24-2 | Cisco Systems ASA 5580, ASA 5505, ASA 5545-X, ASA 5555-X

Chapter 24 Troubleshooting Connections and Resources

Testing Your Configuration

The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA. (See Figure 24-1.)

Figure 24-1

Network Diagram with Interfaces, Routers, and Hosts

Host

Host

Host

Host

10.1.1.56

209.265.200.230

10.1.3.6

209.165.201.24

Router

Router

Router

Router

outside

dmz1

dmz3

outside

192.1

209.165.201.1

192.1

68.1.

security0

68.3.

security0

Transp. ASA

Routed ASA

10.1.0.3

dmz2

inside

dmz4

inside

192.168.2.1

192.168.4.1

192.168.0.1

security100

security40

security80

security100

Router

Router

Router

Router

10.1.2.90

10.1.0.34

10.1.4.67

	Host	Host	Host
				Host

10.1.1.5	330857

Step 2 Ping each ASA interface from the directly connected routers. For transparent mode, ping the management IP address. This test ensures that the ASA interfaces are active and that the interface configuration is correct.

A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch between the ASA and a router is down (see Figure 24-2). In this case, no debugging messages or syslog messages appear, because the packet never reaches the ASA.

Figure 24-2 Ping Failure at the ASA Interface

Ping

			Router
Host			Router
Host

?

ASA

330858

If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:

ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2

ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist (see Figure 24-3).

Cisco ASA Series Firewall ASDM Configuration Guide

24-2

Image 556

Cisco Systems ASA 5580, ASA 5505, ASA 5545-X, ASA 5555-X manual 24-2, Network Diagram with Interfaces, Routers, and Hosts

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.

Contents

Cisco ASA Series Firewall Asdm Configuration Guide Software Version Cisco ASA Series Firewall Asdm Configuration Guide N T E N T S NAT for VPN Guidelines and Limitations Default Settings NAT and Same Security Level Interfaces Configuring Access Rules Getting Started with Application Layer Protocol Inspection Select IM Map Add/Edit H.323 Match Criterion SIP Class Map Select Radius Accounting Map Cisco Unified Communications Manager Prerequisites ACL Rules Configuring the TLS Proxy for Encrypted Voice Inspection Creating the TLS Proxy TCP Intercept and Limiting Embryonic Connections Blocks Monitoring Cloud Web Security Related Documents IP Audit Policy Licensing Requirements for the ASA CX Module Operating Modes Management Access Host/Networks Document Objectives About This GuideRelated Documentation Convention Indication ConventionsBold font Configuring Service Policies Page Information About Service Policies Configuring a Service PolicySupported Features Feature Directionality Feature Traffic? SeeFor Through Accounting only Feature Feature Matching Within a Service PolicyGlobal Direction Order in Which Multiple Feature Actions are Applied ASA IPS ASA CX Incompatibility of Certain Feature Actions Licensing Requirements for Service PoliciesFeature Matching for Multiple Service Policies Guidelines and Limitations Default Settings Default Configuration Task Flows for Configuring Service Policies Adding a Service Policy Rule for Through TrafficDefault Traffic Classes Task Flow for Configuring a Service Policy Rule Cisco ASA Series Firewall Asdm Configuration Guide Click Next Click Match or Do Not Match Cisco ASA Series Firewall Asdm Configuration Guide Adding a Service Policy Rule for Management Traffic Configuring a Service Policy Rule for Management Traffic Click Match or Do Not Match Managing the Order of Service Policy Rules Moving an ACE Feature History for Service Policies Feature Name Releases Feature InformationIntroduced class-map type management, and inspect Radius-accountingPage Information About Inspection Policy Maps Default Inspection Policy Maps Choose Configuration Firewall Objects Inspect Maps Choose Configuration Firewall Objects Class MapsDefining Actions in an Inspection Policy Map Identifying Traffic in an Inspection Class Map Where to Go Next Feature History for Inspection Policy Maps Configuring Network Address Translation Page Why Use NAT? Information About NAT ASA 8.3 and Later NAT Terminology NAT Types NAT Types OverviewStatic NAT Information About Static NAT Information About Static NAT with Port Translation Information About Static NAT with Port Address Translation Static NAT with Identity Port Translation Information About One-to-Many Static NAT Static Interface NAT with Port Translation Information About Other Mapping Scenarios Not Recommended Dynamic NAT 6shows a typical few-to-many static NAT scenario Information About Dynamic NAT 209.165.201.10 Dynamic NAT Disadvantages and Advantages Dynamic PATInformation About Dynamic PAT Per-Session PAT vs. Multi-Session PAT Version 9.01 and Later Dynamic PAT Disadvantages and Advantages NAT in Routed and Transparent Mode Identity NAT NAT in Routed Mode NAT in Transparent Mode 13 NAT Example Transparent Mode How NAT is Implemented NAT and IPv6Main Differences Between Network Object NAT and Twice NAT Information About Network Object NAT Information About Twice NAT 14 Twice NAT with Different Destination Addresses 15 Twice NAT with Different Destination Ports 16 Twice Static NAT with Destination Address Translation NAT Rule Order Rule Type Order of Rules within the Section NAT Interfaces 10.1.2.0 Routing NAT Packets Mapped Addresses and Routing 18 Proxy ARP Problems with Identity NAT Transparent Mode Routing Requirements for Remote Networks Determining the Egress Interface NAT and Remote Access VPN NAT for VPN Src 203.0.113.16070 4. Http request to NAT and Site-to-Site VPN Dst See the following sample NAT configuration for ASA1 Boulder NAT and VPN Management Access Subnet 10.2.2.0 25 VPN Management Access Troubleshooting NAT and VPN DNS and NATEnter show nat detail and show conn all Repeat show nat detail and show conn all 26 DNS Reply Modification, DNS Server on Outside 192.168.1.10 28 DNS Reply Modification, DNS Server on Host Network 2001DB8D1A5C8E1 30 PTR Modification, DNS Server on Host Network Configuring Network Object NAT ASA 8.3 and Later Information About Network Object NAT Licensing Requirements for Network Object NAT Prerequisites for Network Object NAT Additional Guidelines Configuring Network Object NAT Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Detailed Steps Check the Add Automatic Translation Rules check box Configuring Network Object NAT ASA 8.3 and Later Configuring Dynamic PAT Hide Configuring Network Object NAT ASA 8.3 and Later Check the Add Automatic Translation Rules check box Configuring Static NAT or Static NAT-with-Port-Translation Add NAT to a new or existing network object Configuring Network Object NAT ASA 8.3 and Later Check the Add Automatic Translation Rules check box Configuring Network Object NAT ASA 8.3 and Later Configuring Identity NAT From the Type drop-down list, choose Static Configuring Network Object NAT ASA 8.3 and Later Configuring Per-Session PAT Rules Defaults Monitoring Network Object NAT Fields Configuration Examples for Network Object NAT Providing Access to an Inside Web Server Static NAT Static NAT for an Inside Web Server Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Dynamic NAT for Inside, Static NAT for Outside Web Server Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Static NAT with One-to-Many for an Inside Load Balancer Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Static NAT-with-Port-Translation Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Create a network object for the FTP server address Cisco ASA Series Firewall Asdm Configuration Guide DNS Reply Modification Using Outside NAT Cisco ASA Series Firewall Asdm Configuration Guide 2001DB8D1A5C8E1 IPv6 Net DNS Reply Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Platform Feature Name Releases Feature Information Feature History for Network Object NATNo-proxy-arp and route-lookup keywords, to maintain This feature is not available in 8.51 or Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Page Configuring Twice NAT ASA 8.3 and Later Information About Twice NAT Licensing Requirements for Twice NAT Prerequisites for Twice NAT IPv6 Guidelines Configuring Twice NAT Choose Configuration Firewall NAT Rules, and then click Add Configuring Twice NAT ASA 8.3 and Later Source Destination Source Destination Configuring Twice NAT ASA 8.3 and Later Configuring Twice NAT ASA 8.3 and Later Click OK To configure dynamic PAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later Source Destination Configuring Twice NAT ASA 8.3 and Later Source Destination Configuring Twice NAT ASA 8.3 and Later To configure static NAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later Source Destination Source Destination Configuring Twice NAT ASA 8.3 and Later Configuring Twice NAT ASA 8.3 and Later To configure identity NAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later 10.1.2.2 Source Destination Configuring Twice NAT ASA 8.3 and Later Monitoring Twice NAT Configuration Examples for Twice NAT Twice NAT with Different Destination Addresses Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Click Apply Twice NAT with Different Destination Ports Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Click Apply Feature History for Twice NAT This feature is not available in 8.51 or Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Page NAT Overview Configuring NAT ASA 8.2 and EarlierIntroduction to NAT NAT Example Routed Mode NAT in Transparent Mode NAT Control 209.165.201.1 NAT Control and Same Security Traffic NAT Types Dynamic NAT Remote Host Attempts to Connect to the Real Address PAT Static NAT Static PAT Bypassing NAT When NAT Control is Enabled Policy NAT Policy NAT with Different Destination Addresses NAT and Same Security Level Interfaces 11 Policy Static NAT with Destination Address Translation Mapped Address Guidelines Order of NAT Rules Used to Match Real AddressesDNS and NAT 12 DNS Reply Modification Configuring NAT Control 13 DNS Reply Modification Using Outside NAT Using Dynamic NAT Dynamic NAT Implementation Real Addresses and Global Pools Paired Using a Pool ID Global Pools on Different Interfaces with the Same Pool ID Global 1 Multiple Addresses in the Same Global Pool 16 Different NAT IDs Outside NAT 17 NAT and PAT Together Managing Global Pools 18 Outside NAT and Inside NAT Combined Configuring Dynamic NAT, PAT, or Identity NAT 19 Dynamic NAT Scenarios Configuring NAT ASA 8.2 and Earlier Using Dynamic NAT Configuring Dynamic Policy NAT or PAT 20 Dynamic Policy NAT Scenarios Configuring NAT ASA 8.2 and Earlier Using Dynamic NAT Using Static NAT Configuring Static NAT, PAT, or Identity NAT Inside Use IP Address Use Interface IP Address Click OK Configuring Static Policy NAT, PAT, or Identity NAT 22 Static Policy NAT Scenarios Use IP Address Using NAT Exemption Click Action Exempt Click Action Do not exempt Configuring Access Control Page Configuring Access Rules Information About Access Rules General Information About Rules Implicit Permits Using Remarks NAT and Access RulesRule Order Implicit Deny Transactional-Commit Model Outbound ACL Access Rules for Returning Traffic Information About Access RulesAdditional Guidelines and Limitations Management Access Rules Information About EtherType RulesSupported EtherTypes and Other Traffic Traffic Type Protocol or Port Default Settings Licensing Requirements for Access RulesAllowing Mpls Adding an Access Rule Configuring Access RulesChoose Configuration Firewall Access Rules Adding an EtherType Rule Transparent Mode Only Configuring Management Access Rules Advanced Access Rule Configuration Prerequisites Access Rule Explosion Configuring Http RedirectCheck the Enable Object Group Search Algorithm check box Edit HTTP/HTTPS Settings Configuring Transactional Commit Model Feature History for Access Rules Platform Feature Name Releases Feature Information Page AAA Performance Configuring AAA Rules for Network AccessLicensing Requirements for AAA Rules Configuring Authentication for Network Access Information About Authentication One-Time Authentication ASA Authentication Prompts Deployment Supporting Cut-through Proxy Authentication AAA Prompts and Identity Firewall AAA Rules as a Backup Authentication Method Static PAT and Http Configuring Network Access Authentication Authenticate Do not Authenticate Click OK Enabling Secure Authentication of Web Clients Authenticating Directly with the ASA Authenticating Https Connections with a Virtual Server Authenticating Telnet Connections with a Virtual Server Configuring the Authentication Proxy Limit Choose Configuration Firewall AAA Rules, then click Advanced Configuring TACACS+ Authorization Configuring Authorization for Network AccessAuthorize Do not Authorize Configuring Radius Authorization About the Downloadable ACL Feature and Cisco Secure ACS Configuring Cisco Secure ACS for Downloadable ACLs Configuring Any Radius Server for Downloadable ACLs Configuring Accounting for Network Access Account Do not Account MAC Exempt No MAC Exempt Feature History for AAA Rules Information About Public Servers Configuring Public ServersLicensing Requirements for Public Servers Adding a Public Server that Enables Static NAT Adding a Public Server that Enables Static NAT with PAT Editing Settings for a Public Server Feature History for Public Servers Configuring Application Inspection Page How Inspection Engines Work Getting Started with Application Layer Protocol Inspection10-1 When to Use Application Protocol Inspection 10-2 Failover Guidelines 10-3 323 H.225 Default Settings and NAT Limitations10-4 NetBIOS Name IP OptionsServer over IP 10-5 Smtp SQL*NetSun RPC over 10-6 Choose Configuration Firewall Service Policy Rules Configuring Application Layer Protocol Inspection10-7 10-8 DNS Inspection Configuring Inspection of Basic Internet Protocols11-1 Default Settings for DNS Inspection Information About DNS InspectionGeneral Information About DNS DNS Inspection Actions Choose Configuration Firewall Objects Inspect Maps DNS 11-3 Detailed Steps-Protocol Conformance 11-4 Detailed Steps-Filtering 11-5 Detailed Steps-Inspections 11-6 11-7 11-8 11-9 Header Flag 11-10 Class DNS Type Field Value11-11 11-12 Resource Record 11-13 Domain Name 11-14 11-15 Click Configure Configuring DNS Inspection11-16 Using Strict FTP FTP InspectionFTP Inspection Overview 11-17 Select FTP Map 11-18 Configuration Global Objects Class Maps FTP FTP Class MapAdd/Edit FTP Traffic Class Map 11-19 Add/Edit FTP Match Criterion 11-20 FTP Inspect Map Configuration Global Objects Inspect Maps FTP11-21 Add/Edit FTP Policy Map Security Level File Type Filtering11-22 Add/Edit FTP Policy Map Details 11-23 Add/Edit FTP Map 11-24 Verifying and Monitoring FTP Inspection 11-25 Http Inspection Http Inspection OverviewSelect Http Map 11-26 Configuration Global Objects Class Maps Http Http Class MapAdd/Edit Http Traffic Class Map 11-27 Add/Edit Http Match Criterion 11-28 11-29 11-30 11-31 Http Inspect Map Configuration Global Objects Inspect Maps Http11-32 Add/Edit Http Policy Map Security Level URI Filtering11-33 Add/Edit Http Policy Map Details 11-34 Add/Edit Http Map 11-35 11-36 11-37 11-38 Icmp Error Inspection Icmp InspectionInstant Messaging Inspection 11-39 Adding a Class Map for IM Inspection IM Inspection Overview11-40 IP Options Inspection Select IM MapIP Options Inspection Overview 11-41 Configuring IP Options Inspection 11-42 Select IP Options Inspect Map 11-43 Add/Edit IP Options Inspect Map IP Options Inspect Map11-44 IPsec Pass Through Inspection Overview IPsec Pass Through Inspection11-45 IPsec Pass Through Inspect Map Select IPsec-Pass-Thru Map11-46 Add/Edit IPsec Pass Thru Policy Map Details Add/Edit IPsec Pass Thru Policy Map Security Level11-47 Default Settings for IPv6 Inspection Optional Configuring an IPv6 Inspection Policy MapIPv6 Inspection Information about IPv6 Inspection Configuring IPv6 Inspection 11-49 NetBIOS Inspection NetBIOS Inspection OverviewSelect Netbios Map 11-50 NetBIOS Inspect Map Add/Edit NetBIOS Policy MapConfiguration Global Objects Inspect Maps NetBIOS Pptp Inspection Smtp and Esmtp Inspection Overview Smtp and Extended Smtp Inspection11-52 Select Esmtp Map 11-53 Esmtp Inspect Map Configuration Global Objects Inspect Maps Esmtp11-54 Add/Edit Esmtp Policy Map Security Level Mime File Type Filtering11-55 Add/Edit Esmtp Policy Map Details 11-56 Add/Edit Esmtp Inspect 11-57 11-58 11-59 Tftp Inspection 11-60 11-61 11-62 Configuring Inspection for Voice and Video Protocols Ctiqbe InspectionCtiqbe Inspection Overview 12-1 Limitations and Restrictions Inspection12-2 How H.323 Works Inspection Overview12-3 Support in H.245 Messages 12-4 Configuration Global Objects Class Maps H.323 Select H.323 MapClass Map 12-5 Add/Edit H.323 Match Criterion Add/Edit H.323 Traffic Class Map12-6 Inspect Map Configuration Global Objects Inspect Maps H.32312-7 Add/Edit H.323 Policy Map Security Level Phone Number Filtering12-8 Add/Edit H.323 Policy Map Details 12-9 12-10 Add/Edit H.323 Map Add/Edit HSI Group12-11 Mgcp Inspection Overview Mgcp Inspection12-12 Using NAT with Mgcp 12-13 Configuration Global Objects Inspect Maps Mgcp Select Mgcp MapMgcp Inspect Map 12-14 Add/Edit Mgcp Policy Map Gateways and Call Agents12-15 Add/Edit Mgcp Group Rtsp Inspection12-16 Rtsp Inspection Overview Using RealPlayer12-17 Configuration Global Objects Inspect Maps Radius Restrictions and LimitationsSelect Rtsp Map Rtsp Inspect Map Configuration Firewall Objects Class Maps Rtsp Add/Edit Rtsp Policy MapRtsp Class Map 12-19 Add/Edit Rtsp Traffic Class Map SIP Inspection12-20 SIP Inspection Overview 12-21 Select SIP Map SIP Instant Messaging12-22 SIP Class Map Configuration Global Objects Class Maps SIP12-23 Add/Edit SIP Match Criterion Add/Edit SIP Traffic Class Map12-24 12-25 SIP Inspect Map Configuration Global Objects Inspect Maps SIP12-26 Add/Edit SIP Policy Map Security Level 12-27 Add/Edit SIP Policy Map Details 12-28 12-29 Add/Edit SIP Inspect 12-30 12-31 Sccp Inspection Overview Skinny Sccp Inspection12-32 Supporting Cisco IP Phones 12-33 Configuration Global Objects Inspect Maps Sccp Skinny Select Sccp Skinny MapSccp Skinny Inspect Map 12-34 Message ID Filtering 12-35 Add/Edit Sccp Skinny Policy Map Security Level 12-36 Add/Edit Sccp Skinny Policy Map Details 12-37 Add/Edit Message ID Filter 12-38 ILS Inspection Configuring Inspection of Database Directory Protocols13-1 SQL*Net Inspection 13-2 Configuration Properties Sunrpc Server Sun RPC InspectionSun RPC Inspection Overview Sunrpc Server Add/Edit Sunrpc Service 13-4 Configuring Inspection for Management Application Protocols Dcerpc InspectionDcerpc Overview 14-1 Configuration Global Objects Inspect Maps Dcerpc Select Dcerpc MapDcerpc Inspect Map 14-2 Add/Edit Dcerpc Policy Map 14-3 GTP Inspection 14-4 Select GTP Map GTP Inspection Overview14-5 GTP Inspect Map Configuration Global Objects Inspect Maps GTP14-6 Add/Edit GTP Policy Map Security Level Imsi Prefix Filtering14-7 Add/Edit GTP Policy Map Details 14-8 Add/Edit GTP Map 14-9 Radius Accounting Inspection 14-10 Radius Accounting Inspection Overview Select Radius Accounting MapAdd Radius Accounting Policy Map 14-11 Radius Inspect Map Host Radius Inspect Map14-12 RSH Inspection Snmp InspectionRadius Inspect Map Other 14-13 Snmp Inspection Overview Select Snmp MapSnmp Inspect Map Add/Edit Snmp Map Xdmcp Inspection 14-15 14-16 Configuring Unified Communications Page 15-1 15-2 TLS Proxy Applications in Cisco Unified Communications 15-3 Model License Requirement1 15-4 15-5 15-6 Using the Cisco Unified Communication Wizard 16-1 16-2 Licensing Requirements for the Unified Communication Wizard 16-3 16-4 Configuring the Private Network for the Phone Proxy 16-5 Click the Generate and Export LDC Certificate button Configuring Servers for the Phone Proxy16-6 Address Default Port Description 16-7 16-8 Configuring the Public IP Phone Network 16-9 16-10 16-11 16-12 16-13 16-14 Certificate, 16-15 16-16 16-17 Off-path Deployment Basic Deployment16-18 16-19 16-20 16-21 16-22 Exporting an Identity Certificate Installing a Certificate16-23 Click Install Certificate 16-24 Saving the Identity Certificate Request 16-25 16-26 16-27 16-28 Configuring the Cisco Phone Proxy Information About the Cisco Phone ProxyPhone Proxy Functionality 17-1 17-2 TCP/RTP TLS/SRTP Supported Cisco UCM and IP Phones for the Phone Proxy Cisco Unified Communications ManagerCisco Unified IP Phones 17-3 Licensing Requirements for the Phone Proxy 17-4 17-5 Media Termination Instance Prerequisites Prerequisites for the Phone Proxy17-6 Certificates from the Cisco UCM DNS Lookup PrerequisitesCisco Unified Communications Manager Prerequisites ACL Rules NAT and PAT Prerequisites Address Port Protocol DescriptionNAT Prerequisites PAT Prerequisites 7940 IP Phones Support Prerequisites for IP Phones on Multiple Interfaces17-9 Prerequisites for Rate Limiting Tftp Requests Cisco IP Communicator Prerequisites17-10 Rate Limiting Configuration Example End-User Phone ProvisioningWays to Deploy IP Phones to End Users 17-11 General Guidelines and Limitations Phone Proxy Guidelines and Limitations17-12 Media Termination Address Guidelines and Limitations 17-13 Task Flow for Configuring the Phone Proxy Configuring the Phone Proxy17-14 Creating the CTL File 17-15 Adding or Editing a Record Entry in a CTL File 17-16 Creating the Media Termination Instance 17-17 Creating the Phone Proxy Instance 17-18 17-19 Adding or Editing the Tftp Server for a Phone Proxy 17-20 Linksys Routers Configuring Your Router17-21 Feature History for the Phone Proxy Application Start End Protocol IP Address EnabledChecked 17-22 18-1 18-2 TLS Proxy Flow Cisco IP Phone Cisco ASA Supported Cisco UCM and IP Phones for the TLS Proxy 18-3 Licensing for the TLS Proxy 18-4 18-5 CTL Provider 18-6 Add/Edit CTL Provider 18-7 Configure TLS Proxy Pane 18-8 Adding a TLS Proxy Instance Add TLS Proxy Instance Wizard Server Configuration18-9 Add TLS Proxy Instance Wizard Client Configuration 18-10 18-11 Add TLS Proxy Instance Wizard Other Steps 18-12 Edit TLS Proxy Instance Server Configuration 18-13 Edit TLS Proxy Instance Client Configuration 18-14 18-15 Add/Edit TLS Proxy TLS Proxy18-16 18-17 18-18 Cisco Mobility Advantage Proxy Functionality Configuring Cisco Mobility Advantage19-1 Mobility Advantage Proxy Deployment Scenarios 19-2 19-3 MMP/SSL/TLS Trust Relationships for Cisco UMA Deployments Mobility Advantage Proxy Using NAT/PAT19-4 19-5 Configuring Cisco Mobility Advantage 19-6 Task Flow for Configuring Cisco Mobility Advantage Feature History for Cisco Mobility Advantage19-7 19-8 Information About Cisco Unified Presence Configuring Cisco Unified Presence20-1 20-2 Typical Cisco Unified Presence/LCS Federation Scenario 20-3 SIP/TLS Trust Relationship in the Presence Federation 20-4 Xmpp Federation Deployments 20-5 Configuration Requirements for Xmpp Federation 20-6 Licensing for Cisco Unified Presence 20-7 Configuring Cisco Unified Presence Proxy for SIP Federation 20-8 Feature History for Cisco Unified Presence 20-9 20-10 Features of Cisco Intercompany Media Engine Proxy Configuring Cisco Intercompany Media Engine Proxy21-1 How the UC-IME Works with the Pstn and the Internet 21-2 Tickets and Passwords 21-3 21-4 Architecture Call Fallback to the Pstn21-5 Basic Deployment 21-6 Off Path Deployment 21-7 Licensing for Cisco Intercompany Media Engine 21-8 21-9 21-10 Task Flow for Configuring Cisco Intercompany Media Engine Configuring Cisco Intercompany Media Engine Proxy21-11 Configuring NAT for Cisco Intercompany Media Engine Proxy 21-12 Command Purpose 21-13 Configuring PAT for the Cisco UCM Server Command PurposeWhat to Do Next 21-14 Address of Cisco UCM that you want to translate 21-15 Creating ACLs for Cisco Intercompany Media Engine Proxy 21-16 Guidelines Procedure21-17 Creating the Cisco Intercompany Media Engine Proxy 21-18 See Creating the Media Termination Instance 21-19 Show running-config uc-ime command 21-20 Creating Trustpoints and Generating Certificates 21-21 Prerequisites for Installing Certificates 21-22 Certified 21-23 Creating the TLS Proxy 21-24 21-25 ACLs for Cisco Intercompany Media Engine Proxy 21-26 Optional Configuring TLS within the Local Enterprise 21-27 Commands Purpose 21-28 Where proxytrustpoint for the client trust-point Where proxytrustpoint for the server trust-point21-29 Optional Configuring Off Path Signaling 21-30 Engine Proxy, 21-31 21-32 21-33 Show uc-ime signaling-sessions 21-34 Show uc-ime media-sessions detail Show uc-ime signaling-sessions statistics21-35 Show uc-ime mapping-service-sessions Show uc-ime mapping-service-sessions statisticsShow uc-ime fallback-notification statistics 21-36 Feature History for Cisco Intercompany Media Engine Proxy 21-37 21-38 Configuring Connection Settings and QoS Page Information About Connection Settings Configuring Connection Settings22-1 Dead Connection Detection DCD TCP Intercept and Limiting Embryonic Connections22-2 TCP Sequence Randomization TCP NormalizationTCP State Bypass 22-3 Licensing Requirements for Connection Settings 22-4 TCP State Bypass Unsupported Features Maximum Concurrent and Embryonic Connection GuidelinesTCP State Bypass 22-5 Configuring Connection Settings Task Flow For Configuring Connection SettingsCustomizing the TCP Normalizer with a TCP Map 22-6 22-7 Configuring Connection Settings 22-8 Configuring Global Timeouts 22-9 22-10 Feature History for Connection Settings Introduced set connection advanced-optionsTcp-state-bypass 22-11 22-12 Information About QoS Configuring QoS23-1 What is a Token Bucket? Supported QoS Features23-2 Information About Priority Queuing Information About Policing23-3 Information About Traffic Shaping How QoS Features Interact23-4 Licensing Requirements for QoS Dscp and DiffServ PreservationModel Guidelines 23-5 Configuring QoS 23-6 125 23-7 Configuring the Standard Priority Queue for an Interface 23-8 Click Enable priority for this flow 23-9 23-10 Click Enforce priority to selected shape traffic Monitoring QoS23-11 Viewing QoS Standard Priority Statistics Viewing QoS Police Statistics23-12 Viewing QoS Standard Priority Queue Statistics Viewing QoS Shaping Statistics23-13 Feature History for QoS 23-14 Troubleshooting Connections and Resources Testing Your ConfigurationPinging ASA Interfaces 24-1 Network Diagram with Interfaces, Routers, and Hosts 24-2 Information About Ping 24-3 Troubleshooting the Ping Tool Pinging From an ASA InterfacePinging to an ASA Interface Pinging Through the ASA Interface Using the Ping Tool 24-5 Determining Packet Routing with Traceroute Output Symbol Description24-6 Tracing Packets with Packet Tracer 24-7 Monitoring Performance 24-8 Blocks Monitoring System Resources24-9 Memory 24-10 Monitoring Connections 24-11 Monitoring Per-Process CPU Usage 24-12 Configuring Advanced Network Protection Page Configuring the ASA for Cisco Cloud Web Security 25-1 User Authentication and Cloud Web Security Information About Cisco Cloud Web SecurityRedirection of Web Traffic to Cloud Web Security 25-2 Company Authentication Key Group Authentication Key Authentication Keys25-3 ScanCenter Policy Directory GroupsCustom Groups 25-4 Cloud Web Security Actions How Groups and the Authentication Key Interoperate25-5 Failover from Primary to Backup Proxy Server Licensing Requirements for Cisco Cloud Web SecurityBypassing Scanning with Whitelists IPv4 and IPv6 Support Optional User Authentication Prerequisites Prerequisites for Cloud Web SecurityOptional Fully Qualified Domain Name Prerequisites 25-7 Configuring Cisco Cloud Web Security 25-8 Choose Configuration Device Management Cloud Web Security 25-9 25-10 25-11 25-12 25-13 25-14 25-15 25-16 Examples 25-17 25-18 Check Cloud Web Security and click Configure 25-19 25-20 Tcp/http 25-21 25-22 Optional Configuring Whitelisted Traffic 25-23 25-24 Optional Configuring the User Identity Monitor 25-25 Monitoring Cloud Web Security Configuring the Cloud Web Security Policy25-26 Feature History for Cisco Cloud Web Security Related DocumentsRelated Documents 25-27 25-28 Information About the Botnet Traffic Filter Configuring the Botnet Traffic Filter26-1 Botnet Traffic Filter Address Types Botnet Traffic Filter Actions for Known AddressesBotnet Traffic Filter Databases Information About the Dynamic Database Information About the Static Database 26-3 26-4 How the Botnet Traffic Filter Works 26-5 Prerequisites for the Botnet Traffic Filter Licensing Requirements for the Botnet Traffic Filter26-6 Task Flow for Configuring the Botnet Traffic Filter Configuring the Botnet Traffic Filter26-7 Configuring the Dynamic Database 26-8 Enabling DNS Snooping Adding Entries to the Static Database26-9 26-10 Recommended Configuration 26-11 Very Low Moderate High Very High Blocking Botnet Traffic Manually26-12 Searching the Dynamic Database 26-13 Botnet Traffic Filter Syslog Messaging Monitoring the Botnet Traffic Filter26-14 Botnet Traffic Filter Monitor Panes 26-15 Feature History for the Botnet Traffic Filter 26-16 Configuring Threat Detection Information About Threat DetectionLicensing Requirements for Threat Detection 27-1 Information About Basic Threat Detection Statistics Configuring Basic Threat Detection Statistics27-2 Trigger Settings Packet Drop Reason Average Rate Burst Rate Guidelines and LimitationsSecurity Context Guidelines Types of Traffic Monitored Configuring Basic Threat Detection Statistics Monitoring Basic Threat Detection StatisticsPath Purpose 27-4 Configuring Advanced Threat Detection Statistics Feature History for Basic Threat Detection StatisticsInformation About Advanced Threat Detection Statistics 27-5 Choose the Configuration Firewall Threat Detection pane Configuring Advanced Threat Detection Statistics27-6 Last 24 hour Monitoring Advanced Threat Detection Statistics27-7 Feature History for Advanced Threat Detection Statistics Configuring Scanning Threat Detection27-8 Information About Scanning Threat Detection 27-9 Average Rate Burst Rate Configuring Scanning Threat Detection27-10 Feature History for Scanning Threat Detection 27-11 27-12 Using Protection Tools Configuration Firewall Advanced Anti-Spoofing FieldsPreventing IP Spoofing 28-1 Show Fragment Configuring the Fragment Size28-2 Configuring TCP Options 28-3 TCP Reset Settings 28-4 Configuring IP Audit for Basic IPS Support Add/Edit IP Audit Policy ConfigurationIP Audit Policy 28-5 IP Audit Signatures IP Audit Signature ListSignature Message Number Signature Title 28-6 28-7 Message Number Signature Title 28-8 28-9 28-10 28-11 28-12 Information About Web Traffic Filtering Configuring Filtering Services29-1 Information About URL Filtering Filtering URLs and FTP Requests with an External Server29-2 Licensing Requirements for URL Filtering Guidelines and Limitations for URL FilteringIdentifying the Filtering Server 29-3 Configuring Additional URL Filtering Settings 29-4 Caching Server Addresses Buffering the Content Server Response29-5 Filtering Http URLs Configuring Filtering Rules29-6 29-7 29-8 29-9 29-10 Filtering the Rule Table 29-11 Defining Queries Feature History for URL Filtering29-12 Configuring Modules Page Information About the ASA CX Module Configuring the ASA CX Module30-1 How the ASA CX Module Works with the ASA 30-2 Monitor-Only Mode Service Policy in Monitor-Only ModeTraffic-Forwarding Interface in Monitor-Only Mode 30-3 Information About ASA CX Management Initial Configuration30-4 Information About Authentication Proxy Compatibility with ASA FeaturesPolicy Configuration and Management Information About VPN and the ASA CX Module Prerequisites Licensing Requirements for the ASA CX Module30-6 ASA Clustering Guidelines Monitor-Only Mode Guidelines30-7 Configuring the ASA CX Module Parameters DefaultTask Flow for the ASA CX Module 30-8 ASA 5585-X Hardware Module Connecting the ASA CX Management Interface30-9 If you do not have an inside router If you have an inside router30-10 ASA 5512-X through ASA 5555-X Software Module 30-11 30-12 Example 30-13 ASA 5585-X Changing the ASA CX Management IP Address Multiple Context Mode30-14 Single Context Mode Sets the ASA CX management IP address, mask, and gatewayExample ASDM, choose Wizards Startup Wizard Configuring Basic ASA CX Settings at the ASA CX CLI 30-16 30-17 Optional Configuring the Authentication Proxy Port 30-18 Redirecting Traffic to the ASA CX Module Creating the ASA CX Service Policy30-19 Click the ASA CX Inspection tab 30-20 Check the Enable ASA CX for this traffic flow check box 30-21 Choose Tools Command Line Interface Configuring Traffic-Forwarding Interfaces Monitor-Only Mode30-22 Managing the ASA CX Module Resetting the Password30-23 Reloading or Resetting the Module 30-24 Shutting Down the Module 30-25 30-26 Monitoring the ASA CX Module Admin12330-27 Showing Module Status Showing Module StatisticsMonitoring Module Connections Module 30-29 Ciscoasa# show asp table classify domain cxsc Input Table 30-30 30-31 Ciscoasa# show asp drop Troubleshooting the ASA CX Module Problems with the Authentication ProxyCapturing Module Traffic 30-32 Feature History for the ASA CX Module 30-33 Capture interface asadataplane command 30-34 Information About the ASA IPS Module Configuring the ASA IPS Module31-1 How the ASA IPS Module Works with the ASA 31-2 Operating Modes Using Virtual Sensors ASA 5510 and Higher31-3 Information About Management Access 31-4 Licensing Requirements for the ASA IPS module 31-5 Vlan 31-6 Task Flow for the ASA IPS Module Configuring the ASA IPS module31-7 Connecting the ASA IPS Management Interface 31-8 31-9 ASA 31-10 Sessioning to the Module from the ASA May Be Required 31-11 Configuring Basic IPS Module Network Settings ASA 5512-X through ASA 5555-X Booting the Software Module31-12 Choose Wizards Startup Wizard ASA 5510 and Higher Configuring Basic Network Settings31-13 ASDM, choose Configuration Device Setup SSC Setup ASA 5505 Configuring Basic Network Settings31-14 Configuring the Security Policy on the ASA IPS Module 31-15 Click Continue 31-16 31-17 Diverting Traffic to the ASA IPS module 31-18 Managing the ASA IPS module 31-19 Installing and Booting an Image on the Module 31-20 31-21 Uninstalling a Software Module Image 31-22 31-23 Monitoring the ASA IPS module 31-24 Feature History for the ASA IPS module 31-25 31-26 Information About the CSC SSM Configuring the ASA CSC Module32-1 ASA 32-2 Determining What Traffic to Scan 32-3 Common Network Configuration for CSC SSM Scanning 32-4 Prerequisites for the CSC SSM Licensing Requirements for the CSC SSM32-5 Parameter Default 32-6 Before Configuring the CSC SSM Configuring the CSC SSM32-7 Connecting to the CSC SSM 32-8 Determining Service Policy Rule Actions for CSC Scanning 32-9 CSC SSM Setup Wizard 32-10 Activation/License IP Configuration32-11 Host/Notification Settings 32-12 Password Management Access Host/Networks32-13 Choose Tools CSC Password Reset Restoring the Default Password32-14 CSC Setup Wizard Activation Codes Configuration Wizard Setup32-15 CSC Setup Wizard Host Configuration CSC Setup Wizard IP Configuration32-16 CSC Setup Wizard Management Access Configuration CSC Setup Wizard Password ConfigurationCSC Setup Wizard Traffic Selection for CSC Scan 32-17 Specifying Traffic for CSC Scanning 32-18 CSC Setup Wizard Summary 32-19 Using the CSC SSM GUI Choose Configuration Trend Micro Content Security WebWeb 32-20 Smtp Tab Mail32-21 File Transfer 32-22 Updates 32-23 Choose Monitoring Trend Micro Content Security Threats Monitoring the CSC SSMThreats 32-24 Live Security Events Log Live Security Events32-25 Software Updates 32-26 Troubleshooting the CSC Module Resource GraphsCSC Memory 32-27 Recover command Installing an Image on the Module32-28 Resetting the Password 32-29 Reloading or Resetting the Module Shutting Down the ModuleShuts down the module 32-30 Feature History for the CSC SSM Feature Name Platform Releases Feature InformationAdditional References Related Topic Document Title 32-32 D E IN-1 FTP Http IN-2 CSC CPU IN-3 CSC SSM GUI IN-4 Application inspection IN-5 IPS IN-6 See also class map IN-7 See Icmp IN-8 See QoS IN-9 See PAT IN-10 URL IN-11 IN-12