Cisco Systems OL-16647-01 Configuring Application Inspection

24-4

Cisco ASDM User Guide

OL-16647-01

Chapter 24 Configuring Application Layer Protocol Inspection

Configuring Application Inspection

Configuring Application Inspection

This feature uses Security Policy Rules. Service policies provide a consistent and flexible way to

configure security appliance features. For example, you can use a service policy to create a timeout

configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP

applications. See Chapter 22, “Configuring Service Policy Rules,” for more information.

Inspection is enabled by default for some applications. See the “Default Inspection Policy” section for

more information. Use this section to modify your inspection policy.

NetBIOS Name

Server over IP

UDP/137,

138 (Source

ports)

— — NetBIOS is supported by performing

NAT of the packets for NBNS UDP port

137 and NBDS UDP port 138.

PPTP TCP/1723 — RFC 2637 —

RADIUS

Accounting

1646 — RFC 2865 —

RSH TCP/514 No PAT Berkeley UNIX —

RTSP TCP/554 No PAT.

No outside NAT.

RFC 2326, 2327,

1889

No handling for HTTP cloaking.

SIP TCP/5060

UDP/5060

No outside NAT.

No NAT on same security

interfaces.

RFC 2543 —

SKINNY

(SCCP)

TCP/2000 No outside NAT.

No NAT on same security

interfaces.

— Does not handle TFTP uploaded Cisco

IP Phone configurations under certain

circumstances.

SMTP and

ESMTP

TCP/25 — RFC 821, 1123 —

SNMP UDP/161,

162

No NAT or PAT. RFC 1155, 1157,

1212, 1213, 1215

v.2 RFC 1902-1908; v.3 RFC

2570-2580.

SQL*Net TCP/1521 — — v.1 and v.2.

Sun RPC over

UDP and TCP

UDP/111 No NAT or PAT. — The default rule includes UDP port 111;

if you want to enable Sun RPC

inspection for TCP port 111, you need

to create a new rule that matches TCP

port 111 and performs Sun RPC

inspection.

TFTP UDP/69 — RFC 1350 Payload IP addresses are not translated.

XDCMP UDP/177 No NAT or PAT. — —

1. Inspection engines that are enabled by default for the default port are in bold.

2. The security appliance is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands

are supposed to be in a particular order, but the security appliance does not enforce the order.

Table 24-1 Supported Application Inspection Engines (continued)

Application1Default Port NAT Limitations Standards2Comments

Contents

Main Cisco ASDM User Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Related Documentation Document Conventions Obtaining Documentation and Submitting a Service Request Page Page Welcome to ASDM ASDM Client Operating System and Browser Requirements VPN Specifications Supported Platforms and SSMs Page New ASDM Features Multiple ASDM Session Support Unsupported Commands Ignored and View-Only Commands Effects of Unsupported Commands Discontinuous Subnet Masks Not Supported Interactive User Commands Not Supported by the ASDM CLI Tool About the ASDM Interface Menus File Menu View Menu Tools Menu Wizards Menu Window Menu Help Menu Toolbar ASDM Assistant How Do I? Tab Search Tab Status Bar Connection to Device Device List Common Buttons Keyboard Shortcuts Page Enabling Extended Screen Reader Support Organizational Folder About the Help Window Header Buttons Browser Window Home Pane Device Dashboard Tab Page Firewall Dashboard Tab Content Security Tab Page Intrusion Prevention Tab Connecting to IPS Page System Home Pane Page Introduction to the Security Appliance New Features by Platform Release New Features in Version 8.1(2) Page Page New Features in Version 8.1(1) New Features in Version 8.0(4) Page Page Page New Features in Version 8.0(3) New Features in Version 8.0(2) Page Page Page Page Page Firewall Functional Overview Security Policy Overview Permitting or Denying Traffic with Access Lists Applying NAT Protecting from IP Fragments Using AAA for Through Traffic Applying HTTP, HTTPS, or FTP Filtering Sending Traffic to the Advanced Inspection and Prevention Security Services Module Sending Traffic to the Content Security and Control Security Services Module Applying QoS Policies Applying Connection Limits and TCP Normalization Enabling Threat Detection Firewall Mode Overview Stateful Inspection Overview VPN Functional Overview Security Context Overview Page Page Defining Preferences and Using Configuration, Diagnostic, and File Management Tools Preferences Page Configuration Tools Reset Device to the Factory Default Configuration Save Running Configuration to TFTP Server Save Internal Log Buffer to Flash Command Line Interface Command Errors Interactive Commands Avoiding Conflicts with Other Administrators Show Commands Ignored by ASDM on Device Diagnostic Tools Packet Tracer Ping Using the Ping Tool Troubleshooting the Ping Tool Pinging from a Security Appliance Interface Pinging to a Security Appliance Interface Pinging Through the Security Appliance Traceroute Administrators Alert to Clientless SSL VPN Users ASDM Java Console Packet Capture Wizard Page Field Information for the Packet Capture Wizard Ingress Traffic Selector Egress Traffic Selector Buffers Summary Run Captures Save Captures File Management Tools File Management Manage Mount Points Add/Edit a CIFS/FTP Mount Point Upgrade Software from Local Computer File Transfer Upgrade Software from Cisco.com Wizard Page ASDM Assistant System Reload Backup and Restore Backing Up Configurations Page Page Restoring Configurations Page Before You Start Factory Default Configurations Restoring the Factory Default Configuration ASA 5505 Default Configuration 4-3 ASA 5510 and Higher Version Default Configuration command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. The DHCP server is enabled on the adaptive security appliance, so a computer connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. Configuring the Security Appliance for ASDM Access Setting Transparent or Routed Firewall Mode at the CLI Page Starting ASDM Downloading the ASDM Launcher Starting ASDM from the ASDM Launcher Using ASDM in Demo Mode Starting ASDM from a Web Browser Configuration Overview Page Page Page Page Page Using the Startup Wizard Startup Wizard Screens for ASA 5500 Series and PIX 500 Series Security Appliances Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance Step 1 - Starting Point or Welcome Step 2 - Basic Configuration Step 3 - Auto Update Server Step 4 - Management IP Address Configuration Step 5 - Interface Selection Step 6 - Switch Port Allocation Step 7 - Interface IP Address Configuration Step 8 - Internet Interface Configuration - PPPoE Step 9 - Business Interface Configuration - PPPoE Step 10 - Home Interface Configuration - PPPoE Step 11 - General Interface Configuration Step 12 - Static Routes Add/Edit Static Routes Step 13 - DHCP Server Step 14 - Address Translation (NAT/PAT) Step 15 - Administrative Access Add/Edit Administrative Access Entry Step 16 - Easy VPN Remote Configuration Page Step 17 - Startup Wizard Summary Other Interfaces Configuration Edit Interface Interface Configuration Outside Interface Configuration - PPPoE Outside Interface Configuration Page Page Configuring Basic Device Settings Management IP Address System Time Clock NTP Add/Edit NTP Server Configuration Configuring Advanced Device Management Features Configuring HTTP Redirect Edit HTTP/HTTPS Settings Configuring Maximum SSL VPN Sessions History Metrics System Image/Configuration Activation Key Auto Update Page Set Polling Schedule Add/Edit Auto Update Server Advanced Auto Update Settings Boot Image/Configuration Add Boot Image Device Name/Password System Software Add/Edit Client Update Page Page Configuring Interfaces in Single Mode Interface Overview Physical Interface Overview Default Physical Interface Settings Connector Types Redundant Interface Overview Redundant Interfaces and Failover Guidelines Redundant Interface MAC Address Physical Interface Guidelines for Use in a Redundant Interface VLAN Subinterface and 802.1Q Trunking Overview Maximum Subinterfaces Preventing Untagged Packets on the Physical Interface Default State of Interfaces Default Security Level Configuring an Interface (Single Mode) Page Page Enabling Same Security Level Communication (Single Mode) PPPoE IP Address and Route Settings Page Configuring Interfaces in Multiple Mode Configuring Interfaces in the System Configuration (Multiple Mode) Configuring Physical Interfaces in the System Configuration (Multiple Mode) Physical Interface Overview Default State of Physical Interfaces Connector Types Auto-MDI/MDIX Feature Configuring Redundant Interfaces in the System Configuration (Multiple Mode) Redundant Interface Overview Default State of Redundant Interfaces Redundant Interfaces and Failover Guidelines Redundant Interface MAC Address Physical Interface Guidelines for Use in a Redundant Interface Configuring VLAN Subinterfaces and 802.1Q Trunking in the System Configuration (Multiple Mode) Subinterface Overview Default State of Subinterfaces Maximum Subinterfaces Adding a Subinterface in the System Configuration (Multiple Mode) Enabling Jumbo Frame Support for the ASA 5580 in the System Configuration (Multiple Mode) Allocating Interfaces to Contexts Configuring Interface Parameters within each Context (Multiple Mode) Interface Parameters Overview Default State of Interfaces Default Security Level Configuring Interface Parameters in each Context (Multiple Mode) Enabling Same Security Level Communication (Multiple Mode) Page Page Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview Understanding ASA 5505 Ports and Interfaces Maximum Active VLAN Interfaces for Your License Page Default Interface Configuration VLAN MAC Addresses Power Over Ethernet Monitoring Traffic Using SPAN Security Level Overview Configuring VLAN Interfaces Interfaces > Interfaces Page Add/Edit Interface > General Page Add/Edit Interface > Advanced Configuring Switch Ports Interfaces > Switch Ports Edit Switch Port Page Page Configuring Security Contexts Security Context Overview Common Uses for Security Contexts Unsupported Features Context Configuration Files How the Security Appliance Classifies Packets Valid Classifier Criteria Unique Interfaces Unique MAC Addresses NAT Configuration Invalid Classifier Criteria Classification Examples Page 10-6 Cascading Security Contexts Management Access to Security Contexts System Administrator Access Context Administrator Access Enabling or Disabling Multiple Context Mode Backing Up the Single Mode Configuration Enabling Multiple Context Mode Restoring Single Context Mode Configuring Resource Classes Classes and Class Members Overview Resource Limits Default Class Class Members Adding a Resource Class Page Monitoring Context Resource Usage Configuring Security Contexts Adding a Security Context Automatically Assigning MAC Addresses MAC Address Overview Enabling Automatic MAC Address Assignment Configuring Dynamic And Static Routing Dynamic Routing OSPF Setup Setup > Process Instances Tab Edit OSPF Process Advanced Properties Page Setup > Area/Networks Tab Add/Edit OSPF Area Page Setup > Route Summarization Tab Add/Edit Route Summarization Filtering Add/Edit Filtering Entry Interface Interface > Authentication Tab Edit OSPF Interface Authentication Interface > Properties Tab Edit OSPF Interface Properties Edit OSPF Interface Advanced Properties Redistribution Page Add/Edit OSPF Redistribution Entry Static Neighbor Add/Edit OSPF Neighbor Entry Summary Address Add/Edit OSPF Summary Address Entry Virtual Link Add/Edit Virtual Link Advanced OSPF Virtual Link Properties RIP Setup Interface Edit RIP Interface Entry Filter Rules Add/Edit Filter Rule Network Rule Redistribution Add/Edit Route Redistribution EIGRP Configuring EIGRP Field Information for the EIGRP Panes Setup Process Instances Edit EIGRP Process Advanced Properties Networks Passive Interfaces Filter Rules Interface Redistribution Static Neighbor Summary Address Default Information Static Routes Static Route Tracking Configuring Static Route Tracking Field Information for Static Routes Static Routes Add/Edit Static Route Route Monitoring Options ASR Group Proxy ARPs Configuring Multicast Routing Multicast IGMP Access Group Add/Edit Access Group Join Group Add/Edit IGMP Join Group Protocol Configure IGMP Parameters Static Group Add/Edit IGMP Static Group Multicast Route Add/Edit Multicast Route MBoundary Edit Boundary Filter Add/Edit/Insert Neighbor Filter Entry MForwarding PIM Protocol Edit PIM Protocol Neighbor Filter Add/Edit/Insert Neighbor Filter Entry Bidirectional Neighbor Filter Add/Edit/Insert Bidirectional Neighbor Filter Entry Rendezvous Points Add/Edit Rendezvous Point Page Multicast Group Request Filter Request Filter Entry Route Tree DHCP, DNS and WCCP Services DHCP Relay Page Edit DHCP Relay Agent Settings Add/Edit Global DHCP Relay Server DHCP Server Page Edit DHCP Server Advanced DHCP Options Page DNS Client Add/Edit DNS Server Group Dynamic DNS Page Add/Edit Dynamic DNS Update Methods Add/Edit Dynamic DNS Interface Settings WCCP WCCP Service Groups Add or Edit WCCP Service Group Redirection Add or Edit WCCP Redirection Page Configuring AAA Servers and the Local Database AAA Overview About Authentication About Authorization About Accounting AAA Server and Local Database Support Summary of Support RADIUS Server Support Authentication Methods Attribute Support RADIUS Authorization Functions TACACS+ Server Support SDI Server Support SDI Version Support Two-step Authentication Process SDI Primary and Replica Servers NT Server Support LDAP Server Support Authentication with LDAP Securing LDAP Authentication with SASL LDAP Server Types Authorization with LDAP for VPN SSO Support for WebVPN with HTTP Forms Local Database Support User Profiles Fallback Support Configuring AAA Server Groups Adding a Server Group Adding a Server to a Group AAA Server Parameters RADIUS Server Fields Page TACACS+ Server Fields SDI Server Fields Windows NT Domain Server Fields Kerberos Server Fields LDAP Server Fields Page HTTP Form Server Fields Testing Server Authentication and Authorization Adding a User Account Page Configuring VPN Policy Attributes for a User Page Configuring LDAP Attribute Maps Adding an Authentication Prompt Page High Availability Understanding Failover Active/Standby Failover Active/Active Failover Stateless (Regular) Failover Stateful Failover Configuring Failover with the High Availability and Scalability Wizard Accessing and Using the High Availability and Scalability Wizard Configuring Active/Active Failover with the High Availability and Scalability Configuring Active/Standby Failover with the High Availability and Scalability Configuring VPN Load Balancing with the High Availability and Scalability Field Information for the High Availability and Scalability Wizard Choose the Type of Failover Configuration Check Failover Peer Connectivity and Compatibility Change Device to Multiple Mode Select Failover Communication Media Security Context Configuration Failover Link Configuration State Link Configuration Standby Address Configuration VPN Cluster Load Balancing Configuration Page Summary Field Information for the Failover Panes Failover - Single Mode Failover: Setup Page Failover: Interfaces (Routed Firewall Mode) Edit Failover Interface Configuration (Routed Firewall Mode) Failover: Interfaces (Transparent Firewall Mode) Edit Failover Interface Configuration (Transparent Firewall Mode) Failover: Criteria Failover: MAC Addresses Add/Edit Interface MAC Address Failover-Multiple Mode, Security Context Failover - Routed Edit Failover Interface Configuration Failover - Transparent Edit Failover Interface Configuration Failover-Multiple Mode, System Failover > Setup Tab Page Failover > Criteria Tab Failover > Active/Active Tab Add/Edit Failover Group Add/Edit Interface MAC Address Failover > MAC Addresses Tab Add/Edit Interface MAC Address Page Configuring Management Access Configuring Device Access for ASDM, Telnet, or SSH Configuring CLI Parameters Adding a Banner Customizing a CLI Prompt Changing the Console Timeout Period Configuring File Access Configuring the FTP Client Mode Configuring the Security Appliance as a Secure Copy Server Configuring the Security Appliance as a TFTP Client Adding Mount Points Adding a CIFS Mount Point Adding an FTP Mount Point Configuring Configuring ICMP Access Page Configuring a Management Interface Configuring SNMP Information About SNMP Information About SNMP Terminology Information About the Management Information Base and Traps Page Page 16-13 MIB or Trap Support Description of Security Appliance Support ENTITY-MIB Browsing of the following groups and tables: entPhysicalTable entLogicalTable The following objects are supported: 16-14 MIB or Trap Support Description of Security Appliance Support ENTITY-MIB (continued) Page Page Configuring an SNMP Agent and Management Station Configuring the SNMP Agent Adding an SNMP Management Station Configuring SNMP Traps Configuring Management Access Rules Configuring AAA for System Administrators Configuring Authentication for CLI, ASDM, and enable command Access Page Limiting User CLI and ASDM Access with Management Authorization Configuring Command Authorization Command Authorization Overview Supported Command Authorization Methods About Preserving User Credentials Security Contexts and Command Authorization Configuring Local Command Authorization Local Command Authorization Prerequisites Default Command Privilege Levels Assigning Privilege Levels to Commands and Enabling Authorization Configuring TACACS+ Command Authorization TACACS+ Command Authorization Prerequisites Configuring Commands on the TACACS+ Server Page Enabling TACACS+ Command Authorization Configuring Management Access Accounting Recovering from a Lockout Page Page Configuring Logging About Logging Security Contexts in Logging Using Logging Logging Setup Configure FTP Settings Configure Logging Flash Usage Syslog Setup Edit Syslog ID Settings Advanced Syslog Configuration E-Mail Setup Add/Edit E-Mail Recipients Event Lists Page Add/Edit Event List Add/Edit Syslog Message ID Filter Logging Filters Edit Logging Filters Page Add/Edit Class and Severity Filter Add/Edit Syslog Message ID Filter Rate Limit Edit Rate Limit for Syslog Logging Level Add/Edit Rate Limit for Syslog Message Syslog Servers Add/Edit Syslog Server SMTP Using NetFlow Matching NetFlow Events to Configured Collectors Page Page Page Firewall Mode Overview Routed Mode Overview IP Routing Support How Data Moves Through the Security Appliance in Routed Firewall Mode An Inside User Visits a Web Server An Outside User Visits a Web Server on the DMZ An Inside User Visits a Web Server on the DMZ An Outside User Attempts to Access an Inside Host A DMZ User Attempts to Access an Inside Host Transparent Mode Overview Transparent Firewall Network Allowing Layer 3 Traffic Allowed MAC Addresses Passing Traffic Not Allowed in Routed Mode MAC Address vs. Route Lookups Using the Transparent Firewall in Your Network Transparent Firewall Guidelines Unsupported Features in Transparent Mode How Data Moves Through the Transparent Firewall An Inside User Visits a Web Server An Inside User Visits a Web Server Using NAT An Outside User Visits a Web Server on the Inside Network An Outside User Attempts to Access an Inside Host Page Adding Global Objects Using Network Objects and Groups Network Object Overview Configuring a Network Object Configuring a Network Object Group Using Network Objects and Groups in a Rule Viewing the Usage of a Network Object or Group Configuring Service Groups Service Groups Add/Edit Service Group Browse Service Groups Configuring Class Maps Configuring Inspect Maps Configuring Regular Expressions Regular Expressions Add/Edit Regular Expression Page Build Regular Expression Page Test Regular Expression Add/Edit Regular Expression Class Map Configuring TCP Maps Configuring Global Pools Configuring Time Ranges Add/Edit Time Range Add/Edit Recurring Time Range Encrypted Traffic Inspection TLS Proxy Wizard Page Configure TLS Proxy Pane Adding a TLS Proxy Instance Add TLS Proxy Instance Wizard Server Configuration Add TLS Proxy Instance Wizard Client Configuration Page Add TLS Proxy Instance Wizard Other Steps Phone Proxy Configuring the Phone Proxy Creating a Phone Proxy Instance Page Add/Edit TFTP Server CTL File Creating a CTL File Add/Edit Record Entry TLS Proxy Add/Edit TLS Proxy CTL Provider Add/Edit CTL Provider Page Configuring Access Rules and EtherType Rules Information About Access Rules and EtherType Rules Information About Both Access Rules and EtherType Rules Using Access Rules and EtherType Rules on the Same Interface Rule Order Implicit Deny Inbound and Outbound Rules Information About Access Rules IP Addresses Used for Access Rules When You Use NAT Page Access Rules for Returning Traffic Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules Information About EtherType Rules Supported EtherTypes Implicit Permit of IP and ARPs Only IPv6 Unsupported Allowing MPLS Configuring Access Rules Page Page Rule Queries New/Edit Rule Query Add/Edit Access Rule Manage Service Groups Add/Edit Service Group Advanced Access Rule Configuration Log Options Page Configuring Ethertype Rules (Transparent Mode Only) Add/Edit EtherType Rule Page Configuring NAT NAT Overview Introduction to NAT NAT in Routed Mode NAT in Transparent Mode 21-4 NAT Control Page NAT Types Dynamic NAT 21-7 PAT Static NAT Static PAT Bypassing NAT When NAT Control is Enabled Policy NAT 21-11 NAT and Same Security Level Interfaces Order of NAT Rules Used to Match Real Addresses Mapped Address Guidelines DNS and NAT Page Configuring NAT Control Using Dynamic NAT Dynamic NAT Implementation Real Addresses and Global Pools Paired Using a Pool ID NAT Rules on Different Interfaces with the Same Global Pools Global Pools on Different Interfaces with the Same Pool ID Multiple NAT Rules with Different Global Pools on the Same Interface Multiple Addresses in the Same Global Pool Outside NAT Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces Managing Global Pools Configuring Dynamic NAT, PAT, or Identity NAT Page Configuring Dynamic Policy NAT or PAT Page Using Static NAT Configuring Static NAT, PAT, or Identity NAT Page Page Configuring Static Policy NAT, PAT, or Identity NAT Page Using NAT Exemption Page Page Configuring Service Policy Rules Service Policy Overview Supported Features Service Policy Elements Default Global Policy Feature Directionality Feature Matching Guidelines Order in Which Multiple Feature Actions within a Rule are Applied Incompatibility of Certain Feature Actions Feature Matching Guidelines for Multiple Service Policies Adding a Service Policy Rule for Through Traffic Page Page Page Adding a Service Policy Rule for Management Traffic RADIUS Accounting Inspection Overview Configuring a Service Policy Rule for Management Traffic Page Page Managing the Order of Service Policy Rules RADIUS Accounting Field Descriptions Select RADIUS Accounting Map Add RADIUS Accounting Policy Map RADIUS Inspect Map RADIUS Inspect Map Host RADIUS Inspect Map Other Page Applying AAA for Network Access AAA Performance Configuring Authentication for Network Access Information About Authentication One-Time Authentication Applications Required to Receive an Authentication Challenge Security Appliance Authentication Prompts Static PAT and HTTP Configuring Network Access Authentication Enabling the Redirection Method of Authentication for HTTP and HTTPS Enabling Secure Authentication of Web Clients Authenticating Directly with the Security Appliance Authenticating Telnet Connections with a Virtual Server Authenticating HTTP(S) Connections with a Virtual Server Page Configuring the Authentication Proxy Limit Configuring Authorization for Network Access Configuring TACACS+ Authorization Configuring RADIUS Authorization Configuring a RADIUS Server to Send Downloadable Access Control Lists About the Downloadable Access List Feature and Cisco Secure ACS Page Configuring Cisco Secure ACS for Downloadable Access Lists Configuring Any RADIUS Server for Downloadable Access Lists Converting Wildcard Netmask Expressions in Downloadable Access Lists Configuring a RADIUS Server to Download Per-User Access Control List Names Configuring Accounting for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization Page Page Configuring Application Layer Protocol Inspection Inspection Engine Overview When to Use Application Protocol Inspection Inspection Limitations Default Inspection Policy Configuring Application Inspection CTIQBE Inspection CTIQBE Inspection Overview Limitations and Restrictions DCERPC Inspection DNS Inspection How DNS Application Inspection Works How DNS Rewrite Works ESMTP Inspection FTP Inspection FTP Inspection Overview Using Strict FTP Verifying and Monitoring FTP Inspection GTP Inspection H.323 Inspection H.323 Inspection Overview How H.323 Works Limitations and Restrictions HTTP Inspection Instant Messaging Inspection ICMP Inspection ICMP Error Inspection ILS Inspection MGCP Inspection Page MMP Inspection Configuring MMP Inspection for a TLS Proxy NetBIOS Inspection PPTP Inspection RADIUS Accounting Inspection RSH Inspection RTSP Inspection RTSP Inspection Overview Using RealPlayer Restrictions and Limitations SIP Inspection SIP Inspection Overview SIP Instant Messaging Skinny (SCCP) Inspection SCCP Inspection Overview Supporting Cisco IP Phones Restrictions and Limitations SMTP and Extended SMTP Inspection SNMP Inspection SQL*Net Inspection Sun RPC Inspection Sun RPC Inspection Overview SUNRPC Server Add/Edit SUNRPC Service TFTP Inspection XDMCP Inspection Service Policy Field Descriptions Rule Actions > Protocol Inspection Tab Page Select DCERPC Map Select DNS Map Select ESMTP Map Select FTP Map Select GTP Map Select H.323 Map Select HTTP Map Select IM Map Select IPSec-Pass-Thru Map Select MGCP Map Select NETBIOS Map Select RTSP Map Select SCCP (Skinny) Map Select SIP Map Select SNMP Map Class Map Field Descriptions DNS Class Map Add/Edit DNS Traffic Class Map Add/Edit DNS Match Criterion Page Manage Regular Expressions Manage Regular Expression Class Maps FTP Class Map Add/Edit FTP Traffic Class Map Add/Edit FTP Match Criterion Page H.323 Class Map Add/Edit H.323 Traffic Class Map Add/Edit H.323 Match Criterion HTTP Class Map Add/Edit HTTP Traffic Class Map Add/Edit HTTP Match Criterion Page Page Page IM Class Map Add/Edit IM Traffic Class Map Add/Edit IM Match Criterion Page SIP Class Map Add/Edit SIP Traffic Class Map Add/Edit SIP Match Criterion Page Inspect Map Field Descriptions Page Page DCERPC Inspect Map Add/Edit DCERPC Policy Map DNS Inspect Map Page Add/Edit DNS Policy Map (Security Level) Add/Edit DNS Policy Map (Details) Page Add/Edit DNS Inspect Manage Class Maps ESMTP Inspect Map MIME File Type Filtering Add/Edit ESMTP Policy Map (Security Level) Add/Edit ESMTP Policy Map (Details) Add/Edit ESMTP Inspect Page Page Page FTP Inspect Map File Type Filtering Add/Edit FTP Policy Map (Security Level) Add/Edit FTP Policy Map (Details) Add/Edit FTP Map Page GTP Inspect Map IMSI Prefix Filtering Add/Edit GTP Policy Map (Security Level) Add/Edit GTP Policy Map (Details) Page Add/Edit GTP Map H.323 Inspect Map Phone Number Filtering Add/Edit H.323 Policy Map (Security Level) Add/Edit H.323 Policy Map (Details) Add/Edit HSI Group Add/Edit H.323 Map HTTP Inspect Map URI Filtering Add/Edit HTTP Policy Map (Security Level) Add/Edit HTTP Policy Map (Details) Add/Edit HTTP Map Page Page Page Instant Messaging (IM) Inspect Map Add/Edit Instant Messaging (IM) Policy Map Add/Edit IM Map Page IPSec Pass Through Inspect Map Add/Edit IPSec Pass Thru Policy Map (Security Level) Add/Edit IPSec Pass Thru Policy Map (Details) MGCP Inspect Map Gateways and Call Agents Add/Edit MGCP Policy Map Add/Edit MGCP Group NetBIOS Inspect Map Add/Edit NetBIOS Policy Map RTSP Inspect Map Add/Edit RTSP Policy Map Add/Edit RTSP Inspect SCCP (Skinny) Inspect Map Message ID Filtering Add/Edit SCCP (Skinny) Policy Map (Security Level) Add/Edit SCCP (Skinny) Policy Map (Details) Add/Edit Message ID Filter SIP Inspect Map Add/Edit SIP Policy Map (Security Level) Add/Edit SIP Policy Map (Details) Page Add/Edit SIP Inspect Page SNMP Inspect Map Add/Edit SNMP Map Page Configuring QoS QoS Overview Supported QoS Features What is a Token Bucket? Policing Overview Priority Queueing Overview Traffic Shaping Overview How QoS Features Interact DSCP and DiffServ Preservation Creating the Standard Priority Queue for an Interface Creating a Policy for Standard Priority Queueing and/or Policing Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing Page Configuring Filter Rules URL Filtering Configuring URL Filtering URL Filtering Servers Add/Edit Parameters for Websense URL Filtering Add/Edit Parameters for Secure Computing SmartFilter URL Filtering Advanced URL Filtering Filter Rules Page Add/Edit Filter Rule Page Filtering the Rule Table Define Query Browse Source/Destination/Service Page Configuring Advanced Firewall Protection Configuring Threat Detection Configuring Basic Threat Detection Basic Threat Detection Overview Configuring Basic Threat Detection Configuring Scanning Threat Detection Configuring Threat Statistics Page Configuring Connection Settings Connection Limit Overview TCP Intercept Overview Disabling TCP Intercept for Management Packets for Clientless SSL VPN Compatibility Dead Connection Detection Overview TCP Normalization Overview Enabling Connection Limits and TCP Normalization Page Page Configuring IP Audit IP Audit Policy Add/Edit IP Audit Policy Configuration IP Audit Signatures IP Audit Signature List Page Page Page Configuring the Fragment Size Show Fragment Edit Fragment Configuring Anti-Spoofing Configuring TCP Options Page TCP Reset Settings Configuring Global Timeouts Page Configuring IPS AIP SSM Overview How the AIP SSM Works with the Adaptive Security Appliance Operating Modes Using Virtual Sensors AIP SSM Procedure Overview Accessing IDM from ASDM Configuring the AIP SSM Security Policy in IDM Assigning Virtual Sensors to Security Contexts Diverting Traffic to the AIP SSM Intrusion Prevention Tab Field Descriptions Resetting the AIP SSM Password Configuring Trend Micro Content Security Connecting to the CSC SSM Managing the CSC SSM About the CSC SSM Page Getting Started with the CSC SSM Page Determining What Traffic to Scan Page Rule Actions for CSC Scanning CSC SSM Setup Activation/License IP Configuration Host/Notification Settings Management Access Host/Networks Password Restoring the Default Password Wizard Setup CSC Setup Wizard Activation Codes Configuration CSC Setup Wizard IP Configuration CSC Setup Wizard Host Configuration CSC Setup Wizard Management Access Configuration CSC Setup Wizard Password Configuration CSC Setup Wizard Traffic Selection for CSC Scan Specify traffic for CSC Scan CSC Setup Wizard Summary Web Mail SMTP Tab POP3 Tab File Transfer Updates Page Configuring ARP Inspection and Bridging Parameters Configuring ARP Inspection ARP Inspection Edit ARP Inspection Entry ARP Static Table Add/Edit ARP Static Configuration Customizing the MAC Address Table MAC Address Table Page Add/Edit MAC Address Entry MAC Learning Page Page SSL VPN Wizard SSL VPN Feature SSL VPN Interface User Authentication Group Policy Bookmark List IP Address Pools and Client Image Summary Page Page VPN VPN Wizard VPN Tunnel Type Remote Site Peer IKE Policy Hosts and Networks Summary Remote Access Client VPN Client Authentication Method and Name Client Authentication New Authentication Server Group User Accounts Address Pool Attributes Pushed to Client IPsec Settings (Optional) Page Page Page Configuring Certificates CA Certificate Authentication Page Add/Install a CA Certificate Edit CA Certificate Configuration Show CA Certificate Details Request CRL Delete a CA Certificate Configuration Options for CA Certificates Page Page Page Advanced Configuration Options Page Identity Certificates Authentication Page Page Page Show Identity Certificate Details Delete an Identity Certificate Export an Identity Certificate Generate Certificate Signing Request Installing Identity Certificates Code-Signer Certificates Show Code-Signer Certificate Details Delete a Code-Signer Certificate Import or Export a Code-Signer Certificate Local Certificate Authority Default Local CA Server Configuring the Local CA Sever Page More Local CA Configuration Options Page Deleting the Local CA Server Manage User Certificates Revoking a Local CA Certificate Unrevoking a Local CA Certificate Manage User Database Add a Local CA User Edit a Local CA User Page IKE IKE Parameters Page Page IKE Policies Add/Edit IKE Policy Assignment Policy Address Pools Add/Edit IP Pool IPsec Crypto Maps Page Create IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab Page Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab Create IPsec Rule/Traffic Selection Tab Page Page Pre-Fragmentation Edit IPsec Pre-Fragmentation Policy IPsec Transform Sets Add/Edit Transform Set Load Balancing Page Page Setting Global NAC Parameters Configuring Network Admission Control Policies About NAC Uses, Requirements, and Limitations What to Do Next Add/Edit Posture Validation Exception Page Page General Client Software Page Edit Client Update Entry Default Tunnel Gateway Group Policies Add/Edit External Group Policy Add AAA Server Group Adding or Editing a Remote Access Internal Group Policy, General Attributes Page Configuring the Portal for a Group Policy Page Configuring Customization for a Group Policy Adding or Editing a Site-to-Site Internal Group Policy Browse Time Range Add/Edit Time Range Add/Edit Recurring Time Range ACL Manager Standard ACL Extended ACL Add/Edit/Paste ACE Page Browse Source/Destination Address Browse Source/Destination Port Add TCP Service Group Browse ICMP Add ICMP Group Browse Other Add Protocol Group Add/Edit Internal Group Policy > Servers Add/Edit Internal Group Policy > IPSec Client Client Access Rules Add/Edit Client Access Rule Add/Edit Internal Group Policy > Client Configuration Tab Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab View/Config Banner Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab Add or Edit Internal Group Policy > Advanced > IE Browser Proxy Add/Edit Standard Access List Rule Add/Edit Internal Group Policy > Client Firewall Tab Page Add/Edit Internal Group Policy > Hardware Client Tab Page Add/Edit Server and URL List Add/Edit Server or URL Configuring SSL VPN Connections Setting the Basic Attributes for an SSL VPN Connection Setting Advanced Attributes for an IPSec or SSL VPN Connection Setting General Attributes for an IPSec or SSL VPN Connection Page Configuring SSL VPN Client Connections Login Setting Key Regeneration Dead Peer Detection Customization ACLs Configuring Clientless SSL VPN Connections Add or Edit Clientless SSL VPN Connections Add or Edit Clientless SSL VPN Connections > Basic Add or Edit Clientless SSL VPN Connections > Advanced Add or Edit Clientless SSL VPN Connections > Advanced > General Page Assign Authentication Server Group to Interface Add or Edit SSL VPN Connections > Advanced > Authorization Assign Authorization Server Group to Interface Add or Edit SSL VPN Connections > Advanced > SSL VPN Add or Edit Clientless SSL VPN Connections > Advanced > SSL VPN Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers Configure DNS Server Groups Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN IPSec Remote Access Connection Profiles Add or Edit an IPSec Remote Access Connection Profile Add or Edit IPSec Remote Access Connection Profile Basic Mapping Certificates to IPSec or SSL VPN Connection Profiles Add/Edit Certificate Matching Rule Add/Edit Certificate Matching Rule Criterion Configure Site-to-Site Tunnel Groups Add/Edit Site-to-Site Connection Adding or Editing a Site-to-Site Tunnel Group Crypto Map Entry Crypto Map Entry for Static Peer Address Managing CA Certificates Install Certificate Configure Options for CA Certificate Revocation Check Tab Add/Edit Remote Access Connections > Advanced > General Configuring Client Addressing Add IPSec Remote Access Connection and Add SSL VPN Access Connection Assign Address Pools to Interface Select Address Pools Add or Edit IP Pool Add/Edit Tunnel Group > General Tab > Authentication Add/Edit SSL VPN Connection > General > Authorization Page Add/Edit SSL VPN Connections > Advanced > Accounting Add/Edit Tunnel Group > General > Client Address Assignment Add/Edit Tunnel Group > General > Advanced Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Page Add/Edit Tunnel Group for Site-to-Site VPN Add/Edit Tunnel Group > PPP Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General > Basic Page Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Page Add/Edit Tunnel Group > Clientless SSL VPN Access > General > Basic Add/Edit Tunnel Group > Clientless SSL VPN > Basic Configuring Internal Group Policy IPSec Client Attributes Configuring Client Addressing for SSL VPN Connections Assign Address Pools to Interface Select Address Pools Add or Edit an IP Address Pool Authenticating SSL VPN Connections System Options Configuring SSL VPN Connections, Advanced Configuring Split Tunneling Zone Labs Integrity Server Page Easy VPN Remote Page Advanced Easy VPN Properties Page Page Configuring Dynamic Access Policies Understanding VPN Access Policies Configuring Dynamic Access Policies DAP Support for Remote Access Connection Types DAP and AAA AAA Attribute Definitions DAP and Endpoint Security Endpoint Attribute Definitions Page DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs DAP Connection Sequence Test Dynamic Access Policies Add/Edit Dynamic Access Policies Page Page Page Page Add/Edit AAA Attributes Page Retrieve AD Groups from selected AD Server Group Add/Edit Endpoint Attributes Page Guide Syntax for Creating Lua EVAL Expressions Constructing DAP Logical Expressions The DAP CheckAndMsg Function Checking for a Single Antivirus Program Checking for Antivirus Definitions Within the Last 10 Days Checking for a Hotfix on the User PC Checking for Antivirus Programs Checking for Antivirus Programs and Definitions Older than 1 1/2 Days Advanced Lua Functions OU-Based Match Group Membership Example Further Information on Lua Operator for Endpoint Category DAP Examples Using DAP to Define Network Resources Using DAP to Apply a WebVPN ACL Enforcing CSD Checks and Applying Policies via DAP Page Page Clientless SSL VPN End User Set-up Requiring Usernames and Passwords Communicating Security Tips Configuring Remote Systems to Use Clientless SSL VPN Features Page Page Page Page Capturing Clientless SSL VPN Data Creating a Capture File Using a Browser to Display Capture Data Page Page Clientless SSL VPN Security Precautions ACLs Add ACL Add/Edit ACE Configuring the Setup for Cisco Secure Desktop Upload Image Page Configuring Application Helper Add/Edit APCF Profile Upload APCF package Auto Signon Add/Edit Auto Signon Entry Configuring Session Settings Java Code Signer Content Cache Content Rewrite Java Code Signer Encoding Add\Edit Encoding Web ACLs Page Port Forwarding Why Port Forwarding? Requirements and Restrictions Add/Edit Port Forwarding List Add/Edit Port Forwarding Entry Configuring the Use of External Proxy Servers Configuring Proxy Bypass Add/Edit Proxy Bypass Rule DTLS Settings SSL VPN Client Settings Page Add/Replace SSL VPN Client Image Upload Image Add/Edit SSL VPN Client Profiles Upload Package Bypass Interface Access List SSO Servers Configuring SiteMinder and SAML Browser Post Profile SAML POST SSO Server Configuration Adding the Cisco Authentication Scheme to SiteMinder Add/Edit SSO Servers Clientless SSL VPN Access Page Configuring Smart Tunnel Access About Smart Tunnels Why Smart Tunnels? Smart Tunnel Requirements and Limitations General Requirements and Limitations Windows Requirements and Limitations Mac OS Requirements and Limitations Configuring a Smart Tunnel (Lotus example) Add or Edit Smart Tunnel List Add or Edit Smart Tunnel Entry Page Add or Edit Smart Tunnel Auto Sign-on Server List Add or Edit Smart Tunnel Auto Sign-on Server Entry Configuring Customization Objects Add Customization Object Import/Export Customization Object Creating XML-Based Portal Customization Objects and URL Lists Understanding the XML Customization File Structure Page Page Page 38-48 Table 38-3 XML-Based Customization File Structure Customization Example The following example illustrates the following customization options: text string Text for TEXT type panes column number 38-49 Using the Customization Template The Customization Template 38-51 38-52 38-53 38-54 38-55 38-56 38-57 38-58 38-59 38-60 38-61 38-62 Help Customization Customizing a Help File Provided by Cisco Creating Help Files for Languages Not Provided by Cisco Import/Export Application Help Content Configuring Browser Access to Client-Server Plug-ins About Installing Browser Plug-ins Plug-in Requirements and Restrictions Preparing the Security Appliance for a Plug-in Installing Plug-ins Redistributed by Cisco Page Assembling and Installing Third-Party Plug-insExample: Citrix Java Presentation Server Client Language Localization Understanding Language Translation Page Creating a Translation Table Add/Edit Localization Entry AnyConnect Customization Resources Binary Installs Import/Export Language Localization Page Configure GUI Customization Objects (Bookmark Lists) Add/Edit Bookmark List Add Bookmark Entry Import/Export Bookmark List Configure GUI Customization Objects (Web Contents) Import/Export Web Content Add/Edit Post Parameter Clientless SSL VPN Macro Substitutions Using Macros 1 - 4 Using Macros 5 and 6 Example 1: Setting a Homepage Example 2: Setting a Bookmark or URL Entry Page Page E-Mail Proxy Configuring E-Mail Proxy AAA POP3S Tab Page IMAP4S Tab Page SMTPS Tab Access Page Edit E-Mail Proxy Access Authentication Page Default Servers Page Delimiters Page Configuring SSL Settings SSL Edit SSL Certificate SSL Certificates Page Page Page Monitoring Interfaces ARP Table DHCP DHCP Server Table DHCP Client Lease Information DHCP Statistics MAC Address Table Dynamic ACLs Interface Graphs Page Page Graph/Table PPPoE Client interface connection Track Status for Monitoring Statistics for Page Monitoring VPN VPN Connection Graphs IPSec Tunnels Sessions VPN Statistics Sessions Page Page Sessions Details Page Sub-session Details NAC Details Encryption Statistics NAC Session Summary Protocol Statistics VLAN Mapping Sessions Global IKE/IPSec Statistics Crypto Statistics Compression Statistics Cluster Loads SSO Statistics for Clientless SSL VPN Session Page Page Monitoring Routing Monitoring OSPF LSAs Type 1 Type 2 Type 3 Type 4 Type 5 Type 7 Monitoring OSPF Neighbors Page Monitoring EIGRP Neighbors Displaying Routes Monitoring Properties Monitoring AAA Servers Viewing AAA Server Statistics Updating the Operational State of an AAA Server Fields Used to Monitor AAA Servers Monitoring Device Access Monitoring User Lockouts Viewing Lockouts Removing All User Lockouts Removing One User Lockout Monitoring Authenticated Users Monitoring Active Sessions Viewing Active Sessions Page Disconnecting an Active Session Fields Used to Monitor Device Access Fields for Monitoring User Lockouts Fields for Monitoring Users Who Have Authenticated with a Server Connection Graphs Perfmon Xlates CRL DNS Cache IP Audit Page System Resources Graphs Blocks CPU Memory WCCP Service Groups Redirection Page Page Page Monitoring Logging About Log Viewing Log Buffer Log Buffer Viewer Real-Time Log Viewer Real-Time Log Viewer Page Monitoring Failover Monitoring Failover in Single Context Mode or in a Security Context Status Page Page Graphs Page Monitoring Failover in the System Execution Space System Page Page Failover Group 1 and Failover Group 2 Page Page Page Monitoring Trend Micro Content Security Threats Live Security Events Live Security Events Log Software Updates Resource Graphs CSC CPU CSC Memory Page Page Page A Feature Licenses ASA 5505 Feature Licenses ASA 5510 Feature Licenses ASA 5520 Feature Licenses ASA 5540 Feature Licenses ASA 5550 Feature Licenses ASA 5580 Feature Licenses PIX 515/515E Feature Licenses PIX 525 Feature Licenses PIX 535 Feature Licenses Page Page Page B Troubleshooting Testing Your Configuration Enabling ICMP Debug Messages and System Log Messages Pinging Security Appliance Interfaces B-3 Pinging Through the Security Appliance ? Disabling the Test Configuration Traceroute Packet Tracer Reloading the Security Appliance Recovering from a Lockout Performing Password Recovery Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance Recovering Passwords for the PIX 500 Series Security Appliance Disabling Password Recovery Using the ROM Monitor to Load a Software Image Erasing the Flash File System Other Troubleshooting Tools Viewing Debug Messages Capturing Packets Viewing the Crash Dump TACACS+ Server Lockout Common Problems Page C Configuring an External Server for Authorization and Authentication Understanding Policy Enforcement of Permissions and Attributes Configuring an External LDAP Server Organizing the Security Appliance for LDAP Operations Searching the Hierarchy Binding the Security Appliance to the LDAP Server Login DN Example for Active Directory Defining the Security Appliance LDAP Configuration Supported Cisco Attributes for LDAP Authorization Page Page Page Page Page Cisco-AV-Pair Attribute Syntax Page Additional Information for using ASDM to Configure LDAP Configuring an External RADIUS Server Reviewing the RADIUS Configuration Procedure Security Appliance RADIUS Authorization Attributes Page Page Page Page Page Page Page Configuring an External TACACS+ Server Page INDEX Numerics A Page Page B C Page D E F G H I signature matches J K L M N O P Q R S Page T Page U V W X Z