
Cisco Security Appliance Command Line document (PDF)



Cisco Security Appliance Command Line Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 8.0

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Customer Order Number: N/A, Online only
Text Part Number: OL-12172-02

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco Security Appliance Command Line Configuration Guide
Copyright © 2007 Cisco Systems, Inc. All rights reserved.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)

3
Cisco Security Appliance Command Line Configuration Guide
OL-12172-01
CONTENTS

About This Guide    39
Document Objectives    39
Audience    39
Related Documentation    40
Document Organization    40
Document Conventions    43
Obtaining Documentation, Obtaining Support, and Security Guidelines    43

PART 1    Getting Started and General Information

CHAPTER 1    Introduction to the Security Appliance    1
Firewall Functional Overview    1
Security Policy Overview    2
Permitting or Denying Traffic with Access Lists    2
Applying NAT    2
Using AAA for Through Traffic    2
Applying HTTP, HTTPS, or FTP Filtering    3
Applying Application Inspection    3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module    3
Sending Traffic to the Content Security and Control Security Services Module    3
Applying QoS Policies    3
Applying Connection Limits and TCP Normalization    3
Enabling Threat Detection    3
Firewall Mode Overview    4
Stateful Inspection Overview    4
VPN Functional Overview    5
Intrusion Prevention Services Functional Overview    6
Security Context Overview    6

CHAPTER 2    Getting Started    1
Getting Started with Your Platform Model    1
Factory Default Configurations    1

Restoring the Factory Default Configuration    2
ASA 5505 Default Configuration    2
ASA 5510 and Higher Default Configuration    3
PIX 515/515E Default Configuration    4
Accessing the Command-Line Interface    4
Setting Transparent or Routed Firewall Mode    5
Working with the Configuration    6
Saving Configuration Changes    6
Saving Configuration Changes in Single Context Mode    7
Saving Configuration Changes in Multiple Context Mode    7
Copying the Startup Configuration to the Running Configuration    8
Viewing the Configuration    8
Clearing and Removing Configuration Settings    9
Creating Text Configuration Files Offline    9

CHAPTER 3    Enabling Multiple Context Mode    1
Security Context Overview    1
Common Uses for Security Contexts    2
Unsupported Features    2
Context Configuration Files    2
Context Configurations    2
System Configuration    2
Admin Context Configuration    3
How the Security Appliance Classifies Packets    3
Valid Classifier Criteria    3
Invalid Classifier Criteria    4
Classification Examples    5
Cascading Security Contexts    8
Management Access to Security Contexts    9
System Administrator Access    9
Context Administrator Access    10
Enabling or Disabling Multiple Context Mode    10
Backing Up the Single Mode Configuration    10
Enabling Multiple Context Mode    10
Restoring Single Context Mode    11

CHAPTER 4    Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance    1
Interface Overview    1

Understanding ASA 5505 Ports and Interfaces    2
Maximum Active VLAN Interfaces for Your License    2
Default Interface Configuration    4
VLAN MAC Addresses    4
Power Over Ethernet    4
Monitoring Traffic Using SPAN    4
Security Level Overview    5
Configuring VLAN Interfaces    5
Configuring Switch Ports as Access Ports    9
Configuring a Switch Port as a Trunk Port    11
Allowing Communication Between VLAN Interfaces on the Same Security Level    13

CHAPTER 5    Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces    1
Configuring and Enabling RJ-45 Interfaces    1
RJ-45 Interface Overview    1
Default State of Physical Interfaces    2
Connector Types    2
Auto-MDI/MDIX Feature    2
Configuring the RJ-45 Interface    2
Configuring and Enabling Fiber Interfaces    3
Default State of Physical Interfaces    3
Configuring the Fiber Interface    4
Configuring a Redundant Interface    4
Redundant Interface Overview    5
Default State of Redundant Interfaces    5
Redundant Interfaces and Failover Guidelines    5
Redundant Interface MAC Address    5
Physical Interface Guidelines    5
Adding a Redundant Interface    6
Changing the Active Interface    7
Configuring VLAN Subinterfaces and 802.1Q Trunking    7
Subinterface Overview    7
Default State of Subinterfaces    7
Maximum Subinterfaces    8
Preventing Untagged Packets on the Physical Interface    8
Adding a Subinterface    8

CHAPTER 6    Adding and Managing Security Contexts    1
Configuring Resource Management    1
Classes and Class Members Overview    1
Resource Limits    2
Default Class    3
Class Members    4
Configuring a Class    4
Configuring a Security Context    7
Automatically Assigning MAC Addresses to Context Interfaces    11
Changing Between Contexts and the System Execution Space    12
Managing Security Contexts    12
Removing a Security Context    12
Changing the Admin Context    13
Changing the Security Context URL    13
Reloading a Security Context    14
Reloading by Clearing the Configuration    14
Reloading by Removing and Re-adding the Context    15
Monitoring Security Contexts    15
Viewing Context Information    15
Viewing Resource Allocation    16
Viewing Resource Usage    19
Monitoring SYN Attacks in Contexts    20

CHAPTER 7    Configuring Interface Parameters    1
Security Level Overview    1
Configuring Interface Parameters    2
Interface Parameters Overview    2
Default State of Interfaces    3
Default Security Level    3
Multiple Context Mode Guidelines    3
Configuring the Interface    3
Allowing Communication Between Interfaces on the Same Security Level    7

CHAPTER 8    Configuring Basic Settings    1
Changing the Login Password    1
Changing the Enable Password    1
Setting the Hostname    2
Setting the Domain Name    2

Setting the Date and Time    2
Setting the Time Zone and Daylight Saving Time Date Range    3
Setting the Date and Time Using an NTP Server    4
Setting the Date and Time Manually    4
Setting the Management IP Address for a Transparent Firewall    5

CHAPTER 9    Configuring IP Routing    1
Configuring Static and Default Routes    1
Configuring a Static Route    2
Configuring a Default Static Route    3
Configuring Static Route Tracking    4
Defining Route Maps    6
Configuring OSPF    7
OSPF Overview    8
Enabling OSPF    8
Redistributing Routes Into OSPF    9
Configuring OSPF Interface Parameters    10
Configuring OSPF Area Parameters    13
Configuring OSPF NSSA    13
Configuring Route Summarization Between OSPF Areas    15
Configuring Route Summarization When Redistributing Routes into OSPF    15
Defining Static OSPF Neighbors    16
Generating a Default Route    16
Configuring Route Calculation Timers    17
Logging Neighbors Going Up or Down    17
Displaying OSPF Update Packet Pacing    18
Monitoring OSPF    18
Restarting the OSPF Process    19
Configuring RIP    19
Enabling and Configuring RIP    19
Redistributing Routes into the RIP Routing Process    21
Configuring RIP Send/Receive Version on an Interface    21
Enabling RIP Authentication    22
Monitoring RIP    22
Configuring EIGRP    23
EIGRP Routing Overview    23
Enabling and Configuring EIGRP Routing    24
Enabling and Configuring EIGRP Stub Routing    25
Enabling EIGRP Authentication    26


Defining an EIGRP Neighbor    27
Redistributing Routes Into EIGRP    27
Configuring the EIGRP Hello Interval and Hold Time    28
Disabling Automatic Route Summarization    29
Configuring Summary Aggregate Addresses    29
Disabling EIGRP Split Horizon    29
Changing the Interface Delay Value    30
Monitoring EIGRP    30
Disabling Neighbor Change and Warning Message Logging    31
The Routing Table    31
Displaying the Routing Table    31
How the Routing Table is Populated    32
Backup Routes    33
How Forwarding Decisions are Made    33
Dynamic Routing and Failover    34

CHAPTER 10    Configuring DHCP, DDNS, and WCCP Services    1
Configuring a DHCP Server    1
Enabling the DHCP Server    2
Configuring DHCP Options    3
Using Cisco IP Phones with a DHCP Server    4
Configuring DHCP Relay Services    5
Configuring Dynamic DNS    6
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses    7
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration    7
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs.    8
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR    8
Example 5: Client Updates A RR; Server Updates PTR RR    9
Configuring Web Cache Services Using WCCP    9
WCCP Feature Support    9
WCCP Interaction With Other Features    10
Enabling WCCP Redirection    10

CHAPTER 11    Configuring Multicast Routing    13
Multicast Routing Overview    13
Enabling Multicast Routing    14

Configuring IGMP Features    14
Disabling IGMP on an Interface    15
Configuring Group Membership    15
Configuring a Statically Joined Group    15
Controlling Access to Multicast Groups    15
Limiting the Number of IGMP States on an Interface    16
Modifying the Query Interval and Query Timeout    16
Changing the Query Response Time    17
Changing the IGMP Version    17
Configuring Stub Multicast Routing    17
Configuring a Static Multicast Route    18
Configuring PIM Features    18
Disabling PIM on an Interface    18
Configuring a Static Rendezvous Point Address    19
Configuring the Designated Router Priority    19
Filtering PIM Register Messages    19
Configuring PIM Message Intervals    20
Configuring a Multicast Boundary    20
Filtering PIM Neighbors    20
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks    21
For More Information about Multicast Routing    22

CHAPTER 12    Configuring IPv6    1
IPv6-enabled Commands    1
Configuring IPv6    2
Configuring IPv6 on an Interface    3
Configuring a Dual IP Stack on an Interface    4
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses    4
Configuring IPv6 Duplicate Address Detection    4
Configuring IPv6 Default and Static Routes    5
Configuring IPv6 Access Lists    6
Configuring IPv6 Neighbor Discovery    7
Configuring Neighbor Solicitation Messages    7
Configuring Router Advertisement Messages    9
Configuring a Static IPv6 Neighbor    11
Verifying the IPv6 Configuration    11
The show ipv6 interface Command    11
The show ipv6 route Command    12

CHAPTER 13    Configuring AAA Servers and the Local Database    1
AAA Overview    1
About Authentication    2
About Authorization    2
About Accounting    2
AAA Server and Local Database Support    3
Summary of Support    3
RADIUS Server Support    4
Authentication Methods    4
Attribute Support    4
RADIUS Authorization Functions    4
TACACS+ Server Support    4
SDI Server Support    5
SDI Version Support    5
Two-step Authentication Process    5
SDI Primary and Replica Servers    5
NT Server Support    5
Kerberos Server Support    5
LDAP Server Support    6
SSO Support for WebVPN with HTTP Forms    6
Local Database Support    6
User Profiles    6
Fallback Support    7
Configuring the Local Database    7
Identifying AAA Server Groups and Servers    9
Configuring an LDAP Server    12
Authentication with LDAP    12
Authorization with LDAP for VPN    14
LDAP Attribute Mapping    14
Using Certificates and User Login Credentials    16
Using User Login Credentials    16
Using certificates    16
Supporting a Zone Labs Integrity Server    17
Overview of Integrity Server and Security Appliance Interaction    17
Configuring Integrity Server Support    18

CHAPTER 14    Configuring Failover    1
Understanding Failover    1

Failover System Requirements    2
Hardware Requirements    2
Software Requirements    2
License Requirements    2
The Failover and Stateful Failover Links    3
Failover Link    3
Stateful Failover Link    5
Active/Active and Active/Standby Failover    6
Active/Standby Failover    6
Active/Active Failover    10
Determining Which Type of Failover to Use    15
Regular and Stateful Failover    15
Regular Failover    15
Stateful Failover    15
Failover Health Monitoring    16
Unit Health Monitoring    17
Interface Monitoring    17
Failover Feature/Platform Matrix    18
Failover Times by Platform    18
Configuring Failover    19
Failover Configuration Limitations    19
Configuring Active/Standby Failover    19
Prerequisites    20
Configuring Cable-Based Active/Standby Failover (PIX 500 Series Security Appliance Only)    20
Configuring LAN-Based Active/Standby Failover    21
Configuring Optional Active/Standby Failover Settings    25
Configuring Active/Active Failover    27
Prerequisites    27
Configuring Cable-Based Active/Active Failover (PIX 500 series security appliance)    27
Configuring LAN-Based Active/Active Failover    29
Configuring Optional Active/Active Failover Settings    33
Configuring Unit Health Monitoring    39
Configuring Failover Communication Authentication/Encryption    39
Verifying the Failover Configuration    40
Using the show failover Command    40
Viewing Monitored Interfaces    48
Displaying the Failover Commands in the Running Configuration    48
Testing the Failover Functionality    49
Controlling and Monitoring Failover    49
Forcing Failover    49

Disabling Failover    50
Restoring a Failed Unit or Failover Group    50
Monitoring Failover    50
Failover System Messages    51
Debug Messages    51
SNMP    51
Remote Command Execution    51
Changing Command Modes    52
Security Considerations    53
Limitations of Remote Command Execution    53
Auto Update Server Support in Failover Configurations    54
Auto Update Process Overview    54
Monitoring the Auto Update Process    55

PART 2    Configuring the Firewall

CHAPTER 15    Firewall Mode Overview    1
Routed Mode Overview    1
IP Routing Support    1
How Data Moves Through the Security Appliance in Routed Firewall Mode    1
An Inside User Visits a Web Server    2
An Outside User Visits a Web Server on the DMZ    3
An Inside User Visits a Web Server on the DMZ    4
An Outside User Attempts to Access an Inside Host    5
A DMZ User Attempts to Access an Inside Host    6
Transparent Mode Overview    6
Transparent Firewall Network    7
Allowing Layer 3 Traffic    7
Allowed MAC Addresses    7
Passing Traffic Not Allowed in Routed Mode    7
MAC Address vs. Route Lookups    8
Using the Transparent Firewall in Your Network    9
Transparent Firewall Guidelines    9
Unsupported Features in Transparent Mode    10
How Data Moves Through the Transparent Firewall    11
An Inside User Visits a Web Server    12
An Inside User Visits a Web Server Using NAT    13
An Outside User Visits a Web Server on the Inside Network    14
An Outside User Attempts to Access an Inside Host    15

CHAPTER 16    Identifying Traffic with Access Lists    1
Access List Overview    1
Access List Types    2
Access Control Entry Order    2
Access Control Implicit Deny    3
IP Addresses Used for Access Lists When You Use NAT    3
Adding an Extended Access List    5
Extended Access List Overview    5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall    6
Adding an Extended ACE    6
Adding an EtherType Access List    8
EtherType Access List Overview    8
Supported EtherTypes    8
Implicit Permit of IP and ARPs Only    9
Implicit and Explicit Deny ACE at the End of an Access List    9
IPv6 Unsupported    9
Using Extended and EtherType Access Lists on the Same Interface    9
Allowing MPLS    9
Adding an EtherType ACE    10
Adding a Standard Access List    10
Adding a Webtype Access List    11
Simplifying Access Lists with Object Grouping    11
How Object Grouping Works    11
Adding Object Groups    12
Adding a Protocol Object Group    12
Adding a Network Object Group    13
Adding a Service Object Group    13
Adding an ICMP Type Object Group    14
Nesting Object Groups    15
Using Object Groups with an Access List    16
Displaying Object Groups    17
Removing Object Groups    17
Adding Remarks to Access Lists    17
Scheduling Extended Access List Activation    18
Adding a Time Range    18
Applying the Time Range to an ACE    19
Logging Access List Activity    19
Access List Logging Overview    19

Configuring Logging for an Access Control Entry    20
Managing Deny Flows    21

CHAPTER 17    Configuring NAT    1
NAT Overview    1
Introduction to NAT    1
NAT in Routed Mode    2
NAT in Transparent Mode    3
NAT Control    5
NAT Types    6
Dynamic NAT    6
PAT    8
Static NAT    9
Static PAT    9
Bypassing NAT When NAT Control is Enabled    10
Policy NAT    11
NAT and Same Security Level Interfaces    14
Order of NAT Commands Used to Match Real Addresses    15
Mapped Address Guidelines    15
DNS and NAT    16
Configuring NAT Control    17
Using Dynamic NAT and PAT    18
Dynamic NAT and PAT Implementation    18
Configuring Dynamic NAT or PAT    24
Using Static NAT    27
Using Static PAT    28
Bypassing NAT    31
Configuring Identity NAT    31
Configuring Static Identity NAT    32
Configuring NAT Exemption    34
NAT Examples    35
Overlapping Networks    35
Redirecting Ports    37

CHAPTER 18    Permitting or Denying Network Access    1
Inbound and Outbound Access List Overview    1
Applying an Access List to an Interface    2

CHAPTER 19    Applying AAA for Network Access    1
AAA Performance    1
Configuring Authentication for Network Access    1
Authentication Overview    2
One-Time Authentication    2
Applications Required to Receive an Authentication Challenge    2
Security Appliance Authentication Prompts    2
Static PAT and HTTP    3
Enabling Network Access Authentication    3
Enabling Secure Authentication of Web Clients    5
Authenticating Directly with the Security Appliance    6
Enabling Direct Authentication Using HTTP and HTTPS    6
Enabling Direct Authentication Using Telnet    7
Configuring Authorization for Network Access    8
Configuring TACACS+ Authorization    8
Configuring RADIUS Authorization    10
Configuring a RADIUS Server to Send Downloadable Access Control Lists    10
Configuring a RADIUS Server to Download Per-User Access Control List Names    14
Configuring Accounting for Network Access    14
Using MAC Addresses to Exempt Traffic from Authentication and Authorization    16

CHAPTER 20    Applying Filtering Services    1
Filtering Overview    1
Filtering ActiveX Objects    2
ActiveX Filtering Overview    2
Enabling ActiveX Filtering    2
Filtering Java Applets    3
Filtering URLs and FTP Requests with an External Server    4
URL Filtering Overview    4
Identifying the Filtering Server    4
Buffering the Content Server Response    6
Caching Server Addresses    6
Filtering HTTP URLs    7
Configuring HTTP Filtering    7
Enabling Filtering of Long HTTP URLs    7
Truncating Long HTTP URLs    7
Exempting Traffic from Filtering    8
Filtering HTTPS URLs    8

Filtering FTP Requests    9
Viewing Filtering Statistics and Configuration    9
Viewing Filtering Server Statistics    10
Viewing Buffer Configuration and Statistics    11
Viewing Caching Statistics    11
Viewing Filtering Performance Statistics    11
Viewing Filtering Configuration    12

CHAPTER 21    Using Modular Policy Framework    1
Modular Policy Framework Overview    1
Default Global Policy    2
Identifying Traffic Using a Layer 3/4 Class Map    2
Creating a Layer 3/4 Class Map for Through Traffic    3
Creating a Layer 3/4 Class Map for Management Traffic    5
Configuring Special Actions for Application Inspections    6
Creating a Regular Expression    6
Creating a Regular Expression Class Map    9
Identifying Traffic in an Inspection Class Map    10
Defining Actions in an Inspection Policy Map    11
Defining Actions Using a Layer 3/4 Policy Map    13
Layer 3/4 Policy Map Overview    13
Policy Map Guidelines    14
Supported Feature Types    14
Feature Directionality    14
Feature Matching Guidelines within a Policy Map    15
Feature Matching Guidelines for multiple Policy Maps    15
Order in Which Multiple Feature Actions are Applied    16
Default Layer 3/4 Policy Map    16
Adding a Layer 3/4 Policy Map    16
Applying a Layer 3/4 Policy to an Interface Using a Service Policy    18
Modular Policy Framework Examples    19
Applying Inspection and QoS Policing to HTTP Traffic    19
Applying Inspection to HTTP Traffic Globally    20
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers    21
Applying Inspection to HTTP Traffic with NAT    22

CHAPTER 22    Managing the AIP SSM and CSC SSM    1
Managing the AIP SSM    1
AIP SSM Overview    1

How the AIP SSM Works with the Adaptive Security Appliance    2
Operating Modes    2
Using Virtual Sensors    3
AIP SSM Procedure Overview    4
Sessioning to the AIP SSM    5
Configuring the Security Policy on the AIP SSM    6
Assigning Virtual Sensors to Security Contexts    6
Diverting Traffic to the AIP SSM    8
Managing the CSC SSM    9
About the CSC SSM    10
Getting Started with the CSC SSM    12
Determining What Traffic to Scan    13
Limiting Connections Through the CSC SSM    15
Diverting Traffic to the CSC SSM    16
Checking SSM Status    18
Transferring an Image onto an SSM    19

CHAPTER 23    Preventing Network Attacks    1
Configuring Threat Detection    1
Configuring Basic Threat Detection    1
Basic Threat Detection Overview    2
Configuring Basic Threat Detection    2
Managing Basic Threat Statistics    4
Configuring Scanning Threat Detection    5
Enabling Scanning Threat Detection    5
Managing Shunned Hosts    6
Viewing Attackers and Targets    7
Configuring and Viewing Threat Statistics    7
Configuring Threat Statistics    7
Viewing Threat Statistics    8
Configuring TCP Normalization    11
Configuring Connection Limits and Timeouts    14
Connection Limit Overview    14
TCP Intercept Overview    14
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility    14
Dead Connection Detection (DCD) Overview    15
TCP Sequence Randomization Overview    15
Enabling Connection Limits and Timeouts    15
Preventing IP Spoofing    18

Configuring the Fragment Size    18
Blocking Unwanted Connections    19
Configuring IP Audit for Basic IPS Support    19

CHAPTER 24    Applying QoS Policies    1
Overview    1
QoS Concepts    2
Implementing QoS    2
Identifying Traffic for QoS    4
Defining a QoS Policy Map    5
Applying Rate Limiting    6
Activating the Service Policy    7
Applying Low Latency Queueing    8
Configuring Priority Queuing    8
Sizing the Priority Queue    8
Reducing Queue Latency    9
Configuring QoS    9
Viewing QoS Configuration    12
Viewing QoS Service Policy Configuration    12
Viewing QoS Policy Map Configuration    13
Viewing the Priority-Queue Configuration for an Interface    13
Viewing QoS Statistics    14
Viewing QoS Police Statistics    14
Viewing QoS Priority Statistics    14
Viewing QoS Priority Queue Statistics    15

CHAPTER 25    Configuring Application Layer Protocol Inspection    1
Inspection Engine Overview    2
When to Use Application Protocol Inspection    2
Inspection Limitations    3
Default Inspection Policy    3
Configuring Application Inspection    5
CTIQBE Inspection    10
CTIQBE Inspection Overview    10
Limitations and Restrictions    10
Verifying and Monitoring CTIQBE Inspection    11
DCERPC Inspection    12

DCERPC Overview    12
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control    12
DNS Inspection    13
How DNS Application Inspection Works    14
How DNS Rewrite Works    14
Configuring DNS Rewrite    15
Using the Static Command for DNS Rewrite    16
Using the Alias Command for DNS Rewrite    16
Configuring DNS Rewrite with Two NAT Zones    16
DNS Rewrite with Three NAT Zones    17
Configuring DNS Rewrite with Three NAT Zones    19
Verifying and Monitoring DNS Inspection    20
Configuring a DNS Inspection Policy Map for Additional Inspection Control    21
ESMTP Inspection    24
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control    24
FTP Inspection    27
FTP Inspection Overview    27
Using the strict Option    28
Configuring an FTP Inspection Policy Map for Additional Inspection Control    29
Verifying and Monitoring FTP Inspection    32
GTP Inspection    32
GTP Inspection Overview    33
Configuring a GTP Inspection Policy Map for Additional Inspection Control    34
Verifying and Monitoring GTP Inspection    37
H.323 Inspection    38
H.323 Inspection Overview    39
How H.323 Works    39
Limitations and Restrictions    40
Configuring an H.323 Inspection Policy Map for Additional Inspection Control    40
Configuring H.323 and H.225 Timeout Values    43
Verifying and Monitoring H.323 Inspection    43
Monitoring H.225 Sessions    44
Monitoring H.245 Sessions    44
Monitoring H.323 RAS Sessions    45
HTTP Inspection    45
HTTP Inspection Overview    45
Configuring an HTTP Inspection Policy Map for Additional Inspection Control    46
Instant Messaging Inspection    50
IM Inspection Overview    50

Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control    50
ICMP Inspection    53
ICMP Error Inspection    53
ILS Inspection    54
MGCP Inspection    55
MGCP Inspection Overview    55
Configuring an MGCP Inspection Policy Map for Additional Inspection Control    57
Configuring MGCP Timeout Values    58
Verifying and Monitoring MGCP Inspection    58
NetBIOS Inspection    59
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control    59
PPTP Inspection    61
RADIUS Accounting Inspection    61
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control    62
RSH Inspection    62
RTSP Inspection    62
RTSP Inspection Overview    62
Using RealPlayer    63
Restrictions and Limitations    63
Configuring an RTSP Inspection Policy Map for Additional Inspection Control    64
SIP Inspection    66
SIP Inspection Overview    66
Configuring a SIP Inspection Policy Map for Additional Inspection Control    66
SIP Instant Messaging    67
Configuring a SIP Inspection Policy Map for Additional Inspection Control    68
Configuring SIP Timeout Values    71
Verifying and Monitoring SIP Inspection    72
Skinny (SCCP) Inspection    72
SCCP Inspection Overview    72
Supporting Cisco IP Phones    73
Restrictions and Limitations    73
Verifying and Monitoring SCCP Inspection    74
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control    74
SMTP and Extended SMTP Inspection    76
SNMP Inspection    77
SQL*Net Inspection    78
Sun RPC Inspection    78
Sun RPC Inspection Overview    78

Managing Sun RPC Services    79
Verifying and Monitoring Sun RPC Inspection    79
TFTP Inspection    81
TLS Proxy for Encrypted Voice Inspection    81
Overview    81
Maximum TLS Proxy Sessions    82
Configuring TLS Proxy    82
Debugging TLS Proxy    86
CTL Client    89
XDMCP Inspection    91

CHAPTER 26    Configuring ARP Inspection and Bridging Parameters for Transparent Mode    1
Configuring ARP Inspection    1
ARP Inspection Overview    1
Adding a Static ARP Entry    2
Enabling ARP Inspection    2
Customizing the MAC Address Table    3
MAC Address Table Overview    3
Adding a Static MAC Address    3
Setting the MAC Address Timeout    4
Disabling MAC Address Learning    4
Viewing the MAC Address Table    4

PART 3    Configuring VPN

CHAPTER 27    Configuring IPSec and ISAKMP    1
Tunneling Overview    1
IPSec Overview    2
Configuring ISAKMP    2
ISAKMP Overview    3
Configuring ISAKMP Policies    5
Enabling ISAKMP on the Outside Interface    6
Disabling ISAKMP in Aggressive Mode    6
Determining an ID Method for ISAKMP Peers    7
Enabling IPSec over NAT-T    7
Using NAT-T    8
Enabling IPSec over TCP    8
Waiting for Active Sessions to Terminate Before Rebooting    9

Alerting Peers Before Disconnecting    9
Configuring Certificate Group Matching    9
Creating a Certificate Group Matching Rule and Policy    10
Using the Tunnel-group-map default-group Command    11
Configuring IPSec    11
Understanding IPSec Tunnels    12
Understanding Transform Sets    12
Defining Crypto Maps    12
Applying Crypto Maps to Interfaces    20
Using Interface Access Lists    20
Changing IPSec SA Lifetimes    22
Creating a Basic IPSec Configuration    22
Using Dynamic Crypto Maps    24
Providing Site-to-Site Redundancy    26
Viewing an IPSec Configuration    26
Clearing Security Associations    27
Clearing Crypto Map Configurations    27
Supporting the Nokia VPN Client    28

CHAPTER 28    Configuring L2TP over IPSec    1
L2TP Overview    1
IPSec Transport and Tunnel Modes    2
Configuring L2TP over IPSec Connections    3
Tunnel Group Switching    5
IKE Settings for Apple iPhone Compatibility    6
Viewing L2TP over IPSec Connection Information    6
Using L2TP Debug Commands    8
Enabling IPSec Debug    8
Getting Additional Information    8

CHAPTER 29    Setting General IPSec VPN Parameters    1
Configuring VPNs in Single, Routed Mode    1
Configuring IPSec to Bypass ACLs    1
Permitting Intra-Interface Traffic    2
NAT Considerations for Intra-Interface Traffic    3
Setting Maximum Active IPSec VPN Sessions    3
Using Client Update to Ensure Acceptable Client Revision Levels    3
Understanding Load Balancing    5

Implementing Load Balancing    6
Prerequisites    6
Eligible Platforms    7
Eligible Clients    7
VPN Load-Balancing Cluster Configurations    7
Some Typical Mixed Cluster Scenarios    8
Scenario 1: Mixed Cluster with No WebVPN Connections    8
Scenario 2: Mixed Cluster Handling WebVPN Connections    8
Configuring Load Balancing    9
Configuring the Public and Private Interfaces for Load Balancing    9
Configuring the Load Balancing Cluster Attributes    10
Enabling Redirection Using a Fully-qualified Domain Name    11
Configuring VPN Session Limits    12

CHAPTER 30    Configuring Connection Profiles, Group Policies, and Users    1
Overview of Connection Profiles, Group Policies, and Users    1
Connection Profiles    2
General Connection Profile Connection Parameters    3
IPSec Tunnel-Group Connection Parameters    4
Connection Profile Connection Parameters for Clientless SSL VPN Sessions    5
Configuring Connection Profiles    6
Default IPSec Remote Access Connection Profile Configuration    6
Configuring IPSec Tunnel-Group General Attributes    7
Configuring IPSec Remote-Access Connection Profiles    7
Specifying a Name and Type for the IPSec Remote Access Connection Profile    7
Configuring IPSec Remote-Access Connection Profile General Attributes    8
Enabling IPv6 VPN Access    12
Configuring IPSec Remote-Access Connection Profile IPSec Attributes    13
Configuring IPSec Remote-Access Connection Profile PPP Attributes    15
Configuring LAN-to-LAN Connection Profiles    16
Default LAN-to-LAN Connection Profile Configuration    16
Specifying a Name and Type for a LAN-to-LAN Connection Profile    16
Configuring LAN-to-LAN Connection Profile General Attributes    16
Configuring LAN-to-LAN IPSec Attributes    17
Configuring Connection Profiles for Clientless SSL VPN Sessions    19
Specifying a Connection Profile Name and Type for Clientless SSL VPN Sessions    19
Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions    19
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions    22
Customizing Login Windows for Users of Clientless SSL VPN sessions    26

Configuring Microsoft Active Directory Settings for Password Management    27
Using Active Directory to Force the User to Change Password at Next Logon    28
Using Active Directory to Specify Maximum Password Age    29
Using Active Directory to Override an Account Disabled AAA Indicator    30
Using Active Directory to Enforce Minimum Password Length    31
Using Active Directory to Enforce Password Complexity    32
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client    33
AnyConnect Client and RADIUS/SDI Server Interaction    33
Configuring the Security Appliance to Support RADIUS/SDI Messages    34
Group Policies    35
Default Group Policy    36
Configuring Group Policies    37
Configuring an External Group Policy    37
Configuring an Internal Group Policy    38
Configuring Group Policy Attributes    39
Configuring WINS and DNS Servers    39
Configuring VPN-Specific Attributes    40
Configuring Security Attributes    43
Configuring the Banner Message    45
Configuring IPSec-UDP Attributes    45
Configuring Split-Tunneling Attributes    46
Configuring Domain Attributes for Tunneling    47
Configuring Attributes for VPN Hardware Clients    49
Configuring Backup Server Attributes    52
Configuring Microsoft Internet Explorer Client Parameters    53
Configuring Network Admission Control Parameters    55
Configuring Address Pools    58
Configuring Firewall Policies    59
Configuring Client Access Rules    62
Configuring Group-Policy Attributes for Clientless SSL VPN Sessions    63
Configuring User Attributes    74
Viewing the Username Configuration    74
Configuring Attributes for Specific Users    75
Setting a User Password and Privilege Level    75
Configuring User Attributes    75
Configuring VPN User Attributes    76
Configuring Clientless SSL VPN Access for Specific Users    80

CHAPTER 31    Configuring IP Addresses for VPNs    1
Configuring an IP Address Assignment Method    1
Configuring Local IP Address Pools    2
Configuring AAA Addressing    2
Configuring DHCP Addressing    3

CHAPTER 32    Configuring Remote Access IPSec VPNs    1
Summary of the Configuration    1
Configuring Interfaces    2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface    3
Configuring an Address Pool    4
Adding a User    4
Creating a Transform Set    4
Defining a Tunnel Group    5
Creating a Dynamic Crypto Map    6
Creating a Crypto Map Entry to Use the Dynamic Crypto Map    7
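The Chapter 32 headings above are the steps of one procedure: interface, ISAKMP policy, address pool, user, transform set, tunnel group, dynamic crypto map, and the crypto map entry that binds it all to the outside interface. The following ASA 8.0 configuration is an added example walking through those steps in order; it is not taken from the guide, and the interface, addresses, pool name, tunnel-group name, map names, and credential placeholders are assumptions chosen for illustration.

```cisco
! Step 1: outside interface (assumed interface name and RFC 5737 address)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
! Step 2: ISAKMP (IKEv1) policy, then enable ISAKMP on the outside interface.
! AES-256/SHA-1 with DH group 2; group 2 is the floor most legacy IPSec
! clients accept, so use a stronger group only if every client supports it.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Allow clients behind NAT devices to negotiate NAT-T (keepalive 20 s).
crypto isakmp nat-traversal 20
!
! Step 3: address pool handed to connecting clients (assumed range)
ip local pool vpnpool 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Step 4: a local user for the client to authenticate with (placeholder password)
username alice password <set-a-strong-password>
!
! Step 5: transform set defining the IPSec (phase 2) protection
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
! Step 6: remote-access tunnel group tying the pool and the group PSK together
! (placeholder pre-shared key; use a long random value in practice)
tunnel-group ra-ipsec type remote-access
tunnel-group ra-ipsec general-attributes
 address-pool vpnpool
tunnel-group ra-ipsec ipsec-attributes
 pre-shared-key <set-a-long-random-group-key>
!
! Step 7: dynamic crypto map, because remote-access peers have unknown addresses
crypto dynamic-map dyn-map 10 set transform-set ESP-AES-256-SHA
!
! Step 8: static crypto map entry that references the dynamic map (highest
! sequence number so static site-to-site entries are matched first),
! then apply the map to the outside interface.
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
crypto map outside_map interface outside
```

One caveat worth pairing with the "Disabling ISAKMP in Aggressive Mode" section in the ISAKMP chapter: remote-access clients that authenticate with a group pre-shared key, as in this example, negotiate IKE phase 1 in aggressive mode. Disabling aggressive mode on the appliance breaks those clients, so if your policy requires main mode only, move the tunnel group to certificate authentication rather than simply turning aggressive mode off. Verify the result with `show crypto isakmp sa` and `show crypto ipsec sa` after a client connects.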

CHAPTER 33    Configuring Network Admission Control    1
Overview    1
Uses, Requirements, and Limitations    2
Viewing the NAC Policies on the Security Appliance    2
Adding, Accessing, or Removing a NAC Policy    4
Configuring a NAC Policy    5
Specifying the Access Control Server Group    5
Setting the Query-for-Posture-Changes Timer    5
Setting the Revalidation Timer    6
Configuring the Default ACL for NAC    6
Configuring Exemptions from NAC    7
Assigning a NAC Policy to a Group Policy    8
Changing Global NAC Framework Settings    8
Changing Clientless Authentication Settings    8
Enabling and Disabling Clientless Authentication    9
Changing the Login Credentials Used for Clientless Authentication    9
Changing NAC Framework Session Attributes    10

CHAPTER 34    Configuring Easy VPN Services on the ASA 5505    1
Specifying the Client/Server Role of the Cisco ASA 5505    2