Cisco Cisco ASA 5500 Series Configuration manual

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Cisco Security Appliance Command Line

Configuration Guide

For the Cisco ASA 5500 Series and Cisco PIX 500 Series

Software Version 8.0(1)

Customer Order Number: N/A, Online only

Text Part Number: OL-12172-03

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco Security Appliance Command Line Configuration Guide

CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems,

Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco

Press,

Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing,

FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys,

MeetingPlace, MGX, Networking Academy, Network Registrar, Packe t, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet

Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship

between Cisco and any other company. (0705R)

iii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CONTENTS

About This Guide xxxix

Document Objectives xxxix

Audience xxxix

Related Documentation xl

Document Organization xl

Document Conventions xliii

Obtaining Documentation, Obtaining Support, and Security Guidelines xliii

PART

1 Getting Started and General Information

CHAPTER

1 Introduction to the Security Appliance 1-1

Firewall Functional Overview 1-1

Security Policy Overview 1-2

Permitting or Denying Traffic with Access Lists 1-2

Applying NAT 1-2

Using AAA for Through Traffic 1-2

Applying HTTP, HTTPS, or FTP Filtering 1-3

Applying Application Inspection 1-3

Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3

Sending Traffic to the Content Security and Control Security Services Module 1-3

Applying QoS Policies 1-3

Applying Connection Limits and TCP Normalization 1-3

Enabling Threat Detection 1-3

Firewall Mode Overview 1-4

Stateful Inspection Overview 1-4

VPN Functional Overview 1-5

Intrusion Prevention Services Functional Overview 1-6

Security Context Overview 1-6

Contents

iv

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

2 Getting Started 2-1

Getting Started with Your Platform Model 2-1

Factory Default Configurations 2-1

Restoring the Factory Default Configuration 2-2

ASA 5505 Default Configuration 2-2

ASA 5510 and Higher Default Configuration 2-3

PIX 515/515E Default Configuration 2-4

Accessing the Command-Line Interface 2-4

Setting Transparent or Routed Firewall Mode 2-5

Working with the Configuration 2-6

Saving Configuration Changes 2-6

Saving Configuration Changes in Single Context Mode 2-7

Saving Configuration Changes in Multiple Context Mode 2-7

Copying the Startup Configuration to the Running Configuration 2-8

Viewing the Configuration 2-8

Clearing and Removing Configuration Settings 2-9

Creating Text Configuration Files Offline 2-9

CHAPTER

3 Enabling Multiple Context Mode 3-1

Security Context Overview 3-1

Common Uses for Security Contexts 3-1

Unsupported Features 3-2

Context Configuration Files 3-2

Context Configurations 3-2

System Configuration 3-2

Admin Context Configuration 3-2

How the Security Appliance Classifies Packets 3-3

Valid Classifier Criteria 3-3

Invalid Classifier Criteria 3-4

Classification Examples 3-5

Cascading Security Contexts 3-8

Management Access to Security Contexts 3-9

System Administrator Access 3-9

Context Administrator Access 3-10

Enabling or Disabling Multiple Context Mode 3-10

Backing Up the Single Mode Configuration 3-10

Enabling Multiple Context Mode 3-10

Restoring Single Context Mode 3-11

Contents

v

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security

Appliance

4-1

Interface Overview 4-1

Understanding ASA 5505 Ports and Interfaces 4-2

Maximum Active VLAN Interfaces for Your License 4-2

Default Interface Configuration 4-4

VLAN MAC Addresses 4-4

Power Over Ethernet 4-4

Monitoring Traffic Using SPAN 4-4

Security Level Overview 4-5

Configuring VLAN Interfaces 4-5

Configuring Switch Ports as Access Ports 4-9

Configuring a Switch Port as a Trunk Port 4-11

Allowing Communication Between VLAN Interfaces on the Same Security Level 4-13

CHAPTER

5 Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces 5-1

Configuring and Enabling RJ-45 Interfaces 5-1

RJ-45 Interface Overview 5-1

Default State of Physical Interfaces 5-2

Connector Types 5-2

Auto-MDI/MDIX Feature 5-2

Configuring the RJ-45 Interface 5-2

Configuring and Enabling Fiber Interfaces 5-3

Default State of Physical Interfaces 5-3

Configuring the Fiber Interface 5-4

Configuring a Redundant Interface 5-4

Redundant Interface Overview 5-5

Default State of Redundant Interfaces 5-5

Redundant Interfaces and Failover Guidelines 5-5

Redundant Interface MAC Address 5-5

Physical Interface Guidelines 5-5

Adding a Redundant Interface 5-6

Changing the Active Interface 5-7

Configuring VLAN Subinterfaces and 802.1Q Trunking 5-7

Subinterface Overview 5-7

Default State of Subinterfaces 5-7

Maximum Subinterfaces 5-8

Preventing Untagged Packets on the Physical Interface 5-8

Adding a Subinterface 5-8

Contents

vi

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

6 Adding and Managing Security Contexts 6-1

Configuring Resource Management 6-1

Classes and Class Members Overview 6-1

Resource Limits 6-2

Default Class 6-3

Class Members 6-4

Configuring a Class 6-4

Configuring a Security Context 6-7

Automatically Assigning MAC Addresses to Context Interfaces 6-11

Changing Between Contexts and the System Execution Space 6-12

Managing Security Contexts 6-12

Removing a Security Context 6-12

Changing the Admin Context 6-13

Changing the Security Context URL 6-13

Reloading a Security Context 6-14

Reloading by Clearing the Configuration 6-14

Reloading by Removing and Re-adding the Context 6-15

Monitoring Security Contexts 6-15

Viewing Context Information 6-15

Viewing Resource Allocation 6-16

Viewing Resource Usage 6-19

Monitoring SYN Attacks in Contexts 6-20

CHAPTER

7 Configuring Interface Parameters 7-1

Security Level Overview 7-1

Configuring Interface Parameters 7-2

Interface Parameters Overview 7-2

Default State of Interfaces 7-3

Default Security Level 7-3

Multiple Context Mode Guidelines 7-3

Configuring the Interface 7-3

Allowing Communication Between Interfaces on the Same Security Level 7-7

CHAPTER

8 Configuring Basic Settings 8-1

Changing the Login Password 8-1

Changing the Enable Password 8-1

Setting the Hostname 8-2

Setting the Domain Name 8-2

Contents

vii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Setting the Date and Time 8-2

Setting the Time Zone and Daylight Saving Time Date Range 8-3

Setting the Date and Time Using an NTP Server 8-4

Setting the Date and Time Manually 8-4

Setting the Management IP Address for a Transparent Firewall 8-5

CHAPTER

9 Configuring IP Routing 9-1

Configuring Static and Default Routes 9-1

Configuring a Static Route 9-2

Configuring a Default Static Route 9-3

Configuring Static Route Tracking 9-4

Defining Route Maps 9-6

Configuring OSPF 9-7

OSPF Overview 9-8

Enabling OSPF 9-8

Redistributing Routes Into OSPF 9-9

Configuring OSPF Interface Parameters 9-10

Configuring OSPF Area Parameters 9-13

Configuring OSPF NSSA 9-13

Configuring Route Summarization Between OSPF Areas 9-15

Configuring Route Summarization When Redistributing Routes into OSPF 9-15

Defining Static OSPF Neighbors 9-16

Generating a Default Route 9-16

Configuring Route Calculation Timers 9-17

Logging Neighbors Going Up or Down 9-17

Displaying OSPF Update Packet Pacing 9-18

Monitoring OSPF 9-18

Restarting the OSPF Process 9-19

Configuring RIP 9-19

Enabling and Configuring RIP 9-19

Redistributing Routes into the RIP Routing Process 9-21

Configuring RIP Send/Receive Version on an Interface 9-21

Enabling RIP Authentication 9-22

Monitoring RIP 9-22

Configuring EIGRP 9-23

EIGRP Routing Overview 9-23

Enabling and Configuring EIGRP Routing 9-24

Enabling and Configuring EIGRP Stub Routing 9-25

Enabling EIGRP Authentication 9-26

Contents

viii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Defining an EIGRP Neighbor 9-27

Redistributing Routes Into EIGRP 9-27

Configuring the EIGRP Hello Interval and Hold Time 9-28

Disabling Automatic Route Summarization 9-28

Configuring Summary Aggregate Addresses 9-29

Disabling EIGRP Split Horizon 9-29

Changing the Interface Delay Value 9-30

Monitoring EIGRP 9-30

Disabling Neighbor Change and Warning Message Logging 9-31

The Routing Table 9-31

Displaying the Routing Table 9-31

How the Routing Table is Populated 9-32

Backup Routes 9-33

How Forwarding Decisions are Made 9-33

Dynamic Routing and Failover 9-34

CHAPTER

10 Configuring DHCP, DDNS, and WCCP Services 10-1

Configuring a DHCP Server 10-1

Enabling the DHCP Server 10-2

Configuring DHCP Options 10-3

Using Cisco IP Phones with a DHCP Server 10-4

Configuring DHCP Relay Services 10-5

Configuring Dynamic DNS 10-6

Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7

Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN

Provided Through Configuration

10-7

Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides

Client and Updates Both RRs.

10-8

Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only;

Honors Client Request and Updates Both A and PTR RR

10-8

Example 5: Client Updates A RR; Server Updates PTR RR 10-9

Configuring Web Cache Services Using WCCP 10-9

WCCP Feature Support 10-9

WCCP Interaction With Other Features 10-10

Enabling WCCP Redirection 10-10

Contents

ix

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

11 Configuring Multicast Routing 11-13

Multicast Routing Overview 11-13

Enabling Multicast Routing 11-14

Configuring IGMP Features 11-14

Disabling IGMP on an Interface 11-15

Configuring Group Membership 11-15

Configuring a Statically Joined Group 11-15

Controlling Access to Multicast Groups 11-15

Limiting the Number of IGMP States on an Interface 11-16

Modifying the Query Interval and Query Timeout 11-16

Changing the Query Response Time 11-17

Changing the IGMP Version 11-17

Configuring Stub Multicast Routing 11-17

Configuring a Static Multicast Route 11-17

Configuring PIM Features 11-18

Disabling PIM on an Interface 11-18

Configuring a Static Rendezvous Point Address 11-19

Configuring the Designated Router Priority 11-19

Filtering PIM Register Messages 11-19

Configuring PIM Message Intervals 11-20

Configuring a Multicast Boundary 11-20

Filtering PIM Neighbors 11-20

Supporting Mixed Bidirctional/Sparse-Mode PIM Networks 11-21

For More Information about Multicast Routing 11-22

CHAPTER

12 Configuring IPv6 12-1

IPv6-enabled Commands 12-1

Configuring IPv6 12-2

Configuring IPv6 on an Interface 12-3

Configuring a Dual IP Stack on an Interface 12-4

Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 12-4

Configuring IPv6 Duplicate Address Detection 12-4

Configuring IPv6 Default and Static Routes 12-5

Configuring IPv6 Access Lists 12-6

Configuring IPv6 Neighbor Discovery 12-7

Configuring Neighbor Solicitation Messages 12-7

Configuring Router Advertisement Messages 12-9

Configuring a Static IPv6 Neighbor 12-11

Contents

x

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Verifying the IPv6 Configuration 12-11

The show ipv6 interface Command 12-11

The show ipv6 route Command 12-12

CHAPTER

13 Configuring AAA Servers and the Local Database 13-1

AAA Overview 13-1

About Authentication 13-2

About Authorization 13-2

About Accounting 13-2

AAA Server and Local Database Support 13-3

Summary of Support 13-3

RADIUS Server Support 13-4

Authentication Methods 13-4

Attribute Support 13-4

RADIUS Authorization Functions 13-4

TACACS+ Server Support 13-4

SDI Server Support 13-5

SDI Version Support 13-5

Two-step Authentication Process 13-5

SDI Primary and Replica Servers 13-5

NT Server Support 13-5

Kerberos Server Support 13-5

LDAP Server Support 13-6

SSO Support for WebVPN with HTTP Forms 13-6

Local Database Support 13-6

User Profiles 13-6

Fallback Support 13-7

Configuring the Local Database 13-7

Identifying AAA Server Groups and Servers 13-9

Configuring an LDAP Server 13-12

Authentication with LDAP 13-12

Authorization with LDAP for VPN 13-14

LDAP Attribute Mapping 13-14

Using Certificates and User Login Credentials 13-16

Using User Login Credentials 13-16

Using certificates 13-16

Supporting a Zone Labs Integrity Server 13-17

Overview of Integrity Server and Security Appliance Interaction 13-17

Configuring Integrity Server Support 13-18

Contents

xi

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

14 Configuring Failover 14-1

Understanding Failover 14-1

Failover System Requirements 14-2

Hardware Requirements 14-2

Software Requirements 14-2

License Requirements 14-2

The Failover and Stateful Failover Links 14-3

Failover Link 14-3

Stateful Failover Link 14-5

Active/Active and Active/Standby Failover 14-6

Active/Standby Failover 14-6

Active/Active Failover 14-10

Determining Which Type of Failover to Use 14-15

Regular and Stateful Failover 14-15

Regular Failover 14-15

Stateful Failover 14-15

Failover Health Monitoring 14-16

Unit Health Monitoring 14-17

Interface Monitoring 14-17

Failover Feature/Platform Matrix 14-18

Failover Times by Platform 14-18

Configuring Failover 14-19

Failover Configuration Limitations 14-19

Configuring Active/Standby Failover 14-19

Prerequisites 14-20

Configuring Cable-Based Active/Standby Failover (PIX 500 Series Security Appliance

Only)

14-20

Configuring LAN-Based Active/Standby Failover 14-21

Configuring Optional Active/Standby Failover Settings 14-25

Configuring Active/Active Failover 14-27

Prerequisites 14-27

Configuring Cable-Based Active/Active Failover (PIX 500 series security appliance) 14-27

Configuring LAN-Based Active/Active Failover 14-29

Configuring Optional Active/Active Failover Settings 14-33

Configuring Unit Health Monitoring 14-39

Configuring Failover Communication Authentication/Encryption 14-39

Verifying the Failover Configuration 14-40

Using the show failover Command 14-40

Viewing Monitored Interfaces 14-48

Displaying the Failover Commands in the Running Configuration 14-48

Contents

xii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Testing the Failover Functionality 14-49

Controlling and Monitoring Failover 14-49

Forcing Failover 14-49

Disabling Failover 14-50

Restoring a Failed Unit or Failover Group 14-50

Monitoring Failover 14-50

Failover System Messages 14-51

Debug Messages 14-51

SNMP 14-51

Remote Command Execution 14-51

Changing Command Modes 14-52

Security Considerations 14-53

Limitations of Remote Command Execution 14-53

Auto Update Server Support in Failover Configurations 14-54

Auto Update Process Overview 14-54

Monitoring the Auto Update Process 14-55

PART

2 Configuring the Firewall

CHAPTER

15 Firewall Mode Overview 15-1

Routed Mode Overview 15-1

IP Routing Support 15-1

How Data Moves Through the Security Appliance in Routed Firewall Mode 15-1

An Inside User Visits a Web Server 15-2

An Outside User Visits a Web Server on the DMZ 15-3

An Inside User Visits a Web Server on the DMZ 15-4

An Outside User Attempts to Access an Inside Host 15-5

A DMZ User Attempts to Access an Inside Host 15-6

Transparent Mode Overview 15-6

Transparent Firewall Network 15-7

Allowing Layer 3 Traffic 15-7

Allowed MAC Addresses 15-7

Passing Traffic Not Allowed in Routed Mode 15-7

MAC Address vs. Route Lookups 15-8

Using the Transparent Firewall in Your Network 15-9

Transparent Firewall Guidelines 15-9

Unsupported Features in Transparent Mode 15-10

Contents

xiii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

How Data Moves Through the Transparent Firewall 15-11

An Inside User Visits a Web Server 15-12

An Inside User Visits a Web Server Using NAT 15-13

An Outside User Visits a Web Server on the Inside Network 15-14

An Outside User Attempts to Access an Inside Host 15-15

CHAPTER

16 Identifying Traffic with Access Lists 16-1

Access List Overview 16-1

Access List Types 16-2

Access Control Entry Order 16-2

Access Control Implicit Deny 16-3

IP Addresses Used for Access Lists When You Use NAT 16-3

Adding an Extended Access List 16-5

Extended Access List Overview 16-5

Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6

Adding an Extended ACE 16-6

Adding an EtherType Access List 16-8

EtherType Access List Overview 16-8

Supported EtherTypes 16-8

Implicit Permit of IP and ARPs Only 16-9

Implicit and Explicit Deny ACE at the End of an Access List 16-9

IPv6 Unsupported 16-9

Using Extended and EtherType Access Lists on the Same Interface 16-9

Allowing MPLS 16-9

Adding an EtherType ACE 16-10

Adding a Standard Access List 16-10

Adding a Webtype Access List 16-11

Simplifying Access Lists with Object Grouping 16-11

How Object Grouping Works 16-11

Adding Object Groups 16-12

Adding a Protocol Object Group 16-12

Adding a Network Object Group 16-13

Adding a Service Object Group 16-13

Adding an ICMP Type Object Group 16-14

Nesting Object Groups 16-15

Using Object Groups with an Access List 16-16

Displaying Object Groups 16-17

Removing Object Groups 16-17

Adding Remarks to Access Lists 16-17

Contents

xiv

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Scheduling Extended Access List Activation 16-18

Adding a Time Range 16-18

Applying the Time Range to an ACE 16-19

Logging Access List Activity 16-19

Access List Logging Overview 16-19

Configuring Logging for an Access Control Entry 16-20

Managing Deny Flows 16-21

CHAPTER

17 Configuring NAT 17-1

NAT Overview 17-1

Introduction to NAT 17-1

NAT in Routed Mode 17-2

NAT in Transparent Mode 17-3

NAT Control 17-4

NAT Types 17-6

Dynamic NAT 17-6

PAT 17-8

Static NAT 17-8

Static PAT 17-9

Bypassing NAT When NAT Control is Enabled 17-10

Policy NAT 17-10

NAT and Same Security Level Interfaces 17-13

Order of NAT Commands Used to Match Real Addresses 17-14

Mapped Address Guidelines 17-14

DNS and NAT 17-15

Configuring NAT Control 17-16

Using Dynamic NAT and PAT 17-17

Dynamic NAT and PAT Implementation 17-17

Configuring Dynamic NAT or PAT 17-23

Using Static NAT 17-26

Using Static PAT 17-27

Bypassing NAT 17-30

Configuring Identity NAT 17-30

Configuring Static Identity NAT 17-31

Configuring NAT Exemption 17-33

NAT Examples 17-34

Overlapping Networks 17-34

Redirecting Ports 17-36

Contents

xv

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

18 Permitting or Denying Network Access 18-1

Inbound and Outbound Access List Overview 18-1

Applying an Access List to an Interface 18-2

CHAPTER

19 Applying AAA for Network Access 19-1

AAA Performance 19-1

Configuring Authentication for Network Access 19-1

Authentication Overview 19-2

One-Time Authentication 19-2

Applications Required to Receive an Authentication Challenge 19-2

Security Appliance Authentication Prompts 19-2

Static PAT and HTTP 19-3

Enabling Network Access Authentication 19-3

Enabling Secure Authentication of Web Clients 19-5

Authenticating Directly with the Security Appliance 19-6

Enabling Direct Authentication Using HTTP and HTTPS 19-6

Enabling Direct Authentication Using Telnet 19-7

Configuring Authorization for Network Access 19-8

Configuring TACACS+ Authorization 19-8

Configuring RADIUS Authorization 19-10

Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-10

Configuring a RADIUS Server to Download Per-User Access Control List Names 19-14

Configuring Accounting for Network Access 19-14

Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-16

CHAPTER

20 Applying Filtering Services 20-1

Filtering Overview 20-1

Filtering ActiveX Objects 20-2

ActiveX Filtering Overview 20-2

Enabling ActiveX Filtering 20-2

Filtering Java Applets 20-3

Filtering URLs and FTP Requests with an External Server 20-4

URL Filtering Overview 20-4

Identifying the Filtering Server 20-4

Buffering the Content Server Response 20-6

Caching Server Addresses 20-6

Filtering HTTP URLs 20-7

Configuring HTTP Filtering 20-7

Contents

xvi

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Enabling Filtering of Long HTTP URLs 20-7

Truncating Long HTTP URLs 20-7

Exempting Traffic from Filtering 20-8

Filtering HTTPS URLs 20-8

Filtering FTP Requests 20-9

Viewing Filtering Statistics and Configuration 20-9

Viewing Filtering Server Statistics 20-10

Viewing Buffer Configuration and Statistics 20-11

Viewing Caching Statistics 20-11

Viewing Filtering Performance Statistics 20-11

Viewing Filtering Configuration 20-12

CHAPTER

21 Using Modular Policy Framework 21-1

Modular Policy Framework Overview 21-1

Default Global Policy 21-2

Identifying Traffic Using a Layer 3/4 Class Map 21-2

Creating a Layer 3/4 Class Map for Through Traffic 21-3

Creating a Layer 3/4 Class Map for Management Traffic 21-5

Configuring Special Actions for Application Inspections 21-6

Creating a Regular Expression 21-6

Creating a Regular Expression Class Map 21-9

Identifying Traffic in an Inspection Class Map 21-10

Defining Actions in an Inspection Policy Map 21-11

Defining Actions Using a Layer 3/4 Policy Map 21-13

Layer 3/4 Policy Map Overview 21-13

Policy Map Guidelines 21-14

Supported Feature Types 21-14

Feature Directionality 21-14

Feature Matching Guidelines within a Policy Map 21-15

Feature Matching Guidelines for multiple Policy Maps 21-15

Order in Which Multiple Feature Actions are Applied 21-16

Default Layer 3/4 Policy Map 21-16

Adding a Layer 3/4 Policy Map 21-16

Applying a Layer 3/4 Policy to an Interface Using a Service Policy 21-18

Modular Policy Framework Examples 21-19

Applying Inspection and QoS Policing to HTTP Traffic 21-19

Applying Inspection to HTTP Traffic Globally 21-20

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-21

Applying Inspection to HTTP Traffic with NAT 21-22

Contents

xvii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

CHAPTER

22 Managing the AIP SSM and CSC SSM 22-1

Managing the AIP SSM 22-1

AIP SSM Overview 22-1

How the AIP SSM Works with the Adaptive Security Appliance 22-2

Operating Modes 22-2

Using Virtual Sensors 22-3

AIP SSM Procedure Overview 22-4

Sessioning to the AIP SSM 22-5

Configuring the Security Policy on the AIP SSM 22-6

Assigning Virtual Sensors to Security Contexts 22-6

Diverting Traffic to the AIP SSM 22-8

Managing the CSC SSM 22-9

About the CSC SSM 22-10

Getting Started with the CSC SSM 22-12

Determining What Traffic to Scan 22-13

Limiting Connections Through the CSC SSM 22-15

Diverting Traffic to the CSC SSM 22-16

Checking SSM Status 22-18

Transferring an Image onto an SSM 22-19

CHAPTER

23 Preventing Network Attacks 23-1

Configuring Threat Detection 23-1

Configuring Basic Threat Detection 23-1

Basic Threat Detection Overview 23-2

Configuring Basic Threat Detection 23-2

Managing Basic Threat Statistics 23-4

Configuring Scanning Threat Detection 23-5

Enabling Scanning Threat Detection 23-5

Managing Shunned Hosts 23-6

Viewing Attackers and Targets 23-7

Configuring and Viewing Threat Statistics 23-7

Configuring Threat Statistics 23-7

Viewing Threat Statistics 23-8

Configuring TCP Normalization 23-11

Configuring Connection Limits and Timeouts 23-14

Connection Limit Overview 23-14

TCP Intercept Overview 23-14

Disabling TCP Intercept for Management Packets for WebVPN Compatibility 23-14

Dead Connection Detection Overview 23-15

Contents

xviii

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

TCP Sequence Randomization Overview 23-15

Enabling Connection Limits 23-15

Preventing IP Spoofing 23-16

Configuring the Fragment Size 23-17

Blocking Unwanted Connections 23-17

Configuring IP Audit for Basic IPS Support 23-18

CHAPTER

24 Applying QoS Policies 24-1

Overview 24-1

QoS Concepts 24-2

Implementing QoS 24-2

Identifying Traffic for QoS 24-4

Defining a QoS Policy Map 24-5

Applying Rate Limiting 24-6

Activating the Service Policy 24-7

Applying Low Latency Queueing 24-8

Configuring Priority Queuing 24-8

Sizing the Priority Queue 24-8

Reducing Queue Latency 24-9

Configuring QoS 24-9

Viewing QoS Configuration 24-12

Viewing QoS Service Policy Configuration 24-12

Viewing QoS Policy Map Configuration 24-13

Viewing the Priority-Queue Configuration for an Interface 24-13

Viewing QoS Statistics 24-14

Viewing QoS Police Statistics 24-14

Viewing QoS Priority Statistics 24-14

Viewing QoS Priority Queue Statistics 24-15

CHAPTER

25 Configuring Application Layer Protocol Inspection 25-1

Inspection Engine Overview 25-2

When to Use Application Protocol Inspection 25-2

Inspection Limitations 25-3

Default Inspection Policy 25-3

Configuring Application Inspection 25-5

CTIQBE Inspection 25-10

CTIQBE Inspection Overview 25-10

Contents

xix

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Limitations and Restrictions 25-10

Verifying and Monitoring CTIQBE Inspection 25-11

DCERPC Inspection 25-12

DCERPC Overview 25-12

Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12

DNS Inspection 25-13

How DNS Application Inspection Works 25-14

How DNS Rewrite Works 25-14

Configuring DNS Rewrite 25-15

Using the Static Command for DNS Rewrite 25-16

Using the Alias Command for DNS Rewrite 25-16

Configuring DNS Rewrite with Two NAT Zones 25-16

DNS Rewrite with Three NAT Zones 25-17

Configuring DNS Rewrite with Three NAT Zones 25-19

Verifying and Monitoring DNS Inspection 25-20

Configuring a DNS Inspection Policy Map for Additional Inspection Control 25-21

ESMTP Inspection 25-24

Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25-24

FTP Inspection 25-26

FTP Inspection Overview 25-26

Using the strict Option 25-26

Configuring an FTP Inspection Policy Map for Additional Inspection Control 25-27

Verifying and Monitoring FTP Inspection 25-31

GTP Inspection 25-31

GTP Inspection Overview 25-31

Configuring a GTP Inspection Policy Map for Additional Inspection Control 25-32

Verifying and Monitoring GTP Inspection 25-36

H.323 Inspection 25-37

H.323 Inspection Overview 25-38

How H.323 Works 25-38

Limitations and Restrictions 25-39

Configuring an H.323 Inspection Policy Map for Additional Inspection Control 25-39

Configuring H.323 and H.225 Timeout Values 25-42

Verifying and Monitoring H.323 Inspection 25-42

Monitoring H.225 Sessions 25-42

Monitoring H.245 Sessions 25-43

Monitoring H.323 RAS Sessions 25-44

HTTP Inspection 25-44

HTTP Inspection Overview 25-44

Contents

xx

Cisco Security Appliance Command Line Configuration Guide

OL-12172-03

Configuring an HTTP Inspection Policy Map for Additional Inspection Control 25-45

Instant Messaging Inspection 25-48

IM Inspection Overview 25-49

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 25-49

ICMP Inspection 25-52

ICMP Error Inspection 25-52

ILS Inspection 25-52

MGCP Inspection 25-53

MGCP Inspection Overview 25-54

Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-56

Configuring MGCP Timeout Values 25-57

Verifying and Monitoring MGCP Inspection 25-57

NetBIOS Inspection 25-58

Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 25-58

PPTP Inspection 25-60

RADIUS Accounting Inspection 25-60

Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25-61

RSH Inspection 25-61

RTSP Inspection 25-61

RTSP Inspection Overview 25-61

Using RealPlayer 25-62

Restrictions and Limitations 25-62

Configuring an RTSP Inspection Policy Map for Additional Inspection Control 25-63

SIP Inspection 25-65

SIP Inspection Overview 25-65

SIP Instant Messaging 25-66

Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-66

Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-67

Configuring SIP Timeout Values 25-70

Verifying and Monitoring SIP Inspection 25-71

Skinny (SCCP) Inspection 25-71

SCCP Inspection Overview 25-72

Supporting Cisco IP Phones 25-72

Restrictions and Limitations 25-72

Verifying and Monitoring SCCP Inspection 25-73

Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73

SMTP and Extended SMTP Inspection 25-75

SNMP Inspection 25-76

Page is loading ...

Cisco Cisco ASA 5500 Series, 500 Series Configuration manual

Related papers

Other documents