mode 6-4 NAT Control Page NAT Types Dynamic NAT 6-7 PAT Static NAT Static PAT Bypassing NAT When NAT Control is Enabled Policy NAT 6-12 NAT and Same Security Level Interfaces Order of NAT Rules Used to Match Real Addresses Mapped Address Guidelines DNS and NAT Page Configuring NAT Control Using Dynamic NAT Dynamic NAT Implementation Real Addresses and Global Pools Paired Using a Pool ID NAT Rules on Different Interfaces with the Same Global Pools Global Pools on Different Interfaces with the Same Pool ID Multiple NAT Rules with Different Global Pools on the Same Interface Multiple Addresses in the Same Global Pool Outside NAT Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces Managing Global Pools Configuring Dynamic NAT, PAT, or Identity NAT Page Configuring Dynamic Policy NAT or PAT Page Using Static NAT Configuring Static NAT, PAT, or Identity NAT Page Page Configuring Static Policy NAT, PAT, or Identity NAT Page Using NAT Exemption Page Page Page Configuring Access Rules Information About Access Rules General Information About Rules Implicit Permits Information About Interface Access Rules and Global Access Rules Using Access Rules and EtherType Rules on the Same Interface Rule Order Implicit Deny Using Remarks NAT and Access Rules Inbound and Outbound Rules Transactional-Commit Model Guidelines and Limitations Information About Access Rules Access Rules for Returning Traffic Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules Management Access Rules Information About EtherType Rules Supported EtherTypes and Other Traffic Access Rules for Returning Traffic Allowing MPLS Licensing Requirements for Access Rules Configuring Access Rules Adding an Access Rule Adding an EtherType Rule (Transparent Mode Only) Configuring Management Access Rules Advanced Access Rule Configuration Access Rule Explosion Configuring HTTP Redirect Edit HTTP/HTTPS Settings Configuring Transactional Commit Model Feature History for Access Rules Page Page Configuring AAA Rules for Network Access AAA Performance Licensing Requirements for AAA Rules Configuring Authentication for Network Access Information About Authentication One-Time Authentication Applications Required to Receive an Authentication Challenge ASA Authentication Prompts AAA Prompts and Identity Firewall AAA Rules as a Backup Authentication Method Static PAT and HTTP Configuring Network Access Authentication Enabling the Redirection Method of Authentication for HTTP and HTTPS Enabling Secure Authentication of Web Clients Authenticating Directly with the ASA Authenticating HTTP(S) Connections with a Virtual Server Authenticating Telnet Connections with a Virtual Server Configuring the Authentication Proxy Limit Configuring Authorization for Network Access Configuring TACACS+ Authorization Configuring RADIUS Authorization Configuring a RADIUS Server to Send Downloadable Access Control Lists About the Downloadable ACL Feature and Cisco Secure ACS Configuring Cisco Secure ACS for Downloadable ACLs Configuring Any RADIUS Server for Downloadable ACLs Converting Wildcard Netmask Expressions in Downloadable ACLs Configuring a RADIUS Server to Download Per-User Access Control List Names Configuring Accounting for Network Access Page Using MAC Addresses to Exempt Traffic from Authentication and Authorization Feature History for AAA Rules Configuring Public Servers Information About Public Servers Licensing Requirements for Public Servers Adding a Public Server that Enables Static NAT Adding a Public Server that Enables Static NAT with PAT Editing Settings for a Public Server Feature History for Public Servers Page Page Getting Started with Application Layer Protocol Inspection Information about Application Layer Protocol Inspection How Inspection Engines Work When to Use Application Protocol Inspection 3 4 Page Default Settings and NAT Limitations Page Page Configuring Application Layer Protocol Inspection Page Configuring Inspection of Basic Internet Protocols DNS Inspection Information About DNS Inspection General Information About DNS DNS Inspection Actions Default Settings for DNS Inspection (Optional) Configuring a DNS Inspection Policy Map and Class Map Detailed StepsProtocol Conformance Detailed StepsFiltering Detailed StepsMismatch Rate Detailed StepsInspections Page Page Page Page Page Page Page Page Page Configuring DNS Inspection FTP Inspection FTP Inspection Overview Using Strict FTP Select FTP Map FTP Class Map Add/Edit FTP Traffic Class Map Add/Edit FTP Match Criterion FTP Inspect Map File Type Filtering Add/Edit FTP Policy Map (Security Level) Add/Edit FTP Policy Map (Details) Add/Edit FTP Map Verifying and Monitoring FTP Inspection HTTP Inspection HTTP Inspection Overview Select HTTP Map HTTP Class Map Add/Edit HTTP Traffic Class Map Add/Edit HTTP Match Criterion Page Page Page HTTP Inspect Map URI Filtering Add/Edit HTTP Policy Map (Security Level) Add/Edit HTTP Policy Map (Details) Add/Edit HTTP Map Page Page Page ICMP Inspection ICMP Error Inspection Instant Messaging Inspection IM Inspection Overview Adding a Class Map for IM Inspection Select IM Map IP Options Inspection IP Options Inspection Overview Configuring IP Options Inspection Select IP Options Inspect Map IP Options Inspect Map Add/Edit IP Options Inspect Map IPsec Pass Through Inspection IPsec Pass Through Inspection Overview Select IPsec-Pass-Thru Map IPsec Pass Through Inspect Map Add/Edit IPsec Pass Thru Policy Map (Security Level) Add/Edit IPsec Pass Thru Policy Map (Details) IPv6 Inspection Information about IPv6 Inspection Default Settings for IPv6 Inspection (Optional) Configuring an IPv6 Inspection Policy Map Configuring IPv6 Inspection NetBIOS Inspection NetBIOS Inspection Overview Select NETBIOS Map NetBIOS Inspect Map Add/Edit NetBIOS Policy Map PPTP Inspection SMTP and Extended SMTP Inspection SMTP and ESMTP Inspection Overview Select ESMTP Map ESMTP Inspect Map MIME File Type Filtering Add/Edit ESMTP Policy Map (Security Level) Add/Edit ESMTP Policy Map (Details) Add/Edit ESMTP Inspect Page Page TFTP Inspection Page Page Configuring Inspection for Voice and Video Protocols CTIQBE Inspection CTIQBE Inspection Overview Limitations and Restrictions H.323 Inspection H.323 Inspection Overview How H.323 Works H.239 Support in H.245 Messages Limitations and Restrictions Select H.323 Map H.323 Class Map Add/Edit H.323 Traffic Class Map Add/Edit H.323 Match Criterion H.323 Inspect Map Phone Number Filtering Add/Edit H.323 Policy Map (Security Level) Add/Edit H.323 Policy Map (Details) Page Add/Edit HSI Group Add/Edit H.323 Map MGCP Inspection MGCP Inspection Overview Page Select MGCP Map MGCP Inspect Map Gateways and Call Agents Add/Edit MGCP Policy Map Add/Edit MGCP Group RTSP Inspection RTSP Inspection Overview Using RealPlayer Restrictions and Limitations Select RTSP Map RTSP Inspect Map Add/Edit RTSP Policy Map RTSP Class Map Add/Edit RTSP Traffic Class Map SIP Inspection SIP Inspection Overview SIP Instant Messaging Select SIP Map SIP Class Map Add/Edit SIP Traffic Class Map Add/Edit SIP Match Criterion Page SIP Inspect Map Add/Edit SIP Policy Map (Security Level) Add/Edit SIP Policy Map (Details) Page Add/Edit SIP Inspect Page Skinny (SCCP) Inspection SCCP Inspection Overview Supporting Cisco IP Phones Restrictions and Limitations Select SCCP (Skinny) Map SCCP (Skinny) Inspect Map Message ID Filtering Add/Edit SCCP (Skinny) Policy Map (Security Level) Add/Edit SCCP (Skinny) Policy Map (Details) Add/Edit Message ID Filter Configuring Inspection of Database and Directory Protocols ILS Inspection SQL*Net Inspection Sun RPC Inspection Sun RPC Inspection Overview SUNRPC Server Add/Edit SUNRPC Service Configuring Inspection for Management Application Protocols DCERPC Inspection DCERPC Overview Select DCERPC Map DCERPC Inspect Map Add/Edit DCERPC Policy Map GTP Inspection GTP Inspection Overview Select GTP Map GTP Inspect Map IMSI Prefix Filtering Add/Edit GTP Policy Map (Security Level) Add/Edit GTP Policy Map (Details) Add/Edit GTP Map RADIUS Accounting Inspection RADIUS Accounting Inspection Overview Select RADIUS Accounting Map Add RADIUS Accounting Policy Map RADIUS Inspect Map RADIUS Inspect Map Host RADIUS Inspect Map Other RSH Inspection SNMP Inspection SNMP Inspection Overview Select SNMP Map SNMP Inspect Map Add/Edit SNMP Map XDMCP Inspection Page Page Page Information About Cisco Unified Communications Proxy Features Information About the Adaptive Security Appliance in Cisco Unified Communications Page TLS Proxy Applications in Cisco Unified Communications Licensing for Cisco Unified Communications Proxy Features Page Page Using the Cisco Unified Communication Wizard Information about the Cisco Unified Communication Wizard Page Licensing Requirements for the Unified Communication Wizard Configuring the Phone Proxy by using the Unified Configuring the Private Network for the Phone Proxy Configuring Servers for the Phone Proxy Page Enabling Certificate Authority Proxy Function (CAPF) for IP Phones Configuring the Public IP Phone Network Configuring the Media Termination Address for Unified Communication Proxies Configuring the Mobility Advantage by using the Unified Configuring the Topology for the Cisco Mobility Advantage Proxy Configuring the Server-Side Certificates for the Cisco Mobility Advantage Configuring the Client-Side Certificates for the Cisco Mobility Advantage Proxy Configuring the Presence Federation Proxy by using the Unified Communication Wizard Configuring the Topology for the Cisco Presence Federation Proxy Configuring the Local-Side Certificates for the Cisco Presence Federation Configuring the Remote-Side Certificates for the Cisco Presence Federation Configuring the UC-IME by using the Unified Communication Wizard Configuring the Topology for the Cisco Intercompany Media Engine Proxy Configuring the Private Network Settings for the Cisco Intercompany Media Page Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy Configuring the Public Network Settings for the Cisco Intercompany Media Configuring the Local-Side Certificates for the Cisco Intercompany Media Configuring the Remote-Side Certificates for the Cisco Intercompany Media Working with Certificates in the Unified Communication Wizard Exporting an Identity Certificate Installing a Certificate Generating a Certificate Signing Request (CSR) for a Unified Communications Saving the Identity Certificate Request Installing the ASA Identity Certificate on the Mobility Advantage Server Page Page Configuring the Cisco Phone Proxy Information About the Cisco Phone Proxy Phone Proxy Functionality Page Supported Cisco UCM and IP Phones for the Phone Proxy Licensing Requirements for the Phone Proxy Page Prerequisites for the Phone Proxy Media Termination Instance Prerequisites Certificates from the Cisco UCM DNS Lookup Prerequisites Cisco Unified Communications Manager Prerequisites ACL Rules NAT and PAT Prerequisites Prerequisites for IP Phones on Multiple Interfaces 7960 and 7940 IP Phones Support Cisco IP Communicator Prerequisites Prerequisites for Rate Limiting TFTP Requests Rate Limiting Configuration Example End-User Phone Provisioning Ways to Deploy IP Phones to End Users Phone Proxy Guidelines and Limitations General Guidelines and Limitations Media Termination Address Guidelines and Limitations Configuring the Phone Proxy Task Flow for Configuring the Phone Proxy Creating the CTL File Adding or Editing a Record Entry in a CTL File Creating the Media Termination Instance Creating the Phone Proxy Instance Page Adding or Editing the TFTP Server for a Phone Proxy Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy Configuring Your Router Feature History for the Phone Proxy Configuring the T Inspection Information about the TLS Proxy for Encrypted Voice Inspection Decryption and Inspection of Unified Communications Encrypted Signaling Supported Cisco UCM and IP Phones for the TLS Proxy Licensing for the TLS Proxy Page Prerequisites for the TLS Proxy for Encrypted Voice Inspection Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider Add/Edit CTL Provider Configure TLS Proxy Pane Adding a TLS Proxy Instance Add TLS Proxy Instance Wizard Server Configuration Add TLS Proxy Instance Wizard Client Configuration Page Add TLS Proxy Instance Wizard Other Steps Edit TLS Proxy Instance Server Configuration Edit TLS Proxy Instance Client Configuration Page TLS Proxy Add/Edit TLS Proxy Feature History for the TLS Proxy for Encrypted Voice Inspection Page Configuring Cisco Mobility Advantage Information about the Cisco Mobility Advantage Proxy Feature Cisco Mobility Advantage Proxy Functionality Mobility Advantage Proxy Deployment Scenarios Page 19-4 Mobility Advantage Proxy Using NAT/PAT Trust Relationships for Cisco UMA Deployments DMZ Page Licensing for the Cisco Mobility Advantage Proxy Feature Configuring Cisco Mobility Advantage Task Flow for Configuring Cisco Mobility Advantage Feature History for Cisco Mobility Advantage Page Configuring Cisco Unified Presence Information About Cisco Unified Presence Architecture for Cisco Unified Presence for SIP Federation Deployments 20-2 Page Trust Relationship in the Presence Federation Security Certificate Exchange Between Cisco UP and the Security Appliance XMPP Federation Deployments Configuration Requirements for XMPP Federation Licensing for Cisco Unified Presence Configuring Cisco Unified Presence Proxy for SIP Federation Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation Feature History for Cisco Unified Presence Page Configuring Cisco Intercompany Media Engine Proxy Information About Cisco Intercompany Media Engine Proxy Features of Cisco Intercompany Media Engine Proxy How the UC-IME Works with the PSTN and the Internet Tickets and Passwords M Call Fallback to the PSTN Architecture and Deployment Scenarios for Cisco Intercompany Media Engine Architecture Basic Deployment Off Path Deployment M V V Internet M Licensing for Cisco Intercompany Media Engine V Page Page Configuring Cisco Intercompany Media Engine Proxy Task Flow for Configuring Cisco Intercompany Media Engine M M Configuring NAT for Cisco Intercompany Media Engine Proxy M M Configuring PAT for the Cisco UCM Server M Page Creating ACLs for Cisco Intercompany Media Engine Proxy Creating the Media Termination Instance Creating the Cisco Intercompany Media Engine Proxy Page Page Creating Trustpoints and Generating Certificates Page Page Creating the TLS Proxy Enabling SIP Inspection for the Cisco Intercompany Media Engine Proxy Page (Optional) Configuring TLS within the Local Enterprise Page Page (Optional) Configuring Off Path Signaling M Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane Page Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard Page Page Page Feature History for Cisco Intercompany Media Engine Proxy Page Page Page Configuring Connection Settings Information About Connection Settings TCP Intercept and Limiting Embryonic Connections Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility Dead Connection Detection (DCD) TCP Sequence Randomization TCP Normalization TCP State Bypass Licensing Requirements for Connection Settings TCP State Bypass Configuring Connection Settings Task Flow For Configuring Connection Settings Customizing the TCP Normalizer with a TCP Map Page Configuring Connection Settings Configuring Global Timeouts Page Feature History for Connection Settings Page Configuring QoS Information About QoS Supported QoS Features What is a Token Bucket? Information About Policing Information About Priority Queuing Information About Traffic Shaping How QoS Features Interact DSCP and DiffServ Preservation Licensing Requirements for QoS Configuring QoS Determining the Queue and TX Ring Limits for a Standard Priority Queue Configuring the Standard Priority Queue for an Interface Configuring a Service Rule for Standard Priority Queuing and Policing Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing Monitoring QoS Viewing QoS Police Statistics Viewing QoS Standard Priority Statistics Viewing QoS Shaping Statistics Viewing QoS Standard Priority Queue Statistics Feature History for QoS Troubleshooting Connections and Resources Testing Your Configuration Pinging ASA Interfaces 24-2 If the ping reaches the ASA, and it responds, debugging messages similar to the following appear: ? ASA Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping Information About Ping ASA Appliance Pinging From an ASA Interface Pinging to an ASA Interface Pinging Through the ASA Interface Troubleshooting the Ping Tool Using the Ping Tool Determining Packet Routing with Traceroute Tracing Packets with Packet Tracer Monitoring Performance Monitoring System Resources Blocks CPU Memory Monitoring Connections Monitoring Per-Process CPU Usage Page Page Configuring the ASA for Cisco Cloud Web Security Information About Cisco Cloud Web Security Redirection of Web Traffic to Cloud Web Security User Authentication and Cloud Web Security Authentication Keys Company Authentication Key Group Authentication Key ScanCenter Policy Directory Groups Custom Groups How Groups and the Authentication Key Interoperate Cloud Web Security Actions Bypassing Scanning with Whitelists Licensing Requirements for Cisco Cloud Web Security IPv4 and IPv6 Support Failover from Primary to Backup Proxy Server Prerequisites for Cloud Web Security Configuring Cisco Cloud Web Security Configuring Communication with the Cloud Web Security Proxy Server Page (Multiple Context Mode) Allowing Cloud Web Security Per Security Context Configuring a Service Policy to Send Traffic to Cloud Web Security Page Page Page Page Page Page Page Page Page Page Page Page (Optional) Configuring Whitelisted Traffic Page (Optional) Configuring the User Identity Monitor Configuring the Cloud Web Security Policy Monitoring Cloud Web Security Related Documents Feature History for Cisco Cloud Web Security Page Configuring the Botnet Traffic Filter Information About the Botnet Traffic Filter Botnet Traffic Filter Address Types Botnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Databases Information About the Dynamic Database How the ASA Uses the Dynamic Database Information About the Static Database Information About the DNS Reverse Lookup Cache and DNS Host Cache 26-5 How the Botnet Traffic Filter Works Figure 26-2 shows how the Botnet Traffic Filter works with the static database. Licensing Requirements for the Botnet Traffic Filter Prerequisites for the Botnet Traffic Filter Configuring the Botnet Traffic Filter Task Flow for Configuring the Botnet Traffic Filter Configuring the Dynamic Database Adding Entries to the Static Database Enabling DNS Snooping Default DNS Inspection Configuration and Recommended Configuration Enabling Traffic Classification and Actions for the Botnet Traffic Filter Recommended Configuration Blocking Botnet Traffic Manually Searching the Dynamic Database Monitoring the Botnet Traffic Filter Botnet Traffic Filter Syslog Messaging Botnet Traffic Filter Monitor Panes Feature History for the Botnet Traffic Filter Configuring Threat Detection Information About Threat Detection Licensing Requirements for Threat Detection Configuring Basic Threat Detection Statistics Information About Basic Threat Detection Statistics Page Configuring Basic Threat Detection Statistics Monitoring Basic Threat Detection Statistics Feature History for Basic Threat Detection Statistics Configuring Advanced Threat Detection Statistics Information About Advanced Threat Detection Statistics Configuring Advanced Threat Detection Statistics Monitoring Advanced Threat Detection Statistics Feature History for Advanced Threat Detection Statistics Configuring Scanning Threat Detection Information About Scanning Threat Detection Configuring Scanning Threat Detection Feature History for Scanning Threat Detection Page Using Protection Tools Preventing IP Spoofing Configuring the Fragment Size Show Fragment Configuring TCP Options TCP Reset Settings Configuring IP Audit for Basic IPS Support IP Audit Policy Add/Edit IP Audit Policy Configuration IP Audit Signatures IP Audit Signature List Page Page Page Page Page Page Configuring Filtering Services Information About Web Traffic Filtering Filtering URLs and FTP Requests with an External Server Information About URL Filtering Licensing Requirements for URL Filtering Guidelines and Limitations for URL Filtering Identifying the Filtering Server Configuring Additional URL Filtering Settings Buffering the Content Server Response Caching Server Addresses Filtering HTTP URLs Enabling Filtering of Long HTTP URLs Configuring Filtering Rules Page Page Page Page Filtering the Rule Table Defining Queries Feature History for URL Filtering Page Page Configuring the ASA CX Module Information About the ASA CX Module How the ASA CX Module Works with the ASA Monitor-Only Mode Service Policy in Monitor-Only Mode Traffic-Forwarding Interface in Monitor-Only Mode Information About ASA CX Management Initial Configuration Policy Configuration and Management Information About Authentication Proxy Information About VPN and the ASA CX Module Compatibility with ASA Features Licensing Requirements for the ASA CX Module Prerequisites Page Configuring the ASA CX Module Task Flow for the ASA CX Module Connecting the ASA CX Management Interface ASA 5585-X (Hardware Module) SSP ASA 5585-X ASA Management 0/0 Page ASA 5512-X through ASA 5555-X (Software Module) ASA 5545-X ASA CX Management 0/0 ASA Management 0/0 (ASA 5512-X through ASA 5555-X; May Be Required) Installing the Software Module Page (ASA 5585-X) Changing the ASA CX Management IP Address Page Configuring Basic ASA CX Settings at the ASA CX CLI Configuring the Security Policy on the ASA CX Module Using PRSM (Optional) Configuring the Authentication Proxy Port Redirecting Traffic to the ASA CX Module Creating the ASA CX Service Policy Page Page Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode) Managing the ASA CX Module Resetting the Password Reloading or Resetting the Module Shutting Down the Module (ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image (ASA 5512-X through ASA 5555-X) Sessioning to the Module From the ASA Monitoring the ASA CX Module Showing Module Status Showing Module Statistics Monitoring Module Connections Page 30-30 30-31 The following is sample output from the show asp event dp-cp cxsc-msg command: The following is sample output from the show conn detail command: Capturing Module Traffic Troubleshooting the ASA CX Module Problems with the Authentication Proxy Feature History for the ASA CX Module Page Configuring the ASA IPS Module Information About the ASA IPS Module How the ASA IPS Module Works with the ASA Operating Modes Using Virtual Sensors (ASA 5510 and Higher) Information About Management Access Licensing Requirements for the ASA IPS module Page Configuring the ASA IPS module Task Flow for the ASA IPS Module 31-8 Cisco ASA Series Firewall ASDM Configuration Guide Management PC Connecting the ASA IPS Management Interface SSP ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Hardware Module) The IPS module includes a separate management interface from the ASA. If you have an inside router ASA 5512-X through ASA 5555-X (Software Module) ASA 5545-X IPS Management 0/0 ASA Management 0/0 ASA 5505 Ports 1 7 VLAN 1 Default ASA IP: 192.168.1.1/IPS IP: 192.168.1.2 Default IPS Gateway: 192.168.1.1 (ASA) ASA 5505 Management PC (IP Address from DHCP) Sessioning to the Module from the ASA (May Be Required) (ASA 5512-X through ASA 5555-X) Booting the Software Module Configuring Basic IPS Module Network Settings (ASA 5510 and Higher) Configuring Basic Network Settings Detailed StepsSingle Mode Detailed StepsMultiple Mode Using the CLI (ASA 5505) Configuring Basic Network Settings Configuring the Security Policy on the ASA IPS Module Page Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher) Diverting Traffic to the ASA IPS module Managing the ASA IPS module Installing and Booting an Image on the Module Page Shutting Down the Module Uninstalling a Software Module Image Resetting the Password Reloading or Resetting the Module Monitoring the ASA IPS module Feature History for the ASA IPS module Page Configuring the ASA CSC Module Information About the CSC SSM Page Determining What Traffic to Scan Page Licensing Requirements for the CSC SSM Prerequisites for the CSC SSM Page Configuring the CSC SSM Before Configuring the CSC SSM Connecting to the CSC SSM Determining Service Policy Rule Actions for CSC Scanning CSC SSM Setup Wizard Activation/License IP Configuration Host/Notification Settings Management Access Host/Networks Password Restoring the Default Password Wizard Setup CSC Setup Wizard Activation Codes Configuration CSC Setup Wizard IP Configuration CSC Setup Wizard Host Configuration CSC Setup Wizard Management Access Configuration CSC Setup Wizard Password Configuration CSC Setup Wizard Traffic Selection for CSC Scan Specifying Traffic for CSC Scanning CSC Setup Wizard Summary Using the CSC SSM GUI Web Mail SMTP Tab POP3 Tab File Transfer Updates Monitoring the CSC SSM Threats Live Security Events Live Security Events Log Software Updates Resource Graphs CSC CPU CSC Memory Troubleshooting the CSC Module Installing an Image on the Module Resetting the Password Reloading or Resetting the Module Shutting Down the Module Additional References Feature History for the CSC SSM Page INDEX A B C D E F G H L M N O P Q R S T U V W