25-7

Chapter 25 Configuring the ASA for Cisco Cloud Web Security

Prerequisites for Cloud Web Security

Model	License Requirement

All models	Strong Encryption (3DES/AES) License to encrypt traffic between the security appliance and the
	Cloud Web Security server.

On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter, and generate your authentication keys.

Prerequisites for Cloud Web Security

(Optional) User Authentication Prerequisites

To send user identity information to Cloud Web Security, configure one of the following on the ASA:

•AAA rules (username only)—SeeChapter 8, “Configuring AAA Rules for Network Access.”

•IDFW (username and group)—SeeChapter 38, “Configuring the Identity Firewall,” in the general operations configuration guide.

(Optional) Fully Qualified Domain Name Prerequisites

If you use FQDNs in ACLs for your service policy rule, or for the Cloud Web Security server, you must configure a DNS server for the ASA according to the “Configuring the DNS Server” section on page 16-8in the general operations configuration guide.

Guidelines and Limitations

Context Mode Guidelines

Supported in single and multiple context modes.

In multiple context mode, the server configuration is allowed only in the system, and the service policy rule configuration is allowed only in the security contexts.

Each context can have its own authentication key, if desired.

Firewall Mode Guidelines

Supported in routed firewall mode only. Does not support transparent firewall mode.

IPv6 Guidelines

Does not support IPv6. See the “IPv4 and IPv6 Support” section on page 25-6.

Additional Guidelines

•Cloud Web Security is not supported with ASA clustering.

•Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.

Cisco ASA Series Firewall ASDM Configuration Guide

Page 575

Image 575

Cisco Systems ASA Services Module Prerequisites for Cloud Web Security, Optional User Authentication Prerequisites, 25-7

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.

Contents

Software Version Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide N T E N T S NAT for VPN Guidelines and Limitations Default Settings NAT and Same Security Level Interfaces Configuring Access Rules Getting Started with Application Layer Protocol Inspection Select IM Map Add/Edit H.323 Match Criterion SIP Class Map Select Radius Accounting Map Cisco Unified Communications Manager Prerequisites ACL Rules Configuring the TLS Proxy for Encrypted Voice Inspection Creating the TLS Proxy TCP Intercept and Limiting Embryonic Connections Blocks Monitoring Cloud Web Security Related Documents IP Audit Policy Licensing Requirements for the ASA CX Module Operating Modes Management Access Host/Networks Related Documentation About This GuideDocument Objectives Bold font ConventionsConvention Indication Configuring Service Policies Page Supported Features Configuring a Service PolicyInformation About Service Policies Accounting only Feature DirectionalityFeature Traffic? See For Through Global Direction Feature Matching Within a Service PolicyFeature ASA IPS ASA CX Order in Which Multiple Feature Actions are Applied Feature Matching for Multiple Service Policies Licensing Requirements for Service PoliciesIncompatibility of Certain Feature Actions Guidelines and Limitations Default Configuration Default Settings Task Flow for Configuring a Service Policy Rule Task Flows for Configuring Service PoliciesAdding a Service Policy Rule for Through Traffic Default Traffic Classes Cisco ASA Series Firewall Asdm Configuration Guide Click Next Click Match or Do Not Match Cisco ASA Series Firewall Asdm Configuration Guide Configuring a Service Policy Rule for Management Traffic Adding a Service Policy Rule for Management Traffic Click Match or Do Not Match Managing the Order of Service Policy Rules Moving an ACE Radius-accounting Feature History for Service PoliciesFeature Name Releases Feature Information Introduced class-map type management, and inspectPage Information About Inspection Policy Maps Default Inspection Policy Maps Identifying Traffic in an Inspection Class Map Choose Configuration Firewall Objects Inspect MapsChoose Configuration Firewall Objects Class Maps Defining Actions in an Inspection Policy Map Feature History for Inspection Policy Maps Where to Go Next Configuring Network Address Translation Page Information About NAT ASA 8.3 and Later Why Use NAT? NAT Terminology Information About Static NAT NAT TypesNAT Types Overview Static NAT Information About Static NAT with Port Address Translation Information About Static NAT with Port Translation Static NAT with Identity Port Translation Static Interface NAT with Port Translation Information About One-to-Many Static NAT Information About Other Mapping Scenarios Not Recommended 6shows a typical few-to-many static NAT scenario Dynamic NAT 209.165.201.10 Information About Dynamic NAT Information About Dynamic PAT Dynamic PATDynamic NAT Disadvantages and Advantages Dynamic PAT Disadvantages and Advantages Per-Session PAT vs. Multi-Session PAT Version 9.01 and Later Identity NAT NAT in Routed and Transparent Mode NAT in Transparent Mode NAT in Routed Mode 13 NAT Example Transparent Mode Main Differences Between Network Object NAT and Twice NAT NAT and IPv6How NAT is Implemented Information About Twice NAT Information About Network Object NAT 14 Twice NAT with Different Destination Addresses 15 Twice NAT with Different Destination Ports 16 Twice Static NAT with Destination Address Translation Rule Type Order of Rules within the Section NAT Rule Order 10.1.2.0 NAT Interfaces Mapped Addresses and Routing Routing NAT Packets 18 Proxy ARP Problems with Identity NAT Determining the Egress Interface Transparent Mode Routing Requirements for Remote Networks NAT for VPN NAT and Remote Access VPN Src 203.0.113.16070 4. Http request to Dst NAT and Site-to-Site VPN See the following sample NAT configuration for ASA1 Boulder Subnet 10.2.2.0 NAT and VPN Management Access 25 VPN Management Access Repeat show nat detail and show conn all Troubleshooting NAT and VPNDNS and NAT Enter show nat detail and show conn all 26 DNS Reply Modification, DNS Server on Outside 192.168.1.10 28 DNS Reply Modification, DNS Server on Host Network 2001DB8D1A5C8E1 30 PTR Modification, DNS Server on Host Network Information About Network Object NAT Configuring Network Object NAT ASA 8.3 and Later Prerequisites for Network Object NAT Licensing Requirements for Network Object NAT Additional Guidelines Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool Configuring Network Object NAT Detailed Steps Check the Add Automatic Translation Rules check box Configuring Network Object NAT ASA 8.3 and Later Configuring Dynamic PAT Hide Configuring Network Object NAT ASA 8.3 and Later Check the Add Automatic Translation Rules check box Add NAT to a new or existing network object Configuring Static NAT or Static NAT-with-Port-Translation Configuring Network Object NAT ASA 8.3 and Later Check the Add Automatic Translation Rules check box Configuring Network Object NAT ASA 8.3 and Later Configuring Identity NAT From the Type drop-down list, choose Static Configuring Network Object NAT ASA 8.3 and Later Defaults Configuring Per-Session PAT Rules Fields Monitoring Network Object NAT Configuration Examples for Network Object NAT Static NAT for an Inside Web Server Providing Access to an Inside Web Server Static NAT Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Dynamic NAT for Inside, Static NAT for Outside Web Server Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Static NAT with One-to-Many for an Inside Load Balancer Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Static NAT-with-Port-Translation Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Create a network object for the FTP server address Cisco ASA Series Firewall Asdm Configuration Guide DNS Reply Modification Using Outside NAT Cisco ASA Series Firewall Asdm Configuration Guide 2001DB8D1A5C8E1 IPv6 Net DNS Reply Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide No-proxy-arp and route-lookup keywords, to maintain Feature History for Network Object NATPlatform Feature Name Releases Feature Information This feature is not available in 8.51 or Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Page Information About Twice NAT Configuring Twice NAT ASA 8.3 and Later Prerequisites for Twice NAT Licensing Requirements for Twice NAT IPv6 Guidelines Configuring Twice NAT Choose Configuration Firewall NAT Rules, and then click Add Configuring Twice NAT ASA 8.3 and Later Source Destination Source Destination Configuring Twice NAT ASA 8.3 and Later Configuring Twice NAT ASA 8.3 and Later Click OK To configure dynamic PAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later Source Destination Configuring Twice NAT ASA 8.3 and Later Source Destination Configuring Twice NAT ASA 8.3 and Later To configure static NAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later Source Destination Source Destination Configuring Twice NAT ASA 8.3 and Later Configuring Twice NAT ASA 8.3 and Later To configure identity NAT, perform the following steps Configuring Twice NAT ASA 8.3 and Later 10.1.2.2 Source Destination Configuring Twice NAT ASA 8.3 and Later Monitoring Twice NAT Configuration Examples for Twice NAT Twice NAT with Different Destination Addresses Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Click Apply Twice NAT with Different Destination Ports Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Cisco ASA Series Firewall Asdm Configuration Guide Click Apply Feature History for Twice NAT This feature is not available in 8.51 or Platform Feature Name Releases Feature Information Platform Feature Name Releases Feature Information Page Introduction to NAT Configuring NAT ASA 8.2 and EarlierNAT Overview NAT Example Routed Mode NAT in Transparent Mode 209.165.201.1 NAT Control NAT Control and Same Security Traffic Dynamic NAT NAT Types Remote Host Attempts to Connect to the Real Address PAT Static PAT Static NAT Bypassing NAT When NAT Control is Enabled Policy NAT Policy NAT with Different Destination Addresses 11 Policy Static NAT with Destination Address Translation NAT and Same Security Level Interfaces DNS and NAT Order of NAT Rules Used to Match Real AddressesMapped Address Guidelines 12 DNS Reply Modification 13 DNS Reply Modification Using Outside NAT Configuring NAT Control Dynamic NAT Implementation Using Dynamic NAT Global Pools on Different Interfaces with the Same Pool ID Real Addresses and Global Pools Paired Using a Pool ID Global 1 16 Different NAT IDs Multiple Addresses in the Same Global Pool 17 NAT and PAT Together Outside NAT 18 Outside NAT and Inside NAT Combined Managing Global Pools 19 Dynamic NAT Scenarios Configuring Dynamic NAT, PAT, or Identity NAT Configuring NAT ASA 8.2 and Earlier Using Dynamic NAT 20 Dynamic Policy NAT Scenarios Configuring Dynamic Policy NAT or PAT Configuring NAT ASA 8.2 and Earlier Using Dynamic NAT Using Static NAT Inside Configuring Static NAT, PAT, or Identity NAT Use Interface IP Address Use IP Address Click OK 22 Static Policy NAT Scenarios Configuring Static Policy NAT, PAT, or Identity NAT Use IP Address Click Action Exempt Using NAT Exemption Click Action Do not exempt Configuring Access Control Page Information About Access Rules Configuring Access Rules Implicit Permits General Information About Rules Implicit Deny Using RemarksNAT and Access Rules Rule Order Outbound ACL Transactional-Commit Model Additional Guidelines and Limitations Information About Access RulesAccess Rules for Returning Traffic Traffic Type Protocol or Port Management Access RulesInformation About EtherType Rules Supported EtherTypes and Other Traffic Allowing Mpls Licensing Requirements for Access RulesDefault Settings Choose Configuration Firewall Access Rules Configuring Access RulesAdding an Access Rule Adding an EtherType Rule Transparent Mode Only Configuring Management Access Rules Prerequisites Advanced Access Rule Configuration Check the Enable Object Group Search Algorithm check box Configuring Http RedirectAccess Rule Explosion Configuring Transactional Commit Model Edit HTTP/HTTPS Settings Feature History for Access Rules Platform Feature Name Releases Feature Information Page Licensing Requirements for AAA Rules Configuring AAA Rules for Network AccessAAA Performance Information About Authentication Configuring Authentication for Network Access ASA Authentication Prompts One-Time Authentication AAA Prompts and Identity Firewall Deployment Supporting Cut-through Proxy Authentication Static PAT and Http AAA Rules as a Backup Authentication Method Authenticate Do not Authenticate Configuring Network Access Authentication Click OK Enabling Secure Authentication of Web Clients Authenticating Https Connections with a Virtual Server Authenticating Directly with the ASA Authenticating Telnet Connections with a Virtual Server Choose Configuration Firewall AAA Rules, then click Advanced Configuring the Authentication Proxy Limit Authorize Do not Authorize Configuring Authorization for Network AccessConfiguring TACACS+ Authorization Configuring Radius Authorization About the Downloadable ACL Feature and Cisco Secure ACS Configuring Cisco Secure ACS for Downloadable ACLs Configuring Any Radius Server for Downloadable ACLs Configuring Accounting for Network Access Account Do not Account MAC Exempt No MAC Exempt Feature History for AAA Rules Licensing Requirements for Public Servers Configuring Public ServersInformation About Public Servers Adding a Public Server that Enables Static NAT with PAT Adding a Public Server that Enables Static NAT Editing Settings for a Public Server Feature History for Public Servers Configuring Application Inspection Page 10-1 Getting Started with Application Layer Protocol InspectionHow Inspection Engines Work 10-2 When to Use Application Protocol Inspection 10-3 Failover Guidelines 10-4 Default Settings and NAT Limitations323 H.225 10-5 NetBIOS NameIP Options Server over IP 10-6 SmtpSQL*Net Sun RPC over 10-7 Configuring Application Layer Protocol InspectionChoose Configuration Firewall Service Policy Rules 10-8 11-1 Configuring Inspection of Basic Internet ProtocolsDNS Inspection DNS Inspection Actions Default Settings for DNS InspectionInformation About DNS Inspection General Information About DNS 11-3 Choose Configuration Firewall Objects Inspect Maps DNS 11-4 Detailed Steps-Protocol Conformance 11-5 Detailed Steps-Filtering 11-6 Detailed Steps-Inspections 11-7 11-8 11-9 11-10 Header Flag 11-11 DNS Type Field ValueClass 11-12 11-13 Resource Record 11-14 Domain Name 11-15 11-16 Configuring DNS InspectionClick Configure 11-17 Using Strict FTPFTP Inspection FTP Inspection Overview 11-18 Select FTP Map 11-19 Configuration Global Objects Class Maps FTPFTP Class Map Add/Edit FTP Traffic Class Map 11-20 Add/Edit FTP Match Criterion 11-21 Configuration Global Objects Inspect Maps FTPFTP Inspect Map 11-22 File Type FilteringAdd/Edit FTP Policy Map Security Level 11-23 Add/Edit FTP Policy Map Details 11-24 Add/Edit FTP Map 11-25 Verifying and Monitoring FTP Inspection 11-26 Http InspectionHttp Inspection Overview Select Http Map 11-27 Configuration Global Objects Class Maps HttpHttp Class Map Add/Edit Http Traffic Class Map 11-28 Add/Edit Http Match Criterion 11-29 11-30 11-31 11-32 Configuration Global Objects Inspect Maps HttpHttp Inspect Map 11-33 URI FilteringAdd/Edit Http Policy Map Security Level 11-34 Add/Edit Http Policy Map Details 11-35 Add/Edit Http Map 11-36 11-37 11-38 11-39 Icmp Error InspectionIcmp Inspection Instant Messaging Inspection 11-40 IM Inspection OverviewAdding a Class Map for IM Inspection 11-41 IP Options InspectionSelect IM Map IP Options Inspection Overview 11-42 Configuring IP Options Inspection 11-43 Select IP Options Inspect Map 11-44 IP Options Inspect MapAdd/Edit IP Options Inspect Map 11-45 IPsec Pass Through InspectionIPsec Pass Through Inspection Overview 11-46 Select IPsec-Pass-Thru MapIPsec Pass Through Inspect Map 11-47 Add/Edit IPsec Pass Thru Policy Map Security LevelAdd/Edit IPsec Pass Thru Policy Map Details Information about IPv6 Inspection Default Settings for IPv6 InspectionOptional Configuring an IPv6 Inspection Policy Map IPv6 Inspection 11-49 Configuring IPv6 Inspection 11-50 NetBIOS InspectionNetBIOS Inspection Overview Select Netbios Map Pptp Inspection NetBIOS Inspect MapAdd/Edit NetBIOS Policy Map Configuration Global Objects Inspect Maps NetBIOS 11-52 Smtp and Extended Smtp InspectionSmtp and Esmtp Inspection Overview 11-53 Select Esmtp Map 11-54 Configuration Global Objects Inspect Maps EsmtpEsmtp Inspect Map 11-55 Mime File Type FilteringAdd/Edit Esmtp Policy Map Security Level 11-56 Add/Edit Esmtp Policy Map Details 11-57 Add/Edit Esmtp Inspect 11-58 11-59 11-60 Tftp Inspection 11-61 11-62 12-1 Configuring Inspection for Voice and Video ProtocolsCtiqbe Inspection Ctiqbe Inspection Overview 12-2 InspectionLimitations and Restrictions 12-3 Inspection OverviewHow H.323 Works 12-4 Support in H.245 Messages 12-5 Configuration Global Objects Class Maps H.323Select H.323 Map Class Map 12-6 Add/Edit H.323 Traffic Class MapAdd/Edit H.323 Match Criterion 12-7 Configuration Global Objects Inspect Maps H.323Inspect Map 12-8 Phone Number FilteringAdd/Edit H.323 Policy Map Security Level 12-9 Add/Edit H.323 Policy Map Details 12-10 12-11 Add/Edit HSI GroupAdd/Edit H.323 Map 12-12 Mgcp InspectionMgcp Inspection Overview 12-13 Using NAT with Mgcp 12-14 Configuration Global Objects Inspect Maps MgcpSelect Mgcp Map Mgcp Inspect Map 12-15 Gateways and Call AgentsAdd/Edit Mgcp Policy Map 12-16 Rtsp InspectionAdd/Edit Mgcp Group 12-17 Using RealPlayerRtsp Inspection Overview Rtsp Inspect Map Configuration Global Objects Inspect Maps RadiusRestrictions and Limitations Select Rtsp Map 12-19 Configuration Firewall Objects Class Maps RtspAdd/Edit Rtsp Policy Map Rtsp Class Map 12-20 SIP InspectionAdd/Edit Rtsp Traffic Class Map 12-21 SIP Inspection Overview 12-22 SIP Instant MessagingSelect SIP Map 12-23 Configuration Global Objects Class Maps SIPSIP Class Map 12-24 Add/Edit SIP Traffic Class MapAdd/Edit SIP Match Criterion 12-25 12-26 Configuration Global Objects Inspect Maps SIPSIP Inspect Map 12-27 Add/Edit SIP Policy Map Security Level 12-28 Add/Edit SIP Policy Map Details 12-29 12-30 Add/Edit SIP Inspect 12-31 12-32 Skinny Sccp InspectionSccp Inspection Overview 12-33 Supporting Cisco IP Phones 12-34 Configuration Global Objects Inspect Maps Sccp SkinnySelect Sccp Skinny Map Sccp Skinny Inspect Map 12-35 Message ID Filtering 12-36 Add/Edit Sccp Skinny Policy Map Security Level 12-37 Add/Edit Sccp Skinny Policy Map Details 12-38 Add/Edit Message ID Filter 13-1 Configuring Inspection of Database Directory ProtocolsILS Inspection 13-2 SQL*Net Inspection Sunrpc Server Configuration Properties Sunrpc ServerSun RPC Inspection Sun RPC Inspection Overview 13-4 Add/Edit Sunrpc Service 14-1 Configuring Inspection for Management Application ProtocolsDcerpc Inspection Dcerpc Overview 14-2 Configuration Global Objects Inspect Maps DcerpcSelect Dcerpc Map Dcerpc Inspect Map 14-3 Add/Edit Dcerpc Policy Map 14-4 GTP Inspection 14-5 GTP Inspection OverviewSelect GTP Map 14-6 Configuration Global Objects Inspect Maps GTPGTP Inspect Map 14-7 Imsi Prefix FilteringAdd/Edit GTP Policy Map Security Level 14-8 Add/Edit GTP Policy Map Details 14-9 Add/Edit GTP Map 14-10 Radius Accounting Inspection 14-11 Radius Accounting Inspection OverviewSelect Radius Accounting Map Add Radius Accounting Policy Map 14-12 Radius Inspect MapRadius Inspect Map Host 14-13 RSH InspectionSnmp Inspection Radius Inspect Map Other Add/Edit Snmp Map Snmp Inspection OverviewSelect Snmp Map Snmp Inspect Map 14-15 Xdmcp Inspection 14-16 Configuring Unified Communications Page 15-1 15-2 15-3 TLS Proxy Applications in Cisco Unified Communications 15-4 Model License Requirement1 15-5 15-6 16-1 Using the Cisco Unified Communication Wizard 16-2 16-3 Licensing Requirements for the Unified Communication Wizard 16-4 16-5 Configuring the Private Network for the Phone Proxy 16-6 Configuring Servers for the Phone ProxyClick the Generate and Export LDC Certificate button 16-7 Address Default Port Description 16-8 16-9 Configuring the Public IP Phone Network 16-10 16-11 16-12 16-13 16-14 16-15 Certificate, 16-16 16-17 16-18 Basic DeploymentOff-path Deployment 16-19 16-20 16-21 16-22 16-23 Installing a CertificateExporting an Identity Certificate 16-24 Click Install Certificate 16-25 Saving the Identity Certificate Request 16-26 16-27 16-28 17-1 Configuring the Cisco Phone ProxyInformation About the Cisco Phone Proxy Phone Proxy Functionality TCP/RTP TLS/SRTP 17-2 17-3 Supported Cisco UCM and IP Phones for the Phone ProxyCisco Unified Communications Manager Cisco Unified IP Phones 17-4 Licensing Requirements for the Phone Proxy 17-5 17-6 Prerequisites for the Phone ProxyMedia Termination Instance Prerequisites ACL Rules Certificates from the Cisco UCMDNS Lookup Prerequisites Cisco Unified Communications Manager Prerequisites PAT Prerequisites NAT and PAT PrerequisitesAddress Port Protocol Description NAT Prerequisites 17-9 Prerequisites for IP Phones on Multiple Interfaces7940 IP Phones Support 17-10 Cisco IP Communicator PrerequisitesPrerequisites for Rate Limiting Tftp Requests 17-11 Rate Limiting Configuration ExampleEnd-User Phone Provisioning Ways to Deploy IP Phones to End Users 17-12 Phone Proxy Guidelines and LimitationsGeneral Guidelines and Limitations 17-13 Media Termination Address Guidelines and Limitations 17-14 Configuring the Phone ProxyTask Flow for Configuring the Phone Proxy 17-15 Creating the CTL File 17-16 Adding or Editing a Record Entry in a CTL File 17-17 Creating the Media Termination Instance 17-18 Creating the Phone Proxy Instance 17-19 17-20 Adding or Editing the Tftp Server for a Phone Proxy 17-21 Configuring Your RouterLinksys Routers 17-22 Feature History for the Phone ProxyApplication Start End Protocol IP Address Enabled Checked 18-1 TLS Proxy Flow Cisco IP Phone Cisco ASA 18-2 18-3 Supported Cisco UCM and IP Phones for the TLS Proxy 18-4 Licensing for the TLS Proxy 18-5 18-6 CTL Provider 18-7 Add/Edit CTL Provider 18-8 Configure TLS Proxy Pane 18-9 Add TLS Proxy Instance Wizard Server ConfigurationAdding a TLS Proxy Instance 18-10 Add TLS Proxy Instance Wizard Client Configuration 18-11 18-12 Add TLS Proxy Instance Wizard Other Steps 18-13 Edit TLS Proxy Instance Server Configuration 18-14 Edit TLS Proxy Instance Client Configuration 18-15 18-16 TLS ProxyAdd/Edit TLS Proxy 18-17 18-18 19-1 Configuring Cisco Mobility AdvantageCisco Mobility Advantage Proxy Functionality 19-2 Mobility Advantage Proxy Deployment Scenarios MMP/SSL/TLS 19-3 19-4 Mobility Advantage Proxy Using NAT/PATTrust Relationships for Cisco UMA Deployments 19-5 19-6 Configuring Cisco Mobility Advantage 19-7 Feature History for Cisco Mobility AdvantageTask Flow for Configuring Cisco Mobility Advantage 19-8 20-1 Configuring Cisco Unified PresenceInformation About Cisco Unified Presence Typical Cisco Unified Presence/LCS Federation Scenario 20-2 SIP/TLS 20-3 20-4 Trust Relationship in the Presence Federation 20-5 Xmpp Federation Deployments 20-6 Configuration Requirements for Xmpp Federation 20-7 Licensing for Cisco Unified Presence 20-8 Configuring Cisco Unified Presence Proxy for SIP Federation 20-9 Feature History for Cisco Unified Presence 20-10 21-1 Configuring Cisco Intercompany Media Engine ProxyFeatures of Cisco Intercompany Media Engine Proxy 21-2 How the UC-IME Works with the Pstn and the Internet 21-3 Tickets and Passwords 21-4 21-5 Call Fallback to the PstnArchitecture 21-6 Basic Deployment 21-7 Off Path Deployment 21-8 Licensing for Cisco Intercompany Media Engine 21-9 21-10 21-11 Configuring Cisco Intercompany Media Engine ProxyTask Flow for Configuring Cisco Intercompany Media Engine 21-12 Configuring NAT for Cisco Intercompany Media Engine Proxy 21-13 Command Purpose 21-14 Configuring PAT for the Cisco UCM ServerCommand Purpose What to Do Next 21-15 Address of Cisco UCM that you want to translate 21-16 Creating ACLs for Cisco Intercompany Media Engine Proxy 21-17 ProcedureGuidelines 21-18 Creating the Cisco Intercompany Media Engine Proxy 21-19 See Creating the Media Termination Instance 21-20 Show running-config uc-ime command 21-21 Creating Trustpoints and Generating Certificates 21-22 Prerequisites for Installing Certificates 21-23 Certified 21-24 Creating the TLS Proxy 21-25 21-26 ACLs for Cisco Intercompany Media Engine Proxy 21-27 Optional Configuring TLS within the Local Enterprise 21-28 Commands Purpose 21-29 Where proxytrustpoint for the server trust-pointWhere proxytrustpoint for the client trust-point 21-30 Optional Configuring Off Path Signaling 21-31 Engine Proxy, 21-32 21-33 21-34 Show uc-ime signaling-sessions 21-35 Show uc-ime signaling-sessions statisticsShow uc-ime media-sessions detail 21-36 Show uc-ime mapping-service-sessionsShow uc-ime mapping-service-sessions statistics Show uc-ime fallback-notification statistics 21-37 Feature History for Cisco Intercompany Media Engine Proxy 21-38 Configuring Connection Settings and QoS Page 22-1 Configuring Connection SettingsInformation About Connection Settings 22-2 TCP Intercept and Limiting Embryonic ConnectionsDead Connection Detection DCD 22-3 TCP Sequence RandomizationTCP Normalization TCP State Bypass 22-4 Licensing Requirements for Connection Settings 22-5 TCP State Bypass Unsupported FeaturesMaximum Concurrent and Embryonic Connection Guidelines TCP State Bypass 22-6 Configuring Connection SettingsTask Flow For Configuring Connection Settings Customizing the TCP Normalizer with a TCP Map 22-7 22-8 Configuring Connection Settings 22-9 Configuring Global Timeouts 22-10 22-11 Feature History for Connection SettingsIntroduced set connection advanced-options Tcp-state-bypass 22-12 23-1 Configuring QoSInformation About QoS 23-2 Supported QoS FeaturesWhat is a Token Bucket? 23-3 Information About PolicingInformation About Priority Queuing 23-4 How QoS Features InteractInformation About Traffic Shaping 23-5 Licensing Requirements for QoSDscp and DiffServ Preservation Model Guidelines 23-6 Configuring QoS 23-7 125 23-8 Configuring the Standard Priority Queue for an Interface 23-9 Click Enable priority for this flow 23-10 23-11 Monitoring QoSClick Enforce priority to selected shape traffic 23-12 Viewing QoS Police StatisticsViewing QoS Standard Priority Statistics 23-13 Viewing QoS Shaping StatisticsViewing QoS Standard Priority Queue Statistics 23-14 Feature History for QoS 24-1 Troubleshooting Connections and ResourcesTesting Your Configuration Pinging ASA Interfaces 24-2 Network Diagram with Interfaces, Routers, and Hosts 24-3 Information About Ping Pinging Through the ASA Interface Troubleshooting the Ping ToolPinging From an ASA Interface Pinging to an ASA Interface 24-5 Using the Ping Tool 24-6 Output Symbol DescriptionDetermining Packet Routing with Traceroute 24-7 Tracing Packets with Packet Tracer 24-8 Monitoring Performance 24-9 Monitoring System ResourcesBlocks 24-10 Memory 24-11 Monitoring Connections 24-12 Monitoring Per-Process CPU Usage Configuring Advanced Network Protection Page 25-1 Configuring the ASA for Cisco Cloud Web Security 25-2 User Authentication and Cloud Web SecurityInformation About Cisco Cloud Web Security Redirection of Web Traffic to Cloud Web Security 25-3 Authentication KeysCompany Authentication Key Group Authentication Key 25-4 ScanCenter PolicyDirectory Groups Custom Groups 25-5 How Groups and the Authentication Key InteroperateCloud Web Security Actions IPv4 and IPv6 Support Failover from Primary to Backup Proxy ServerLicensing Requirements for Cisco Cloud Web Security Bypassing Scanning with Whitelists 25-7 Optional User Authentication PrerequisitesPrerequisites for Cloud Web Security Optional Fully Qualified Domain Name Prerequisites 25-8 Configuring Cisco Cloud Web Security 25-9 Choose Configuration Device Management Cloud Web Security 25-10 25-11 25-12 25-13 25-14 25-15 25-16 25-17 Examples 25-18 25-19 Check Cloud Web Security and click Configure 25-20 25-21 Tcp/http 25-22 25-23 Optional Configuring Whitelisted Traffic 25-24 25-25 Optional Configuring the User Identity Monitor 25-26 Configuring the Cloud Web Security PolicyMonitoring Cloud Web Security 25-27 Feature History for Cisco Cloud Web SecurityRelated Documents Related Documents 25-28 26-1 Configuring the Botnet Traffic FilterInformation About the Botnet Traffic Filter Information About the Dynamic Database Botnet Traffic Filter Address TypesBotnet Traffic Filter Actions for Known Addresses Botnet Traffic Filter Databases 26-3 Information About the Static Database 26-4 26-5 How the Botnet Traffic Filter Works 26-6 Licensing Requirements for the Botnet Traffic FilterPrerequisites for the Botnet Traffic Filter 26-7 Configuring the Botnet Traffic FilterTask Flow for Configuring the Botnet Traffic Filter 26-8 Configuring the Dynamic Database 26-9 Adding Entries to the Static DatabaseEnabling DNS Snooping 26-10 26-11 Recommended Configuration 26-12 Blocking Botnet Traffic ManuallyVery Low Moderate High Very High 26-13 Searching the Dynamic Database 26-14 Monitoring the Botnet Traffic FilterBotnet Traffic Filter Syslog Messaging 26-15 Botnet Traffic Filter Monitor Panes 26-16 Feature History for the Botnet Traffic Filter 27-1 Configuring Threat DetectionInformation About Threat Detection Licensing Requirements for Threat Detection 27-2 Configuring Basic Threat Detection StatisticsInformation About Basic Threat Detection Statistics Types of Traffic Monitored Trigger Settings Packet Drop Reason Average Rate Burst RateGuidelines and Limitations Security Context Guidelines 27-4 Configuring Basic Threat Detection StatisticsMonitoring Basic Threat Detection Statistics Path Purpose 27-5 Configuring Advanced Threat Detection StatisticsFeature History for Basic Threat Detection Statistics Information About Advanced Threat Detection Statistics 27-6 Configuring Advanced Threat Detection StatisticsChoose the Configuration Firewall Threat Detection pane 27-7 Monitoring Advanced Threat Detection StatisticsLast 24 hour 27-8 Configuring Scanning Threat DetectionFeature History for Advanced Threat Detection Statistics 27-9 Information About Scanning Threat Detection 27-10 Configuring Scanning Threat DetectionAverage Rate Burst Rate 27-11 Feature History for Scanning Threat Detection 27-12 28-1 Using Protection ToolsConfiguration Firewall Advanced Anti-Spoofing Fields Preventing IP Spoofing 28-2 Configuring the Fragment SizeShow Fragment 28-3 Configuring TCP Options 28-4 TCP Reset Settings 28-5 Configuring IP Audit for Basic IPS SupportAdd/Edit IP Audit Policy Configuration IP Audit Policy 28-6 IP Audit SignaturesIP Audit Signature List Signature Message Number Signature Title 28-7 28-8 Message Number Signature Title 28-9 28-10 28-11 28-12 29-1 Configuring Filtering ServicesInformation About Web Traffic Filtering 29-2 Filtering URLs and FTP Requests with an External ServerInformation About URL Filtering 29-3 Licensing Requirements for URL FilteringGuidelines and Limitations for URL Filtering Identifying the Filtering Server 29-4 Configuring Additional URL Filtering Settings 29-5 Buffering the Content Server ResponseCaching Server Addresses 29-6 Configuring Filtering RulesFiltering Http URLs 29-7 29-8 29-9 29-10 29-11 Filtering the Rule Table 29-12 Feature History for URL FilteringDefining Queries Configuring Modules Page 30-1 Configuring the ASA CX ModuleInformation About the ASA CX Module 30-2 How the ASA CX Module Works with the ASA 30-3 Monitor-Only ModeService Policy in Monitor-Only Mode Traffic-Forwarding Interface in Monitor-Only Mode 30-4 Initial ConfigurationInformation About ASA CX Management Information About VPN and the ASA CX Module Information About Authentication ProxyCompatibility with ASA Features Policy Configuration and Management 30-6 Licensing Requirements for the ASA CX ModulePrerequisites 30-7 Monitor-Only Mode GuidelinesASA Clustering Guidelines 30-8 Configuring the ASA CX ModuleParameters Default Task Flow for the ASA CX Module 30-9 Connecting the ASA CX Management InterfaceASA 5585-X Hardware Module 30-10 If you have an inside routerIf you do not have an inside router 30-11 ASA 5512-X through ASA 5555-X Software Module 30-12 30-13 Example 30-14 Multiple Context ModeASA 5585-X Changing the ASA CX Management IP Address ASDM, choose Wizards Startup Wizard Single Context ModeSets the ASA CX management IP address, mask, and gateway Example 30-16 Configuring Basic ASA CX Settings at the ASA CX CLI 30-17 30-18 Optional Configuring the Authentication Proxy Port 30-19 Creating the ASA CX Service PolicyRedirecting Traffic to the ASA CX Module 30-20 Click the ASA CX Inspection tab 30-21 Check the Enable ASA CX for this traffic flow check box 30-22 Configuring Traffic-Forwarding Interfaces Monitor-Only ModeChoose Tools Command Line Interface 30-23 Resetting the PasswordManaging the ASA CX Module 30-24 Reloading or Resetting the Module 30-25 Shutting Down the Module 30-26 30-27 Admin123Monitoring the ASA CX Module Module Showing Module StatusShowing Module Statistics Monitoring Module Connections Ciscoasa# show asp table classify domain cxsc Input Table 30-29 30-30 Ciscoasa# show asp drop 30-31 30-32 Troubleshooting the ASA CX ModuleProblems with the Authentication Proxy Capturing Module Traffic 30-33 Feature History for the ASA CX Module 30-34 Capture interface asadataplane command 31-1 Configuring the ASA IPS ModuleInformation About the ASA IPS Module 31-2 How the ASA IPS Module Works with the ASA 31-3 Using Virtual Sensors ASA 5510 and HigherOperating Modes 31-4 Information About Management Access 31-5 Licensing Requirements for the ASA IPS module 31-6 Vlan 31-7 Configuring the ASA IPS moduleTask Flow for the ASA IPS Module 31-8 Connecting the ASA IPS Management Interface 31-9 31-10 ASA 31-11 Sessioning to the Module from the ASA May Be Required 31-12 ASA 5512-X through ASA 5555-X Booting the Software ModuleConfiguring Basic IPS Module Network Settings 31-13 ASA 5510 and Higher Configuring Basic Network SettingsChoose Wizards Startup Wizard 31-14 ASA 5505 Configuring Basic Network SettingsASDM, choose Configuration Device Setup SSC Setup 31-15 Configuring the Security Policy on the ASA IPS Module 31-16 Click Continue 31-17 31-18 Diverting Traffic to the ASA IPS module 31-19 Managing the ASA IPS module 31-20 Installing and Booting an Image on the Module 31-21 31-22 Uninstalling a Software Module Image 31-23 31-24 Monitoring the ASA IPS module 31-25 Feature History for the ASA IPS module 31-26 32-1 Configuring the ASA CSC ModuleInformation About the CSC SSM 32-2 ASA 32-3 Determining What Traffic to Scan 32-4 Common Network Configuration for CSC SSM Scanning 32-5 Licensing Requirements for the CSC SSMPrerequisites for the CSC SSM 32-6 Parameter Default 32-7 Configuring the CSC SSMBefore Configuring the CSC SSM 32-8 Connecting to the CSC SSM 32-9 Determining Service Policy Rule Actions for CSC Scanning 32-10 CSC SSM Setup Wizard 32-11 IP ConfigurationActivation/License 32-12 Host/Notification Settings 32-13 Management Access Host/NetworksPassword 32-14 Restoring the Default PasswordChoose Tools CSC Password Reset 32-15 Wizard SetupCSC Setup Wizard Activation Codes Configuration 32-16 CSC Setup Wizard IP ConfigurationCSC Setup Wizard Host Configuration 32-17 CSC Setup Wizard Management Access ConfigurationCSC Setup Wizard Password Configuration CSC Setup Wizard Traffic Selection for CSC Scan 32-18 Specifying Traffic for CSC Scanning 32-19 CSC Setup Wizard Summary 32-20 Using the CSC SSM GUIChoose Configuration Trend Micro Content Security Web Web 32-21 MailSmtp Tab 32-22 File Transfer 32-23 Updates 32-24 Choose Monitoring Trend Micro Content Security ThreatsMonitoring the CSC SSM Threats 32-25 Live Security EventsLive Security Events Log 32-26 Software Updates 32-27 Troubleshooting the CSC ModuleResource Graphs CSC Memory 32-28 Installing an Image on the ModuleRecover command 32-29 Resetting the Password 32-30 Reloading or Resetting the ModuleShutting Down the Module Shuts down the module Related Topic Document Title Feature History for the CSC SSMFeature Name Platform Releases Feature Information Additional References 32-32 IN-1 D E IN-2 FTP Http IN-3 CSC CPU IN-4 CSC SSM GUI IN-5 Application inspection IN-6 IPS IN-7 See also class map IN-8 See Icmp IN-9 See QoS IN-10 See PAT IN-11 URL IN-12

Cisco Systems ASA Services Module, ASA 5505, ASA 5545-X Prerequisites for Cloud Web Security, 25-7

Models: ASA Services Module ASA 5555-X ASA 5545-X ASA 5585-X ASA 5580 ASA 5505

Model

Prerequisites for Cloud Web Security

(Optional) User Authentication Prerequisites

(Optional) Fully Qualified Domain Name Prerequisites

Guidelines and Limitations

IPv6 Guidelines

Additional Guidelines

Cisco ASA Series Firewall ASDM Configuration Guide

25-7

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications