Main
Cisco ASDM User Guide
Page
CONTENTS
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Page
Preface
Related Documentation
Document Conventions
Obtaining Documentation and Submitting a Service Request
Page
Page
Welcome to ASDM
ASDM Client Operating System and Browser Requirements
VPN Specifications
Supported Platforms and SSMs
Page
New ASDM Features
Multiple ASDM Session Support
Unsupported Commands
Ignored and View-Only Commands
Effects of Unsupported Commands
Discontinuous Subnet Masks Not Supported
Interactive User Commands Not Supported by the ASDM CLI Tool
About the ASDM Interface
Menus
File Menu
View Menu
Tools Menu
Wizards Menu
Window Menu
Help Menu
Toolbar
ASDM Assistant
How Do I? Tab
Search Tab
Status Bar
Connection to Device
Device List
Common Buttons
Keyboard Shortcuts
Page
Enabling Extended Screen Reader Support
Organizational Folder
About the Help Window
Header Buttons
Browser Window
Home Pane
Device Dashboard Tab
Page
Firewall Dashboard Tab
Content Security Tab
Page
Intrusion Prevention Tab
Connecting to IPS
Page
System Home Pane
Page
Introduction to the Security Appliance
New Features by Platform Release
New Features in Version 8.1(2)
Page
Page
New Features in Version 8.1(1)
New Features in Version 8.0(4)
Page
Page
Page
New Features in Version 8.0(3)
New Features in Version 8.0(2)
Page
Page
Page
Page
Page
Firewall Functional Overview
Security Policy Overview
Permitting or Denying Traffic with Access Lists
Applying NAT
Protecting from IP Fragments
Using AAA for Through Traffic
Applying HTTP, HTTPS, or FTP Filtering
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
Sending Traffic to the Content Security and Control Security Services Module
Applying QoS Policies
Applying Connection Limits and TCP Normalization
Enabling Threat Detection
Firewall Mode Overview
Stateful Inspection Overview
VPN Functional Overview
Security Context Overview
Page
Page
Defining Preferences and Using Configuration, Diagnostic, and File Management Tools
Preferences
Page
Configuration Tools
Reset Device to the Factory Default Configuration
Save Running Configuration to TFTP Server
Save Internal Log Buffer to Flash
Command Line Interface
Command Errors
Interactive Commands
Avoiding Conflicts with Other Administrators
Show Commands Ignored by ASDM on Device
Diagnostic Tools
Packet Tracer
Ping
Using the Ping Tool
Troubleshooting the Ping Tool
Pinging from a Security Appliance Interface
Pinging to a Security Appliance Interface
Pinging Through the Security Appliance
Traceroute
Administrators Alert to Clientless SSL VPN Users
ASDM Java Console
Packet Capture Wizard
Page
Field Information for the Packet Capture Wizard
Ingress Traffic Selector
Egress Traffic Selector
Buffers
Summary
Run Captures
Save Captures
File Management Tools
File Management
Manage Mount Points
Add/Edit a CIFS/FTP Mount Point
Upgrade Software from Local Computer
File Transfer
Upgrade Software from Cisco.com Wizard
Page
ASDM Assistant
System Reload
Backup and Restore
Backing Up Configurations
Page
Page
Restoring Configurations
Page
Before You Start
Factory Default Configurations
Restoring the Factory Default Configuration
ASA 5505 Default Configuration
4-3
ASA 5510 and Higher Version Default Configuration
command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.
The DHCP server is enabled on the adaptive security appliance, so a computer connecting to the
interface receives an address between 192.168.1.2 and 192.168.1.254.
The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
Configuring the Security Appliance for ASDM Access
Setting Transparent or Routed Firewall Mode at the CLI
Page
Starting ASDM
Downloading the ASDM Launcher
Starting ASDM from the ASDM Launcher
Using ASDM in Demo Mode
Starting ASDM from a Web Browser
Configuration Overview
Page
Page
Page
Page
Page
Using the Startup Wizard
Startup Wizard Screens for ASA 5500 Series and PIX 500 Series Security Appliances
Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance
Step 1 - Starting Point or Welcome
Step 2 - Basic Configuration
Step 3 - Auto Update Server
Step 4 - Management IP Address Configuration
Step 5 - Interface Selection
Step 6 - Switch Port Allocation
Step 7 - Interface IP Address Configuration
Step 8 - Internet Interface Configuration - PPPoE
Step 9 - Business Interface Configuration - PPPoE
Step 10 - Home Interface Configuration - PPPoE
Step 11 - General Interface Configuration
Step 12 - Static Routes
Add/Edit Static Routes
Step 13 - DHCP Server
Step 14 - Address Translation (NAT/PAT)
Step 15 - Administrative Access
Add/Edit Administrative Access Entry
Step 16 - Easy VPN Remote Configuration
Page
Step 17 - Startup Wizard Summary
Other Interfaces Configuration
Edit Interface
Interface Configuration
Outside Interface Configuration - PPPoE
Outside Interface Configuration
Page
Page
Configuring Basic Device Settings
Management IP Address
System Time
Clock
NTP
Add/Edit NTP Server Configuration
Configuring Advanced Device Management Features
Configuring HTTP Redirect
Edit HTTP/HTTPS Settings
Configuring Maximum SSL VPN Sessions
History Metrics
System Image/Configuration
Activation Key
Auto Update
Page
Set Polling Schedule
Add/Edit Auto Update Server
Advanced Auto Update Settings
Boot Image/Configuration
Add Boot Image
Device Name/Password
System Software
Add/Edit Client Update
Page
Page
Configuring Interfaces in Single Mode
Interface Overview
Physical Interface Overview
Default Physical Interface Settings
Connector Types
Redundant Interface Overview
Redundant Interfaces and Failover Guidelines
Redundant Interface MAC Address
Physical Interface Guidelines for Use in a Redundant Interface
VLAN Subinterface and 802.1Q Trunking Overview
Maximum Subinterfaces
Preventing Untagged Packets on the Physical Interface
Default State of Interfaces
Default Security Level
Configuring an Interface (Single Mode)
Page
Page
Enabling Same Security Level Communication (Single Mode)
PPPoE IP Address and Route Settings
Page
Configuring Interfaces in Multiple Mode
Configuring Interfaces in the System Configuration (Multiple Mode)
Configuring Physical Interfaces in the System Configuration (Multiple Mode)
Physical Interface Overview
Default State of Physical Interfaces
Connector Types
Auto-MDI/MDIX Feature
Configuring Redundant Interfaces in the System Configuration (Multiple Mode)
Redundant Interface Overview
Default State of Redundant Interfaces
Redundant Interfaces and Failover Guidelines
Redundant Interface MAC Address
Physical Interface Guidelines for Use in a Redundant Interface
Configuring VLAN Subinterfaces and 802.1Q Trunking in the System Configuration (Multiple Mode)
Subinterface Overview
Default State of Subinterfaces
Maximum Subinterfaces
Adding a Subinterface in the System Configuration (Multiple Mode)
Enabling Jumbo Frame Support for the ASA 5580 in the System Configuration (Multiple Mode)
Allocating Interfaces to Contexts
Configuring Interface Parameters within each Context (Multiple Mode)
Interface Parameters Overview
Default State of Interfaces
Default Security Level
Configuring Interface Parameters in each Context (Multiple Mode)
Enabling Same Security Level Communication (Multiple Mode)
Page
Page
Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
Interface Overview
Understanding ASA 5505 Ports and Interfaces
Maximum Active VLAN Interfaces for Your License
Page
Default Interface Configuration
VLAN MAC Addresses
Power Over Ethernet
Monitoring Traffic Using SPAN
Security Level Overview
Configuring VLAN Interfaces
Interfaces > Interfaces
Page
Add/Edit Interface > General
Page
Add/Edit Interface > Advanced
Configuring Switch Ports
Interfaces > Switch Ports
Edit Switch Port
Page
Page
Configuring Security Contexts
Security Context Overview
Common Uses for Security Contexts
Unsupported Features
Context Configuration Files
How the Security Appliance Classifies Packets
Valid Classifier Criteria
Unique Interfaces
Unique MAC Addresses
NAT Configuration
Invalid Classifier Criteria
Classification Examples
Page
10-6
Cascading Security Contexts
Management Access to Security Contexts
System Administrator Access
Context Administrator Access
Enabling or Disabling Multiple Context Mode
Backing Up the Single Mode Configuration
Enabling Multiple Context Mode
Restoring Single Context Mode
Configuring Resource Classes
Classes and Class Members Overview
Resource Limits
Default Class
Class Members
Adding a Resource Class
Page
Monitoring Context Resource Usage
Configuring Security Contexts
Adding a Security Context
Automatically Assigning MAC Addresses
MAC Address Overview
Enabling Automatic MAC Address Assignment
Configuring Dynamic And Static Routing
Dynamic Routing
OSPF
Setup
Setup > Process Instances Tab
Edit OSPF Process Advanced Properties
Page
Setup > Area/Networks Tab
Add/Edit OSPF Area
Page
Setup > Route Summarization Tab
Add/Edit Route Summarization
Filtering
Add/Edit Filtering Entry
Interface
Interface > Authentication Tab
Edit OSPF Interface Authentication
Interface > Properties Tab
Edit OSPF Interface Properties
Edit OSPF Interface Advanced Properties
Redistribution
Page
Add/Edit OSPF Redistribution Entry
Static Neighbor
Add/Edit OSPF Neighbor Entry
Summary Address
Add/Edit OSPF Summary Address Entry
Virtual Link
Add/Edit Virtual Link
Advanced OSPF Virtual Link Properties
RIP
Setup
Interface
Edit RIP Interface Entry
Filter Rules
Add/Edit Filter Rule
Network Rule
Redistribution
Add/Edit Route Redistribution
EIGRP
Configuring EIGRP
Field Information for the EIGRP Panes
Setup
Process Instances
Edit EIGRP Process Advanced Properties
Networks
Passive Interfaces
Filter Rules
Interface
Redistribution
Static Neighbor
Summary Address
Default Information
Static Routes
Static Route Tracking
Configuring Static Route Tracking
Field Information for Static Routes
Static Routes
Add/Edit Static Route
Route Monitoring Options
ASR Group
Proxy ARPs
Configuring Multicast Routing
Multicast
IGMP
Access Group
Add/Edit Access Group
Join Group
Add/Edit IGMP Join Group
Protocol
Configure IGMP Parameters
Static Group
Add/Edit IGMP Static Group
Multicast Route
Add/Edit Multicast Route
MBoundary
Edit Boundary Filter
Add/Edit/Insert Neighbor Filter Entry
MForwarding
PIM
Protocol
Edit PIM Protocol
Neighbor Filter
Add/Edit/Insert Neighbor Filter Entry
Bidirectional Neighbor Filter
Add/Edit/Insert Bidirectional Neighbor Filter Entry
Rendezvous Points
Add/Edit Rendezvous Point
Page
Multicast Group
Request Filter
Request Filter Entry
Route Tree
DHCP, DNS and WCCP Services
DHCP Relay
Page
Edit DHCP Relay Agent Settings
Add/Edit Global DHCP Relay Server
DHCP Server
Page
Edit DHCP Server
Advanced DHCP Options
Page
DNS Client
Add/Edit DNS Server Group
Dynamic DNS
Page
Add/Edit Dynamic DNS Update Methods
Add/Edit Dynamic DNS Interface Settings
WCCP
WCCP Service Groups
Add or Edit WCCP Service Group
Redirection
Add or Edit WCCP Redirection
Page
Configuring AAA Servers and the Local Database
AAA Overview
About Authentication
About Authorization
About Accounting
AAA Server and Local Database Support
Summary of Support
RADIUS Server Support
Authentication Methods
Attribute Support
RADIUS Authorization Functions
TACACS+ Server Support
SDI Server Support
SDI Version Support
Two-step Authentication Process
SDI Primary and Replica Servers
NT Server Support
LDAP Server Support
Authentication with LDAP
Securing LDAP Authentication with SASL
LDAP Server Types
Authorization with LDAP for VPN
SSO Support for WebVPN with HTTP Forms
Local Database Support
User Profiles
Fallback Support
Configuring AAA Server Groups
Adding a Server Group
Adding a Server to a Group
AAA Server Parameters
RADIUS Server Fields
Page
TACACS+ Server Fields
SDI Server Fields
Windows NT Domain Server Fields
Kerberos Server Fields
LDAP Server Fields
Page
HTTP Form Server Fields
Testing Server Authentication and Authorization
Adding a User Account
Page
Configuring VPN Policy Attributes for a User
Page
Configuring LDAP Attribute Maps
Adding an Authentication Prompt
Page
High Availability
Understanding Failover
Active/Standby Failover
Active/Active Failover
Stateless (Regular) Failover
Stateful Failover
Configuring Failover with the High Availability and Scalability Wizard
Accessing and Using the High Availability and Scalability Wizard
Configuring Active/Active Failover with the High Availability and Scalability
Configuring Active/Standby Failover with the High Availability and Scalability
Configuring VPN Load Balancing with the High Availability and Scalability
Field Information for the High Availability and Scalability Wizard
Choose the Type of Failover Configuration
Check Failover Peer Connectivity and Compatibility
Change Device to Multiple Mode
Select Failover Communication Media
Security Context Configuration
Failover Link Configuration
State Link Configuration
Standby Address Configuration
VPN Cluster Load Balancing Configuration
Page
Summary
Field Information for the Failover Panes
Failover - Single Mode
Failover: Setup
Page
Failover: Interfaces (Routed Firewall Mode)
Edit Failover Interface Configuration (Routed Firewall Mode)
Failover: Interfaces (Transparent Firewall Mode)
Edit Failover Interface Configuration (Transparent Firewall Mode)
Failover: Criteria
Failover: MAC Addresses
Add/Edit Interface MAC Address
Failover-Multiple Mode, Security Context
Failover - Routed
Edit Failover Interface Configuration
Failover - Transparent
Edit Failover Interface Configuration
Failover-Multiple Mode, System
Failover > Setup Tab
Page
Failover > Criteria Tab
Failover > Active/Active Tab
Add/Edit Failover Group
Add/Edit Interface MAC Address
Failover > MAC Addresses Tab
Add/Edit Interface MAC Address
Page
Configuring Management Access
Configuring Device Access for ASDM, Telnet, or SSH
Configuring CLI Parameters
Adding a Banner
Customizing a CLI Prompt
Changing the Console Timeout Period
Configuring File Access
Configuring the FTP Client Mode
Configuring the Security Appliance as a Secure Copy Server
Configuring the Security Appliance as a TFTP Client
Adding Mount Points
Adding a CIFS Mount Point
Adding an FTP Mount Point
Configuring Configuring ICMP Access
Page
Configuring a Management Interface
Configuring SNMP
Information About SNMP
Information About SNMP Terminology
Information About the Management Information Base and Traps
Page
Page
16-13
MIB or Trap Support Description of Security Appliance Support
ENTITY-MIB Browsing of the following groups and tables:
entPhysicalTable entLogicalTable
The following objects are supported:
16-14
MIB or Trap Support Description of Security Appliance Support
ENTITY-MIB (continued)
Page
Page
Configuring an SNMP Agent and Management Station
Configuring the SNMP Agent
Adding an SNMP Management Station
Configuring SNMP Traps
Configuring Management Access Rules
Configuring AAA for System Administrators
Configuring Authentication for CLI, ASDM, and enable command Access
Page
Limiting User CLI and ASDM Access with Management Authorization
Configuring Command Authorization
Command Authorization Overview
Supported Command Authorization Methods
About Preserving User Credentials
Security Contexts and Command Authorization
Configuring Local Command Authorization
Local Command Authorization Prerequisites
Default Command Privilege Levels
Assigning Privilege Levels to Commands and Enabling Authorization
Configuring TACACS+ Command Authorization
TACACS+ Command Authorization Prerequisites
Configuring Commands on the TACACS+ Server
Page
Enabling TACACS+ Command Authorization
Configuring Management Access Accounting
Recovering from a Lockout
Page
Page
Configuring Logging
About Logging
Security Contexts in Logging
Using Logging
Logging Setup
Configure FTP Settings
Configure Logging Flash Usage
Syslog Setup
Edit Syslog ID Settings
Advanced Syslog Configuration
E-Mail Setup
Add/Edit E-Mail Recipients
Event Lists
Page
Add/Edit Event List
Add/Edit Syslog Message ID Filter
Logging Filters
Edit Logging Filters
Page
Add/Edit Class and Severity Filter
Add/Edit Syslog Message ID Filter
Rate Limit
Edit Rate Limit for Syslog Logging Level
Add/Edit Rate Limit for Syslog Message
Syslog Servers
Add/Edit Syslog Server
SMTP
Using NetFlow
Matching NetFlow Events to Configured Collectors
Page
Page
Page
Firewall Mode Overview
Routed Mode Overview
IP Routing Support
How Data Moves Through the Security Appliance in Routed Firewall Mode
An Inside User Visits a Web Server
An Outside User Visits a Web Server on the DMZ
An Inside User Visits a Web Server on the DMZ
An Outside User Attempts to Access an Inside Host
A DMZ User Attempts to Access an Inside Host
Transparent Mode Overview
Transparent Firewall Network
Allowing Layer 3 Traffic
Allowed MAC Addresses
Passing Traffic Not Allowed in Routed Mode
MAC Address vs. Route Lookups
Using the Transparent Firewall in Your Network
Transparent Firewall Guidelines
Unsupported Features in Transparent Mode
How Data Moves Through the Transparent Firewall
An Inside User Visits a Web Server
An Inside User Visits a Web Server Using NAT
An Outside User Visits a Web Server on the Inside Network
An Outside User Attempts to Access an Inside Host
Page
Adding Global Objects
Using Network Objects and Groups
Network Object Overview
Configuring a Network Object
Configuring a Network Object Group
Using Network Objects and Groups in a Rule
Viewing the Usage of a Network Object or Group
Configuring Service Groups
Service Groups
Add/Edit Service Group
Browse Service Groups
Configuring Class Maps
Configuring Inspect Maps
Configuring Regular Expressions
Regular Expressions
Add/Edit Regular Expression
Page
Build Regular Expression
Page
Test Regular Expression
Add/Edit Regular Expression Class Map
Configuring TCP Maps
Configuring Global Pools
Configuring Time Ranges
Add/Edit Time Range
Add/Edit Recurring Time Range
Encrypted Traffic Inspection
TLS Proxy Wizard
Page
Configure TLS Proxy Pane
Adding a TLS Proxy Instance
Add TLS Proxy Instance Wizard Server Configuration
Add TLS Proxy Instance Wizard Client Configuration
Page
Add TLS Proxy Instance Wizard Other Steps
Phone Proxy
Configuring the Phone Proxy
Creating a Phone Proxy Instance
Page
Add/Edit TFTP Server
CTL File
Creating a CTL File
Add/Edit Record Entry
TLS Proxy
Add/Edit TLS Proxy
CTL Provider
Add/Edit CTL Provider
Page
Configuring Access Rules and EtherType Rules
Information About Access Rules and EtherType Rules
Information About Both Access Rules and EtherType Rules
Using Access Rules and EtherType Rules on the Same Interface
Rule Order
Implicit Deny
Inbound and Outbound Rules
Information About Access Rules
IP Addresses Used for Access Rules When You Use NAT
Page
Access Rules for Returning Traffic
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
Information About EtherType Rules
Supported EtherTypes
Implicit Permit of IP and ARPs Only
IPv6 Unsupported
Allowing MPLS
Configuring Access Rules
Page
Page
Rule Queries
New/Edit Rule Query
Add/Edit Access Rule
Manage Service Groups
Add/Edit Service Group
Advanced Access Rule Configuration
Log Options
Page
Configuring Ethertype Rules (Transparent Mode Only)
Add/Edit EtherType Rule
Page
Configuring NAT
NAT Overview
Introduction to NAT
NAT in Routed Mode
NAT in Transparent Mode
21-4
NAT Control
Page
NAT Types
Dynamic NAT
21-7
PAT
Static NAT
Static PAT
Bypassing NAT When NAT Control is Enabled
Policy NAT
21-11
NAT and Same Security Level Interfaces
Order of NAT Rules Used to Match Real Addresses
Mapped Address Guidelines
DNS and NAT
Page
Configuring NAT Control
Using Dynamic NAT
Dynamic NAT Implementation
Real Addresses and Global Pools Paired Using a Pool ID
NAT Rules on Different Interfaces with the Same Global Pools
Global Pools on Different Interfaces with the Same Pool ID
Multiple NAT Rules with Different Global Pools on the Same Interface
Multiple Addresses in the Same Global Pool
Outside NAT
Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces
Managing Global Pools
Configuring Dynamic NAT, PAT, or Identity NAT
Page
Configuring Dynamic Policy NAT or PAT
Page
Using Static NAT
Configuring Static NAT, PAT, or Identity NAT
Page
Page
Configuring Static Policy NAT, PAT, or Identity NAT
Page
Using NAT Exemption
Page
Page
Configuring Service Policy Rules
Service Policy Overview
Supported Features
Service Policy Elements
Default Global Policy
Feature Directionality
Feature Matching Guidelines
Order in Which Multiple Feature Actions within a Rule are Applied
Incompatibility of Certain Feature Actions
Feature Matching Guidelines for Multiple Service Policies
Adding a Service Policy Rule for Through Traffic
Page
Page
Page
Adding a Service Policy Rule for Management Traffic
RADIUS Accounting Inspection Overview
Configuring a Service Policy Rule for Management Traffic
Page
Page
Managing the Order of Service Policy Rules
RADIUS Accounting Field Descriptions
Select RADIUS Accounting Map
Add RADIUS Accounting Policy Map
RADIUS Inspect Map
RADIUS Inspect Map Host
RADIUS Inspect Map Other
Page
Applying AAA for Network Access
AAA Performance
Configuring Authentication for Network Access
Information About Authentication
One-Time Authentication
Applications Required to Receive an Authentication Challenge
Security Appliance Authentication Prompts
Static PAT and HTTP
Configuring Network Access Authentication
Enabling the Redirection Method of Authentication for HTTP and HTTPS
Enabling Secure Authentication of Web Clients
Authenticating Directly with the Security Appliance
Authenticating Telnet Connections with a Virtual Server
Authenticating HTTP(S) Connections with a Virtual Server
Page
Configuring the Authentication Proxy Limit
Configuring Authorization for Network Access
Configuring TACACS+ Authorization
Configuring RADIUS Authorization
Configuring a RADIUS Server to Send Downloadable Access Control Lists
About the Downloadable Access List Feature and Cisco Secure ACS
Page
Configuring Cisco Secure ACS for Downloadable Access Lists
Configuring Any RADIUS Server for Downloadable Access Lists
Converting Wildcard Netmask Expressions in Downloadable Access Lists
Configuring a RADIUS Server to Download Per-User Access Control List Names
Configuring Accounting for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Page
Page
Configuring Application Layer Protocol Inspection
Inspection Engine Overview
When to Use Application Protocol Inspection
Inspection Limitations
Default Inspection Policy
Configuring Application Inspection
CTIQBE Inspection
CTIQBE Inspection Overview
Limitations and Restrictions
DCERPC Inspection
DNS Inspection
How DNS Application Inspection Works
How DNS Rewrite Works
ESMTP Inspection
FTP Inspection
FTP Inspection Overview
Using Strict FTP
Verifying and Monitoring FTP Inspection
GTP Inspection
H.323 Inspection
H.323 Inspection Overview
How H.323 Works
Limitations and Restrictions
HTTP Inspection
Instant Messaging Inspection
ICMP Inspection
ICMP Error Inspection
ILS Inspection
MGCP Inspection
Page
MMP Inspection
Configuring MMP Inspection for a TLS Proxy
NetBIOS Inspection
PPTP Inspection
RADIUS Accounting Inspection
RSH Inspection
RTSP Inspection
RTSP Inspection Overview
Using RealPlayer
Restrictions and Limitations
SIP Inspection
SIP Inspection Overview
SIP Instant Messaging
Skinny (SCCP) Inspection
SCCP Inspection Overview
Supporting Cisco IP Phones
Restrictions and Limitations
SMTP and Extended SMTP Inspection
SNMP Inspection
SQL*Net Inspection
Sun RPC Inspection
Sun RPC Inspection Overview
SUNRPC Server
Add/Edit SUNRPC Service
TFTP Inspection
XDMCP Inspection
Service Policy Field Descriptions
Rule Actions > Protocol Inspection Tab
Page
Select DCERPC Map
Select DNS Map
Select ESMTP Map
Select FTP Map
Select GTP Map
Select H.323 Map
Select HTTP Map
Select IM Map
Select IPSec-Pass-Thru Map
Select MGCP Map
Select NETBIOS Map
Select RTSP Map
Select SCCP (Skinny) Map
Select SIP Map
Select SNMP Map
Class Map Field Descriptions
DNS Class Map
Add/Edit DNS Traffic Class Map
Add/Edit DNS Match Criterion
Page
Manage Regular Expressions
Manage Regular Expression Class Maps
FTP Class Map
Add/Edit FTP Traffic Class Map
Add/Edit FTP Match Criterion
Page
H.323 Class Map
Add/Edit H.323 Traffic Class Map
Add/Edit H.323 Match Criterion
HTTP Class Map
Add/Edit HTTP Traffic Class Map
Add/Edit HTTP Match Criterion
Page
Page
Page
IM Class Map
Add/Edit IM Traffic Class Map
Add/Edit IM Match Criterion
Page
SIP Class Map
Add/Edit SIP Traffic Class Map
Add/Edit SIP Match Criterion
Page
Inspect Map Field Descriptions
Page
Page
DCERPC Inspect Map
Add/Edit DCERPC Policy Map
DNS Inspect Map
Page
Add/Edit DNS Policy Map (Security Level)
Add/Edit DNS Policy Map (Details)
Page
Add/Edit DNS Inspect
Manage Class Maps
ESMTP Inspect Map
MIME File Type Filtering
Add/Edit ESMTP Policy Map (Security Level)
Add/Edit ESMTP Policy Map (Details)
Add/Edit ESMTP Inspect
Page
Page
Page
FTP Inspect Map
File Type Filtering
Add/Edit FTP Policy Map (Security Level)
Add/Edit FTP Policy Map (Details)
Add/Edit FTP Map
Page
GTP Inspect Map
IMSI Prefix Filtering
Add/Edit GTP Policy Map (Security Level)
Add/Edit GTP Policy Map (Details)
Page
Add/Edit GTP Map
H.323 Inspect Map
Phone Number Filtering
Add/Edit H.323 Policy Map (Security Level)
Add/Edit H.323 Policy Map (Details)
Add/Edit HSI Group
Add/Edit H.323 Map
HTTP Inspect Map
URI Filtering
Add/Edit HTTP Policy Map (Security Level)
Add/Edit HTTP Policy Map (Details)
Add/Edit HTTP Map
Page
Page
Page
Instant Messaging (IM) Inspect Map
Add/Edit Instant Messaging (IM) Policy Map
Add/Edit IM Map
Page
IPSec Pass Through Inspect Map
Add/Edit IPSec Pass Thru Policy Map (Security Level)
Add/Edit IPSec Pass Thru Policy Map (Details)
MGCP Inspect Map
Gateways and Call Agents
Add/Edit MGCP Policy Map
Add/Edit MGCP Group
NetBIOS Inspect Map
Add/Edit NetBIOS Policy Map
RTSP Inspect Map
Add/Edit RTSP Policy Map
Add/Edit RTSP Inspect
SCCP (Skinny) Inspect Map
Message ID Filtering
Add/Edit SCCP (Skinny) Policy Map (Security Level)
Add/Edit SCCP (Skinny) Policy Map (Details)
Add/Edit Message ID Filter
SIP Inspect Map
Add/Edit SIP Policy Map (Security Level)
Add/Edit SIP Policy Map (Details)
Page
Add/Edit SIP Inspect
Page
SNMP Inspect Map
Add/Edit SNMP Map
Page
Configuring QoS
QoS Overview
Supported QoS Features
What is a Token Bucket?
Policing Overview
Priority Queueing Overview
Traffic Shaping Overview
How QoS Features Interact
DSCP and DiffServ Preservation
Creating the Standard Priority Queue for an Interface
Creating a Policy for Standard Priority Queueing and/or Policing
Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing
Page
Configuring Filter Rules
URL Filtering
Configuring URL Filtering
URL Filtering Servers
Add/Edit Parameters for Websense URL Filtering
Add/Edit Parameters for Secure Computing SmartFilter URL Filtering
Advanced URL Filtering
Filter Rules
Page
Add/Edit Filter Rule
Page
Filtering the Rule Table
Define Query
Browse Source/Destination/Service
Page
Configuring Advanced Firewall Protection
Configuring Threat Detection
Configuring Basic Threat Detection
Basic Threat Detection Overview
Configuring Basic Threat Detection
Configuring Scanning Threat Detection
Configuring Threat Statistics
Page
Configuring Connection Settings
Connection Limit Overview
TCP Intercept Overview
Disabling TCP Intercept for Management Packets for Clientless SSL VPN Compatibility
Dead Connection Detection Overview
TCP Normalization Overview
Enabling Connection Limits and TCP Normalization
Page
Page
Configuring IP Audit
IP Audit Policy
Add/Edit IP Audit Policy Configuration
IP Audit Signatures
IP Audit Signature List
Page
Page
Page
Configuring the Fragment Size
Show Fragment
Edit Fragment
Configuring Anti-Spoofing
Configuring TCP Options
Page
TCP Reset Settings
Configuring Global Timeouts
Page
Configuring IPS
AIP SSM Overview
How the AIP SSM Works with the Adaptive Security Appliance
Operating Modes
Using Virtual Sensors
AIP SSM Procedure Overview
Accessing IDM from ASDM
Configuring the AIP SSM Security Policy in IDM
Assigning Virtual Sensors to Security Contexts
Diverting Traffic to the AIP SSM
Intrusion Prevention Tab Field Descriptions
Resetting the AIP SSM Password
Configuring Trend Micro Content Security
Connecting to the CSC SSM
Managing the CSC SSM
About the CSC SSM
Page
Getting Started with the CSC SSM
Page
Determining What Traffic to Scan
Page
Rule Actions for CSC Scanning
CSC SSM Setup
Activation/License
IP Configuration
Host/Notification Settings
Management Access Host/Networks
Password
Restoring the Default Password
Wizard Setup
CSC Setup Wizard Activation Codes Configuration
CSC Setup Wizard IP Configuration
CSC Setup Wizard Host Configuration
CSC Setup Wizard Management Access Configuration
CSC Setup Wizard Password Configuration
CSC Setup Wizard Traffic Selection for CSC Scan
Specify traffic for CSC Scan
CSC Setup Wizard Summary
Web
Mail
SMTP Tab
POP3 Tab
File Transfer
Updates
Page
Configuring ARP Inspection and Bridging Parameters
Configuring ARP Inspection
ARP Inspection
Edit ARP Inspection Entry
ARP Static Table
Add/Edit ARP Static Configuration
Customizing the MAC Address Table
MAC Address Table
Page
Add/Edit MAC Address Entry
MAC Learning
Page
Page
SSL VPN Wizard
SSL VPN Feature
SSL VPN Interface
User Authentication
Group Policy
Bookmark List
IP Address Pools and Client Image
Summary
Page
Page
VPN
VPN Wizard
VPN Tunnel Type
Remote Site Peer
IKE Policy
Hosts and Networks
Summary
Remote Access Client
VPN Client Authentication Method and Name
Client Authentication
New Authentication Server Group
User Accounts
Address Pool
Attributes Pushed to Client
IPsec Settings (Optional)
Page
Page
Page
Configuring Certificates
CA Certificate Authentication
Page
Add/Install a CA Certificate
Edit CA Certificate Configuration
Show CA Certificate Details
Request CRL
Delete a CA Certificate
Configuration Options for CA Certificates
Page
Page
Page
Advanced Configuration Options
Page
Identity Certificates Authentication
Page
Page
Page
Show Identity Certificate Details
Delete an Identity Certificate
Export an Identity Certificate
Generate Certificate Signing Request
Installing Identity Certificates
Code-Signer Certificates
Show Code-Signer Certificate Details
Delete a Code-Signer Certificate
Import or Export a Code-Signer Certificate
Local Certificate Authority
Default Local CA Server
Configuring the Local CA Sever
Page
More Local CA Configuration Options
Page
Deleting the Local CA Server
Manage User Certificates
Revoking a Local CA Certificate
Unrevoking a Local CA Certificate
Manage User Database
Add a Local CA User
Edit a Local CA User
Page
IKE
IKE Parameters
Page
Page
IKE Policies
Add/Edit IKE Policy
Assignment Policy
Address Pools
Add/Edit IP Pool
IPsec
Crypto Maps
Page
Create IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab
Page
Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab
Create IPsec Rule/Traffic Selection Tab
Page
Page
Pre-Fragmentation
Edit IPsec Pre-Fragmentation Policy
IPsec Transform Sets
Add/Edit Transform Set
Load Balancing
Page
Page
Setting Global NAC Parameters
Configuring Network Admission Control Policies
About NAC
Uses, Requirements, and Limitations
What to Do Next
Add/Edit Posture Validation Exception
Page
Page
General
Client Software
Page
Edit Client Update Entry
Default Tunnel Gateway
Group Policies
Add/Edit External Group Policy
Add AAA Server Group
Adding or Editing a Remote Access Internal Group Policy, General Attributes
Page
Configuring the Portal for a Group Policy
Page
Configuring Customization for a Group Policy
Adding or Editing a Site-to-Site Internal Group Policy
Browse Time Range
Add/Edit Time Range
Add/Edit Recurring Time Range
ACL Manager
Standard ACL
Extended ACL
Add/Edit/Paste ACE
Page
Browse Source/Destination Address
Browse Source/Destination Port
Add TCP Service Group
Browse ICMP
Add ICMP Group
Browse Other
Add Protocol Group
Add/Edit Internal Group Policy > Servers
Add/Edit Internal Group Policy > IPSec Client
Client Access Rules
Add/Edit Client Access Rule
Add/Edit Internal Group Policy > Client Configuration Tab
Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab
View/Config Banner
Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab
Add or Edit Internal Group Policy > Advanced > IE Browser Proxy
Add/Edit Standard Access List Rule
Add/Edit Internal Group Policy > Client Firewall Tab
Page
Add/Edit Internal Group Policy > Hardware Client Tab
Page
Add/Edit Server and URL List
Add/Edit Server or URL
Configuring SSL VPN Connections
Setting the Basic Attributes for an SSL VPN Connection
Setting Advanced Attributes for an IPSec or SSL VPN Connection
Setting General Attributes for an IPSec or SSL VPN Connection
Page
Configuring SSL VPN Client Connections
Login Setting
Key Regeneration
Dead Peer Detection
Customization
ACLs
Configuring Clientless SSL VPN Connections
Add or Edit Clientless SSL VPN Connections
Add or Edit Clientless SSL VPN Connections > Basic
Add or Edit Clientless SSL VPN Connections > Advanced
Add or Edit Clientless SSL VPN Connections > Advanced > General
Page
Assign Authentication Server Group to Interface
Add or Edit SSL VPN Connections > Advanced > Authorization
Assign Authorization Server Group to Interface
Add or Edit SSL VPN Connections > Advanced > SSL VPN
Add or Edit Clientless SSL VPN Connections > Advanced > SSL VPN
Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers
Configure DNS Server Groups
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN
IPSec Remote Access Connection Profiles
Add or Edit an IPSec Remote Access Connection Profile
Add or Edit IPSec Remote Access Connection Profile Basic
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Add/Edit Certificate Matching Rule
Add/Edit Certificate Matching Rule Criterion
Configure Site-to-Site Tunnel Groups
Add/Edit Site-to-Site Connection
Adding or Editing a Site-to-Site Tunnel Group
Crypto Map Entry
Crypto Map Entry for Static Peer Address
Managing CA Certificates
Install Certificate
Configure Options for CA Certificate
Revocation Check Tab
Add/Edit Remote Access Connections > Advanced > General
Configuring Client Addressing
Add IPSec Remote Access Connection and Add SSL VPN Access Connection
Assign Address Pools to Interface
Select Address Pools
Add or Edit IP Pool
Add/Edit Tunnel Group > General Tab > Authentication
Add/Edit SSL VPN Connection > General > Authorization
Page
Add/Edit SSL VPN Connections > Advanced > Accounting
Add/Edit Tunnel Group > General > Client Address Assignment
Add/Edit Tunnel Group > General > Advanced
Add/Edit Tunnel Group > IPSec for Remote Access > IPSec
Page
Add/Edit Tunnel Group for Site-to-Site VPN
Add/Edit Tunnel Group > PPP
Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General > Basic
Page
Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec
Page
Add/Edit Tunnel Group > Clientless SSL VPN Access > General > Basic
Add/Edit Tunnel Group > Clientless SSL VPN > Basic
Configuring Internal Group Policy IPSec Client Attributes
Configuring Client Addressing for SSL VPN Connections
Assign Address Pools to Interface
Select Address Pools
Add or Edit an IP Address Pool
Authenticating SSL VPN Connections
System Options
Configuring SSL VPN Connections, Advanced
Configuring Split Tunneling
Zone Labs Integrity Server
Page
Easy VPN Remote
Page
Advanced Easy VPN Properties
Page
Page
Configuring Dynamic Access Policies
Understanding VPN Access Policies
Configuring Dynamic Access Policies
DAP Support for Remote Access Connection Types
DAP and AAA
AAA Attribute Definitions
DAP and Endpoint Security
Endpoint Attribute Definitions
Page
DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs
DAP Connection Sequence
Test Dynamic Access Policies
Add/Edit Dynamic Access Policies
Page
Page
Page
Page
Add/Edit AAA Attributes
Page
Retrieve AD Groups from selected AD Server Group
Add/Edit Endpoint Attributes
Page
Guide
Syntax for Creating Lua EVAL Expressions
Constructing DAP Logical Expressions
The DAP CheckAndMsg Function
Checking for a Single Antivirus Program
Checking for Antivirus Definitions Within the Last 10 Days
Checking for a Hotfix on the User PC
Checking for Antivirus Programs
Checking for Antivirus Programs and Definitions Older than 1 1/2 Days
Advanced Lua Functions
OU-Based Match
Group Membership Example
Further Information on Lua
Operator for Endpoint Category
DAP Examples
Using DAP to Define Network Resources
Using DAP to Apply a WebVPN ACL
Enforcing CSD Checks and Applying Policies via DAP
Page
Page
Clientless SSL VPN End User Set-up
Requiring Usernames and Passwords
Communicating Security Tips
Configuring Remote Systems to Use Clientless SSL VPN Features
Page
Page
Page
Page
Capturing Clientless SSL VPN Data
Creating a Capture File
Using a Browser to Display Capture Data
Page
Page
Clientless SSL VPN
Security Precautions
ACLs
Add ACL
Add/Edit ACE
Configuring the Setup for Cisco Secure Desktop
Upload Image
Page
Configuring Application Helper
Add/Edit APCF Profile
Upload APCF package
Auto Signon
Add/Edit Auto Signon Entry
Configuring Session Settings
Java Code Signer
Content Cache
Content Rewrite
Java Code Signer
Encoding
Add\Edit Encoding
Web ACLs
Page
Port Forwarding
Why Port Forwarding?
Requirements and Restrictions
Add/Edit Port Forwarding List
Add/Edit Port Forwarding Entry
Configuring the Use of External Proxy Servers
Configuring Proxy Bypass
Add/Edit Proxy Bypass Rule
DTLS Settings
SSL VPN Client Settings
Page
Add/Replace SSL VPN Client Image
Upload Image
Add/Edit SSL VPN Client Profiles
Upload Package
Bypass Interface Access List
SSO Servers
Configuring SiteMinder and SAML Browser Post Profile
SAML POST SSO Server Configuration
Adding the Cisco Authentication Scheme to SiteMinder
Add/Edit SSO Servers
Clientless SSL VPN Access
Page
Configuring Smart Tunnel Access
About Smart Tunnels
Why Smart Tunnels?
Smart Tunnel Requirements and Limitations
General Requirements and Limitations
Windows Requirements and Limitations
Mac OS Requirements and Limitations
Configuring a Smart Tunnel (Lotus example)
Add or Edit Smart Tunnel List
Add or Edit Smart Tunnel Entry
Page
Add or Edit Smart Tunnel Auto Sign-on Server List
Add or Edit Smart Tunnel Auto Sign-on Server Entry
Configuring Customization Objects
Add Customization Object
Import/Export Customization Object
Creating XML-Based Portal Customization Objects and URL Lists
Understanding the XML Customization File Structure
Page
Page
Page
38-48
Table 38-3 XML-Based Customization File Structure
Customization Example
The following example illustrates the following customization options:
text string Text for TEXT type panes column number
38-49
Using the Customization Template
The Customization Template
38-51
38-52
38-53
38-54
38-55
38-56
38-57
38-58
38-59
38-60
38-61
38-62
Help Customization
Customizing a Help File Provided by Cisco
Creating Help Files for Languages Not Provided by Cisco
Import/Export Application Help Content
Configuring Browser Access to Client-Server Plug-ins
About Installing Browser Plug-ins
Plug-in Requirements and Restrictions
Preparing the Security Appliance for a Plug-in
Installing Plug-ins Redistributed by Cisco
Page
Assembling and Installing Third-Party Plug-insExample: Citrix Java Presentation Server Client
Language Localization
Understanding Language Translation
Page
Creating a Translation Table
Add/Edit Localization Entry
AnyConnect Customization
Resources
Binary
Installs
Import/Export Language Localization
Page
Configure GUI Customization Objects (Bookmark Lists)
Add/Edit Bookmark List
Add Bookmark Entry
Import/Export Bookmark List
Configure GUI Customization Objects (Web Contents)
Import/Export Web Content
Add/Edit Post Parameter
Clientless SSL VPN Macro Substitutions
Using Macros 1 - 4
Using Macros 5 and 6
Example 1: Setting a Homepage
Example 2: Setting a Bookmark or URL Entry
Page
Page
E-Mail Proxy
Configuring E-Mail Proxy
AAA
POP3S Tab
Page
IMAP4S Tab
Page
SMTPS Tab
Access
Page
Edit E-Mail Proxy Access
Authentication
Page
Default Servers
Page
Delimiters
Page
Configuring SSL Settings
SSL
Edit SSL Certificate
SSL Certificates
Page
Page
Page
Monitoring Interfaces
ARP Table
DHCP
DHCP Server Table
DHCP Client Lease Information
DHCP Statistics
MAC Address Table
Dynamic ACLs
Interface Graphs
Page
Page
Graph/Table
PPPoE Client
interface connection
Track Status for
Monitoring Statistics for
Page
Monitoring VPN
VPN Connection Graphs
IPSec Tunnels
Sessions
VPN Statistics
Sessions
Page
Page
Sessions Details
Page
Sub-session Details NAC Details
Encryption Statistics
NAC Session Summary
Protocol Statistics
VLAN Mapping Sessions
Global IKE/IPSec Statistics
Crypto Statistics
Compression Statistics
Cluster Loads
SSO Statistics for Clientless SSL VPN Session
Page
Page
Monitoring Routing
Monitoring OSPF LSAs
Type 1
Type 2
Type 3
Type 4
Type 5
Type 7
Monitoring OSPF Neighbors
Page
Monitoring EIGRP Neighbors
Displaying Routes
Monitoring Properties
Monitoring AAA Servers
Viewing AAA Server Statistics
Updating the Operational State of an AAA Server
Fields Used to Monitor AAA Servers
Monitoring Device Access
Monitoring User Lockouts
Viewing Lockouts
Removing All User Lockouts
Removing One User Lockout
Monitoring Authenticated Users
Monitoring Active Sessions
Viewing Active Sessions
Page
Disconnecting an Active Session
Fields Used to Monitor Device Access
Fields for Monitoring User Lockouts
Fields for Monitoring Users Who Have Authenticated with a Server
Connection Graphs
Perfmon
Xlates
CRL
DNS Cache
IP Audit
Page
System Resources Graphs
Blocks
CPU
Memory
WCCP
Service Groups
Redirection
Page
Page
Page
Monitoring Logging
About Log Viewing
Log Buffer
Log Buffer Viewer
Real-Time Log Viewer
Real-Time Log Viewer
Page
Monitoring Failover
Monitoring Failover in Single Context Mode or in a Security Context
Status
Page
Page
Graphs
Page
Monitoring Failover in the System Execution Space
System
Page
Page
Failover Group 1 and Failover Group 2
Page
Page
Page
Monitoring Trend Micro Content Security
Threats
Live Security Events
Live Security Events Log
Software Updates
Resource Graphs
CSC CPU
CSC Memory
Page
Page
Page
A
Feature Licenses
ASA 5505 Feature Licenses
ASA 5510 Feature Licenses
ASA 5520 Feature Licenses
ASA 5540 Feature Licenses
ASA 5550 Feature Licenses
ASA 5580 Feature Licenses
PIX 515/515E Feature Licenses
PIX 525 Feature Licenses
PIX 535 Feature Licenses
Page
Page
Page
B
Troubleshooting
Testing Your Configuration
Enabling ICMP Debug Messages and System Log Messages
Pinging Security Appliance Interfaces
B-3
Pinging Through the Security Appliance
?
Disabling the Test Configuration
Traceroute
Packet Tracer
Reloading the Security Appliance
Recovering from a Lockout
Performing Password Recovery
Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance
Recovering Passwords for the PIX 500 Series Security Appliance
Disabling Password Recovery
Using the ROM Monitor to Load a Software Image
Erasing the Flash File System
Other Troubleshooting Tools
Viewing Debug Messages
Capturing Packets
Viewing the Crash Dump
TACACS+ Server Lockout
Common Problems
Page
C
Configuring an External Server for Authorization and Authentication
Understanding Policy Enforcement of Permissions and Attributes
Configuring an External LDAP Server
Organizing the Security Appliance for LDAP Operations
Searching the Hierarchy
Binding the Security Appliance to the LDAP Server
Login DN Example for Active Directory
Defining the Security Appliance LDAP Configuration
Supported Cisco Attributes for LDAP Authorization
Page
Page
Page
Page
Page
Cisco-AV-Pair Attribute Syntax
Page
Additional Information for using ASDM to Configure LDAP
Configuring an External RADIUS Server
Reviewing the RADIUS Configuration Procedure
Security Appliance RADIUS Authorization Attributes
Page
Page
Page
Page
Page
Page
Page
Configuring an External TACACS+ Server
Page
INDEX
Numerics
A
Page
Page
B
C
Page
D
E
F
G
H
I
signature matches
J
K
L
M
N
O
P
Q
R
S
Page
T
Page
U
V
W
X
Z
