Americas Headquarters
Cisco Systems, Inc
170 West Tasman Drive
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco Security Appliance Command Line Configuration Guide
Copyright © 2007 Cisco Systems, Inc. All rights reserved.
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)
Obtaining Documentation, Obtaining Support, and Security Guidelines 43
P A R T 1 Getting Started and General Information
C H A P T E R 1 Introduction to the Security Appliance 1
Firewall Functional Overview 1
Security Policy Overview 2
Permitting or Denying Traffic with Access Lists 2
Applying NAT 2
Using AAA for Through Traffic 2
Applying HTTP, HTTPS, or FTP Filtering 3
Applying Application Inspection 3
Sending Traffic to the Advanced Inspection and Prevention Security Services Module 3
Sending Traffic to the Content Security and Control Security Services Module 3
Applying QoS Policies 3
Applying Connection Limits and TCP Normalization 3
Enabling Threat Detection 3
Firewall Mode Overview 4
Stateful Inspection Overview 4
VPN Functional Overview 5
Intrusion Prevention Services Functional Overview 6
Security Context Overview 6
C H A P T E R 2 Getting Started 1
Getting Started with Your Platform Model 1
Factory Default Configurations 1
Restoring the Factory Default Configuration 2
ASA 5505 Default Configuration 2
ASA 5510 and Higher Default Configuration 3
PIX 515/515E Default Configuration 4
Accessing the Command-Line Interface 4
Setting Transparent or Routed Firewall Mode 5
Working with the Configuration 6
Saving Configuration Changes 6
Saving Configuration Changes in Single Context Mode 7
Saving Configuration Changes in Multiple Context Mode 7
Copying the Startup Configuration to the Running Configuration 8
Viewing the Configuration 8
Clearing and Removing Configuration Settings 9
Creating Text Configuration Files Offline 9
C H A P T E R 3 Enabling Multiple Context Mode 1
Security Context Overview 1
Common Uses for Security Contexts 2
Unsupported Features 2
Context Configuration Files 2
Context Configurations 2
System Configuration 2
Admin Context Configuration 3
How the Security Appliance Classifies Packets 3
Valid Classifier Criteria 3
Invalid Classifier Criteria 4
Classification Examples 5
Cascading Security Contexts 8
Management Access to Security Contexts 9
System Administrator Access 9
Context Administrator Access 10
Enabling or Disabling Multiple Context Mode 10
Backing Up the Single Mode Configuration 10
Enabling Multiple Context Mode 10
Restoring Single Context Mode 11
C H A P T E R 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 1
Understanding ASA 5505 Ports and Interfaces 2
Maximum Active VLAN Interfaces for Your License 2
Default Interface Configuration 4
VLAN MAC Addresses 4
Power Over Ethernet 4
Monitoring Traffic Using SPAN 4
Security Level Overview 5
Configuring VLAN Interfaces 5
Configuring Switch Ports as Access Ports 9
Configuring a Switch Port as a Trunk Port 11
Allowing Communication Between VLAN Interfaces on the Same Security Level 13
C H A P T E R 5 Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces 1
Configuring and Enabling RJ-45 Interfaces 1
RJ-45 Interface Overview 1
Default State of Physical Interfaces 2
Connector Types 2
Auto-MDI/MDIX Feature 2
Configuring the RJ-45 Interface 2
Configuring and Enabling Fiber Interfaces 3
Default State of Physical Interfaces 3
Configuring the Fiber Interface 4
Configuring a Redundant Interface 4
Redundant Interface Overview 5
Default State of Redundant Interfaces 5
Redundant Interfaces and Failover Guidelines 5
Redundant Interface MAC Address 5
Physical Interface Guidelines 5
Adding a Redundant Interface 6
Changing the Active Interface 7
Configuring VLAN Subinterfaces and 802.1Q Trunking 7
C H A P T E R 6 Adding and Managing Security Contexts 1
Configuring Resource Management 1
Classes and Class Members Overview 1
Resource Limits 2
Default Class 3
Class Members 4
Configuring a Class 4
Configuring a Security Context 7
Automatically Assigning MAC Addresses to Context Interfaces 11
Changing Between Contexts and the System Execution Space 12
Managing Security Contexts 12
Removing a Security Context 12
Changing the Admin Context 13
Changing the Security Context URL 13
Reloading a Security Context 14
Reloading by Clearing the Configuration 14
Reloading by Removing and Re-adding the Context 15
Monitoring Security Contexts 15
Viewing Context Information 15
Viewing Resource Allocation 16
Viewing Resource Usage 19
Monitoring SYN Attacks in Contexts 20
C H A P T E R 7 Configuring Interface Parameters 1
Security Level Overview 1
Configuring Interface Parameters 2
Interface Parameters Overview 2
Default State of Interfaces 3
Default Security Level 3
Multiple Context Mode Guidelines 3
Configuring the Interface 3
Allowing Communication Between Interfaces on the Same Security Level 7
C H A P T E R 8 Configuring Basic Settings 1
Changing the Login Password 1
Changing the Enable Password 1
Setting the Hostname 2
Setting the Date and Time 2
Setting the Time Zone and Daylight Saving Time Date Range 3
Setting the Date and Time Using an NTP Server 4
Setting the Date and Time Manually 4
Setting the Management IP Address for a Transparent Firewall 5
C H A P T E R 9 Configuring IP Routing 1
Configuring Static and Default Routes 1
Configuring a Static Route 2
Configuring a Default Static Route 3
Configuring Static Route Tracking 4
Defining Route Maps 6
Configuring OSPF 7
OSPF Overview 8
Enabling OSPF 8
Redistributing Routes Into OSPF 9
Configuring OSPF Interface Parameters 10
Configuring OSPF Area Parameters 13
Configuring OSPF NSSA 13
Configuring Route Summarization Between OSPF Areas 15
Configuring Route Summarization When Redistributing Routes into OSPF 15
Defining Static OSPF Neighbors 16
Generating a Default Route 16
Configuring Route Calculation Timers 17
Logging Neighbors Going Up or Down 17
Displaying OSPF Update Packet Pacing 18
Monitoring OSPF 18
Restarting the OSPF Process 19
Configuring RIP 19
Enabling and Configuring RIP 19
Redistributing Routes into the RIP Routing Process 21
Configuring RIP Send/Receive Version on an Interface 21
Enabling RIP Authentication 22
Monitoring RIP 22
Configuring EIGRP 23
EIGRP Routing Overview 23
Enabling and Configuring EIGRP Routing 24
Enabling and Configuring EIGRP Stub Routing 25
Enabling EIGRP Authentication 26
Defining an EIGRP Neighbor 27
Redistributing Routes Into EIGRP 27
Configuring the EIGRP Hello Interval and Hold Time 28
Disabling Automatic Route Summarization 29
Configuring Summary Aggregate Addresses 29
Disabling EIGRP Split Horizon 29
Changing the Interface Delay Value 30
Monitoring EIGRP 30
Disabling Neighbor Change and Warning Message Logging 31
The Routing Table 31
Displaying the Routing Table 31
How the Routing Table is Populated 32
Backup Routes 33
How Forwarding Decisions are Made 33
Dynamic Routing and Failover 34
C H A P T E R 10 Configuring DHCP, DDNS, and WCCP Services 1
Configuring a DHCP Server 1
Enabling the DHCP Server 2
Configuring DHCP Options 3
Using Cisco IP Phones with a DHCP Server 4
Configuring DHCP Relay Services 5
Configuring Dynamic DNS 6
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 7
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration 7
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs 8
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR 8
Example 5: Client Updates A RR; Server Updates PTR RR 9
Configuring Web Cache Services Using WCCP 9
WCCP Feature Support 9
WCCP Interaction With Other Features 10
Enabling WCCP Redirection 10
C H A P T E R 11 Configuring Multicast Routing 13
Multicast Routing Overview 13
Configuring IGMP Features 14
Disabling IGMP on an Interface 15
Configuring Group Membership 15
Configuring a Statically Joined Group 15
Controlling Access to Multicast Groups 15
Limiting the Number of IGMP States on an Interface 16
Modifying the Query Interval and Query Timeout 16
Changing the Query Response Time 17
Changing the IGMP Version 17
Configuring Stub Multicast Routing 17
Configuring a Static Multicast Route 18
Configuring PIM Features 18
Disabling PIM on an Interface 18
Configuring a Static Rendezvous Point Address 19
Configuring the Designated Router Priority 19
Filtering PIM Register Messages 19
Configuring PIM Message Intervals 20
Configuring a Multicast Boundary 20
Filtering PIM Neighbors 20
Supporting Mixed Bidirectional/Sparse-Mode PIM Networks 21
For More Information about Multicast Routing 22
C H A P T E R 12 Configuring IPv6 1
IPv6-enabled Commands 1
Configuring IPv6 2
Configuring IPv6 on an Interface 3
Configuring a Dual IP Stack on an Interface 4
Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 4
Configuring IPv6 Duplicate Address Detection 4
Configuring IPv6 Default and Static Routes 5
Configuring IPv6 Access Lists 6
Configuring IPv6 Neighbor Discovery 7
Configuring Neighbor Solicitation Messages 7
Configuring Router Advertisement Messages 9
Configuring a Static IPv6 Neighbor 11
Verifying the IPv6 Configuration 11
The show ipv6 interface Command 11
The show ipv6 route Command 12
C H A P T E R 13 Configuring AAA Servers and the Local Database 1
RADIUS Authorization Functions 4
TACACS+ Server Support 4
SDI Server Support 5
SDI Version Support 5
Two-step Authentication Process 5
SDI Primary and Replica Servers 5
NT Server Support 5
Kerberos Server Support 5
LDAP Server Support 6
SSO Support for WebVPN with HTTP Forms 6
Local Database Support 6
User Profiles 6
Fallback Support 7
Configuring the Local Database 7
Identifying AAA Server Groups and Servers 9
Configuring an LDAP Server 12
Authentication with LDAP 12
Authorization with LDAP for VPN 14
LDAP Attribute Mapping 14
Using Certificates and User Login Credentials 16
Using User Login Credentials 16
Using Certificates 16
Supporting a Zone Labs Integrity Server 17
Overview of Integrity Server and Security Appliance Interaction 17
Configuring Integrity Server Support 18
C H A P T E R 14 Configuring Failover 1
Understanding Failover
Failover System Requirements 2
Stateful Failover Link 5
Active/Active and Active/Standby Failover 6
Active/Standby Failover 6
Active/Active Failover 10
Determining Which Type of Failover to Use 15
Regular and Stateful Failover 15
Regular Failover 15
Stateful Failover 15
Failover Health Monitoring 16
Unit Health Monitoring 17
Interface Monitoring 17
Failover Feature/Platform Matrix 18
Failover Times by Platform 18
Configuring Failover 19
Failover Configuration Limitations 19
Configuring Active/Standby Failover 19
Prerequisites 20
Configuring Cable-Based Active/Standby Failover (PIX 500 Series Security Appliance Only) 20
Configuring LAN-Based Active/Standby Failover 21
Configuring Optional Active/Standby Failover Settings 25
Configuring Active/Active Failover 27
Prerequisites 27
Configuring Cable-Based Active/Active Failover (PIX 500 series security appliance) 27
Configuring LAN-Based Active/Active Failover 29
Configuring Optional Active/Active Failover Settings 33
Configuring Unit Health Monitoring 39
Configuring Failover Communication Authentication/Encryption 39
Verifying the Failover Configuration 40
Using the show failover Command 40
Viewing Monitored Interfaces 48
Displaying the Failover Commands in the Running Configuration 48
Testing the Failover Functionality 49
Controlling and Monitoring Failover 49
Forcing Failover 49
Remote Command Execution 51
Changing Command Modes 52
Security Considerations 53
Limitations of Remote Command Execution 53
Auto Update Server Support in Failover Configurations 54
Auto Update Process Overview 54
Monitoring the Auto Update Process 55
P A R T 2 Configuring the Firewall
C H A P T E R 15 Firewall Mode Overview 1
Routed Mode Overview 1
IP Routing Support 1
How Data Moves Through the Security Appliance in Routed Firewall Mode 1
An Inside User Visits a Web Server 2
An Outside User Visits a Web Server on the DMZ 3
An Inside User Visits a Web Server on the DMZ 4
An Outside User Attempts to Access an Inside Host 5
A DMZ User Attempts to Access an Inside Host 6
Transparent Mode Overview 6
Transparent Firewall Network 7
Allowing Layer 3 Traffic 7
Allowed MAC Addresses 7
Passing Traffic Not Allowed in Routed Mode 7
MAC Address vs Route Lookups 8
Using the Transparent Firewall in Your Network 9
Transparent Firewall Guidelines 9
Unsupported Features in Transparent Mode 10
How Data Moves Through the Transparent Firewall 11
An Inside User Visits a Web Server 12
An Inside User Visits a Web Server Using NAT 13
An Outside User Visits a Web Server on the Inside Network 14
C H A P T E R 16 Identifying Traffic with Access Lists 1
Access List Overview 1
Access List Types 2
Access Control Entry Order 2
Access Control Implicit Deny 3
IP Addresses Used for Access Lists When You Use NAT 3
Adding an Extended Access List 5
Extended Access List Overview 5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall 6
Adding an Extended ACE 6
Adding an EtherType Access List 8
EtherType Access List Overview 8
Supported EtherTypes 8
Implicit Permit of IP and ARPs Only 9
Implicit and Explicit Deny ACE at the End of an Access List 9
IPv6 Unsupported 9
Using Extended and EtherType Access Lists on the Same Interface 9
Allowing MPLS 9
Adding an EtherType ACE 10
Adding a Standard Access List 10
Adding a Webtype Access List 11
Simplifying Access Lists with Object Grouping 11
How Object Grouping Works 11
Adding Object Groups 12
Adding a Protocol Object Group 12
Adding a Network Object Group 13
Adding a Service Object Group 13
Adding an ICMP Type Object Group 14
Nesting Object Groups 15
Using Object Groups with an Access List 16
Displaying Object Groups 17
Removing Object Groups 17
Adding Remarks to Access Lists 17
Scheduling Extended Access List Activation 18
Adding a Time Range 18
Applying the Time Range to an ACE 19
Logging Access List Activity 19
Access List Logging Overview 19
Configuring Logging for an Access Control Entry 20
Managing Deny Flows 21
C H A P T E R 17 Configuring NAT 1
NAT Overview 1
Introduction to NAT 1
NAT in Routed Mode 2
NAT in Transparent Mode 3
NAT and Same Security Level Interfaces 14
Order of NAT Commands Used to Match Real Addresses 15
Mapped Address Guidelines 15
DNS and NAT 16
Configuring NAT Control 17
Using Dynamic NAT and PAT 18
Dynamic NAT and PAT Implementation 18
Configuring Dynamic NAT or PAT 24
Using Static NAT 27
Using Static PAT 28
Bypassing NAT 31
Configuring Identity NAT 31
Configuring Static Identity NAT 32
Configuring NAT Exemption 34
NAT Examples 35
Overlapping Networks 35
Redirecting Ports 37
C H A P T E R 18 Permitting or Denying Network Access 1
Inbound and Outbound Access List Overview 1
Applying an Access List to an Interface 2
C H A P T E R 19 Applying AAA for Network Access 1
AAA Performance 1
Configuring Authentication for Network Access 1
Authentication Overview 2
One-Time Authentication 2
Applications Required to Receive an Authentication Challenge 2
Security Appliance Authentication Prompts 2
Static PAT and HTTP 3
Enabling Network Access Authentication 3
Enabling Secure Authentication of Web Clients 5
Authenticating Directly with the Security Appliance 6
Enabling Direct Authentication Using HTTP and HTTPS 6
Enabling Direct Authentication Using Telnet 7
Configuring Authorization for Network Access 8
Configuring TACACS+ Authorization 8
Configuring RADIUS Authorization 10
Configuring a RADIUS Server to Send Downloadable Access Control Lists 10
Configuring a RADIUS Server to Download Per-User Access Control List Names 14
Configuring Accounting for Network Access 14
Using MAC Addresses to Exempt Traffic from Authentication and Authorization 16
C H A P T E R 20 Applying Filtering Services 1
Filtering Overview 1
Filtering ActiveX Objects 2
ActiveX Filtering Overview 2
Enabling ActiveX Filtering 2
Filtering Java Applets 3
Filtering URLs and FTP Requests with an External Server 4
URL Filtering Overview 4
Identifying the Filtering Server 4
Buffering the Content Server Response 6
Caching Server Addresses 6
Filtering HTTP URLs 7
Configuring HTTP Filtering 7
Enabling Filtering of Long HTTP URLs 7
Truncating Long HTTP URLs 7
Exempting Traffic from Filtering 8
Filtering HTTPS URLs 8
Filtering FTP Requests 9
Viewing Filtering Statistics and Configuration 9
Viewing Filtering Server Statistics 10
Viewing Buffer Configuration and Statistics 11
Viewing Caching Statistics 11
Viewing Filtering Performance Statistics 11
Viewing Filtering Configuration 12
C H A P T E R 21 Using Modular Policy Framework 1
Modular Policy Framework Overview 1
Default Global Policy 2
Identifying Traffic Using a Layer 3/4 Class Map 2
Creating a Layer 3/4 Class Map for Through Traffic 3
Creating a Layer 3/4 Class Map for Management Traffic 5
Configuring Special Actions for Application Inspections 6
Creating a Regular Expression 6
Creating a Regular Expression Class Map 9
Identifying Traffic in an Inspection Class Map 10
Defining Actions in an Inspection Policy Map 11
Defining Actions Using a Layer 3/4 Policy Map 13
Layer 3/4 Policy Map Overview 13
Policy Map Guidelines 14
Supported Feature Types 14
Feature Directionality 14
Feature Matching Guidelines within a Policy Map 15
Feature Matching Guidelines for Multiple Policy Maps 15
Order in Which Multiple Feature Actions are Applied 16
Default Layer 3/4 Policy Map 16
Adding a Layer 3/4 Policy Map 16
Applying a Layer 3/4 Policy to an Interface Using a Service Policy 18
Modular Policy Framework Examples 19
Applying Inspection and QoS Policing to HTTP Traffic 19
Applying Inspection to HTTP Traffic Globally 20
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21
Applying Inspection to HTTP Traffic with NAT 22
C H A P T E R 22 Managing the AIP SSM and CSC SSM 1
Managing the AIP SSM 1
How the AIP SSM Works with the Adaptive Security Appliance 2
Operating Modes 2
Using Virtual Sensors 3
AIP SSM Procedure Overview 4
Sessioning to the AIP SSM 5
Configuring the Security Policy on the AIP SSM 6
Assigning Virtual Sensors to Security Contexts 6
Diverting Traffic to the AIP SSM 8
Managing the CSC SSM 9
About the CSC SSM 10
Getting Started with the CSC SSM 12
Determining What Traffic to Scan 13
Limiting Connections Through the CSC SSM 15
Diverting Traffic to the CSC SSM 16
Checking SSM Status 18
Transferring an Image onto an SSM 19
C H A P T E R 23 Preventing Network Attacks 1
Configuring Threat Detection 1
Configuring Basic Threat Detection 1
Basic Threat Detection Overview 2
Configuring Basic Threat Detection 2
Managing Basic Threat Statistics 4
Configuring Scanning Threat Detection 5
Enabling Scanning Threat Detection 5
Managing Shunned Hosts 6
Viewing Attackers and Targets 7
Configuring and Viewing Threat Statistics 7
Configuring Threat Statistics 7
Viewing Threat Statistics 8
Configuring TCP Normalization 11
Configuring Connection Limits and Timeouts 14
Connection Limit Overview 14
TCP Intercept Overview 14
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 14
Dead Connection Detection (DCD) Overview 15
TCP Sequence Randomization Overview 15
Enabling Connection Limits and Timeouts 15
Preventing IP Spoofing 18
Configuring the Fragment Size 18
Blocking Unwanted Connections 19
Configuring IP Audit for Basic IPS Support 19
C H A P T E R 24 Applying QoS Policies 1
Overview 1
QoS Concepts 2
Implementing QoS 2
Identifying Traffic for QoS 4
Defining a QoS Policy Map 5
Applying Rate Limiting 6
Activating the Service Policy 7
Applying Low Latency Queueing 8
Configuring Priority Queuing 8
Sizing the Priority Queue 8
Reducing Queue Latency 9
Configuring QoS 9
Viewing QoS Configuration 12
Viewing QoS Service Policy Configuration 12
Viewing QoS Policy Map Configuration 13
Viewing the Priority-Queue Configuration for an Interface 13
Viewing QoS Statistics 14
Viewing QoS Police Statistics 14
Viewing QoS Priority Statistics 14
Viewing QoS Priority Queue Statistics 15
C H A P T E R 25 Configuring Application Layer Protocol Inspection 1
Inspection Engine Overview 2
When to Use Application Protocol Inspection 2
Inspection Limitations 3
Default Inspection Policy 3
Configuring Application Inspection 5
CTIQBE Inspection 10
CTIQBE Inspection Overview 10
Limitations and Restrictions 10
Verifying and Monitoring CTIQBE Inspection 11
DCERPC Overview 12
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 12
DNS Inspection 13
How DNS Application Inspection Works 14
How DNS Rewrite Works 14
Configuring DNS Rewrite 15
Using the Static Command for DNS Rewrite 16
Using the Alias Command for DNS Rewrite 16
Configuring DNS Rewrite with Two NAT Zones 16
DNS Rewrite with Three NAT Zones 17
Configuring DNS Rewrite with Three NAT Zones 19
Verifying and Monitoring DNS Inspection 20
Configuring a DNS Inspection Policy Map for Additional Inspection Control 21
ESMTP Inspection 24
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 24
FTP Inspection 27
FTP Inspection Overview 27
Using the strict Option 28
Configuring an FTP Inspection Policy Map for Additional Inspection Control 29
Verifying and Monitoring FTP Inspection 32
GTP Inspection 32
GTP Inspection Overview 33
Configuring a GTP Inspection Policy Map for Additional Inspection Control 34
Verifying and Monitoring GTP Inspection 37
H.323 Inspection 38
H.323 Inspection Overview 39
How H.323 Works 39
Limitations and Restrictions 40
Configuring an H.323 Inspection Policy Map for Additional Inspection Control 40
Configuring H.323 and H.225 Timeout Values 43
Verifying and Monitoring H.323 Inspection 43
Configuring an HTTP Inspection Policy Map for Additional Inspection Control 46
Instant Messaging Inspection 50
IM Inspection Overview 50
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 50
Configuring an MGCP Inspection Policy Map for Additional Inspection Control 57
Configuring MGCP Timeout Values 58
Verifying and Monitoring MGCP Inspection 58
NetBIOS Inspection 59
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 59
PPTP Inspection 61
RADIUS Accounting Inspection 61
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 62
RSH Inspection 62
RTSP Inspection 62
RTSP Inspection Overview 62
Using RealPlayer 63
Restrictions and Limitations 63
Configuring an RTSP Inspection Policy Map for Additional Inspection Control 64
SIP Inspection 66
SIP Inspection Overview 66
Configuring a SIP Inspection Policy Map for Additional Inspection Control 66
SIP Instant Messaging 67
Configuring a SIP Inspection Policy Map for Additional Inspection Control 68
Configuring SIP Timeout Values 71
Verifying and Monitoring SIP Inspection 72
Skinny (SCCP) Inspection 72
SCCP Inspection Overview 72
Supporting Cisco IP Phones 73
Restrictions and Limitations 73
Verifying and Monitoring SCCP Inspection 74
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 74
SMTP and Extended SMTP Inspection 76
SNMP Inspection 77
SQL*Net Inspection 78
Sun RPC Inspection 78
Managing Sun RPC Services 79
Verifying and Monitoring Sun RPC Inspection 79
C H A P T E R 26 Configuring ARP Inspection and Bridging Parameters for Transparent Mode 1
Configuring ARP Inspection 1
ARP Inspection Overview 1
Adding a Static ARP Entry 2
Enabling ARP Inspection 2
Customizing the MAC Address Table 3
MAC Address Table Overview 3
Adding a Static MAC Address 3
Setting the MAC Address Timeout 4
Disabling MAC Address Learning 4
Viewing the MAC Address Table 4
Configuring ISAKMP Policies 5
Enabling ISAKMP on the Outside Interface 6
Disabling ISAKMP in Aggressive Mode 6
Determining an ID Method for ISAKMP Peers 7
Enabling IPSec over NAT-T 7
Using NAT-T 8
Enabling IPSec over TCP 8
Waiting for Active Sessions to Terminate Before Rebooting 9
Alerting Peers Before Disconnecting 9
Configuring Certificate Group Matching 9
Creating a Certificate Group Matching Rule and Policy 10
Using the Tunnel-group-map default-group Command 11
Configuring IPSec 11
Understanding IPSec Tunnels 12
Understanding Transform Sets 12
Defining Crypto Maps 12
Applying Crypto Maps to Interfaces 20
Using Interface Access Lists 20
Changing IPSec SA Lifetimes 22
Creating a Basic IPSec Configuration 22
Using Dynamic Crypto Maps 24
Providing Site-to-Site Redundancy 26
Viewing an IPSec Configuration 26
Clearing Security Associations 27
Clearing Crypto Map Configurations 27
Supporting the Nokia VPN Client 28
C H A P T E R 28 Configuring L2TP over IPSec 1
L2TP Overview 1
IPSec Transport and Tunnel Modes 2
Configuring L2TP over IPSec Connections 3
Tunnel Group Switching 5
IKE Settings for Apple iPhone Compatibility 6
Viewing L2TP over IPSec Connection Information 6
Using L2TP Debug Commands 8
Enabling IPSec Debug 8
Getting Additional Information 8
C H A P T E R 29 Setting General IPSec VPN Parameters 1
Configuring VPNs in Single, Routed Mode 1
Configuring IPSec to Bypass ACLs 1
Permitting Intra-Interface Traffic 2
NAT Considerations for Intra-Interface Traffic 3
Setting Maximum Active IPSec VPN Sessions 3
Using Client Update to Ensure Acceptable Client Revision Levels 3
Implementing Load Balancing 6
Prerequisites 6
Eligible Platforms 7
Eligible Clients 7
VPN Load-Balancing Cluster Configurations 7
Some Typical Mixed Cluster Scenarios 8
Scenario 1: Mixed Cluster with No WebVPN Connections 8
Scenario 2: Mixed Cluster Handling WebVPN Connections 8
Configuring the Public and Private Interfaces for Load Balancing 9
Configuring the Load Balancing Cluster Attributes 10
Enabling Redirection Using a Fully-qualified Domain Name 11
Configuring VPN Session Limits 12
C H A P T E R 30 Configuring Connection Profiles, Group Policies, and Users 1
Overview of Connection Profiles, Group Policies, and Users 1
Connection Profiles 2
General Connection Profile Connection Parameters 3
IPSec Tunnel-Group Connection Parameters 4
Connection Profile Connection Parameters for Clientless SSL VPN Sessions 5
Configuring Connection Profiles 6
Default IPSec Remote Access Connection Profile Configuration 6
Configuring IPSec Tunnel-Group General Attributes 7
Configuring IPSec Remote-Access Connection Profiles 7
Specifying a Name and Type for the IPSec Remote Access Connection Profile 7
Configuring IPSec Remote-Access Connection Profile General Attributes 8
Enabling IPv6 VPN Access 12
Configuring IPSec Remote-Access Connection Profile IPSec Attributes 13
Configuring IPSec Remote-Access Connection Profile PPP Attributes 15
Configuring LAN-to-LAN Connection Profiles 16
Default LAN-to-LAN Connection Profile Configuration 16
Specifying a Name and Type for a LAN-to-LAN Connection Profile 16
Configuring LAN-to-LAN Connection Profile General Attributes 16
Configuring LAN-to-LAN IPSec Attributes 17
Configuring Connection Profiles for Clientless SSL VPN Sessions 19
Specifying a Connection Profile Name and Type for Clientless SSL VPN Sessions 19
Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions 19
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions 22
Customizing Login Windows for Users of Clientless SSL VPN Sessions 26
Configuring Microsoft Active Directory Settings for Password Management 27
Using Active Directory to Force the User to Change Password at Next Logon 28
Using Active Directory to Specify Maximum Password Age 29
Using Active Directory to Override an Account Disabled AAA Indicator 30
Using Active Directory to Enforce Minimum Password Length 31
Using Active Directory to Enforce Password Complexity 32
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client 33
AnyConnect Client and RADIUS/SDI Server Interaction 33
Configuring the Security Appliance to Support RADIUS/SDI Messages 34
Group Policies 35
Default Group Policy 36
Configuring Group Policies 37
Configuring an External Group Policy 37
Configuring an Internal Group Policy 38
Configuring Group Policy Attributes 39
Configuring WINS and DNS Servers 39
Configuring VPN-Specific Attributes 40
Configuring Security Attributes 43
Configuring the Banner Message 45
Configuring IPSec-UDP Attributes 45
Configuring Split-Tunneling Attributes 46
Configuring Domain Attributes for Tunneling 47
Configuring Attributes for VPN Hardware Clients 49
Configuring Backup Server Attributes 52
Configuring Microsoft Internet Explorer Client Parameters 53
Configuring Network Admission Control Parameters 55
Configuring Address Pools 58
Configuring Firewall Policies 59
Configuring Client Access Rules 62
Configuring Group-Policy Attributes for Clientless SSL VPN Sessions 63
Configuring User Attributes 74
Viewing the Username Configuration 74
Configuring Attributes for Specific Users 75
Setting a User Password and Privilege Level 75
Configuring User Attributes 75
Configuring VPN User Attributes 76
Configuring Clientless SSL VPN Access for Specific Users 80
C H A P T E R 31 Configuring IP Addresses for VPNs 1
Configuring an IP Address Assignment Method 1
Configuring Local IP Address Pools 2
Configuring AAA Addressing 2
Configuring DHCP Addressing 3
C H A P T E R 32 Configuring Remote Access IPSec VPNs 1
Summary of the Configuration 1
Configuring Interfaces 2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 3
Configuring an Address Pool 4
Adding a User 4
Creating a Transform Set 4
Defining a Tunnel Group 5
Creating a Dynamic Crypto Map 6
Creating a Crypto Map Entry to Use the Dynamic Crypto Map 7
C H A P T E R 33 Configuring Network Admission Control 1
Overview 1
Uses, Requirements, and Limitations 2
Viewing the NAC Policies on the Security Appliance 2
Adding, Accessing, or Removing a NAC Policy 4
Configuring a NAC Policy 5
Specifying the Access Control Server Group 5
Setting the Query-for-Posture-Changes Timer 5
Setting the Revalidation Timer 6
Configuring the Default ACL for NAC 6
Configuring Exemptions from NAC 7
Assigning a NAC Policy to a Group Policy 8
Changing Global NAC Framework Settings 8
Changing Clientless Authentication Settings 8
Enabling and Disabling Clientless Authentication 9
Changing the Login Credentials Used for Clientless Authentication 9
Changing NAC Framework Session Attributes 10
C H A P T E R 34 Configuring Easy VPN Services on the ASA 5505 1
Specifying the Client/Server Role of the Cisco ASA 5505 2
Specifying the Primary and Secondary Servers 3
Specifying the Mode 3
Configuring Automatic Xauth Authentication 4
Configuring IPSec Over TCP 4
Comparing Tunneling Options 5
Specifying the Tunnel Group or Trustpoint 6
Specifying the Tunnel Group 6
Specifying the Trustpoint 7
Configuring Split Tunneling 8
Configuring Device Pass-Through 8
Configuring Remote Management 9
Guidelines for Configuring the Easy VPN Server 9
Group Policy and User Attributes Pushed to the Client 10
Authentication Options 12
C H A P T E R 35 Configuring the PPPoE Client 1
PPPoE Client Overview 1
Configuring the PPPoE Client Username and Password 2
Enabling PPPoE 3
Using PPPoE with a Fixed IP Address 3
Monitoring and Debugging the PPPoE Client 4
Clearing the Configuration 5
Using Related Commands 5
C H A P T E R 36 Configuring LAN-to-LAN IPSec VPNs 1
Summary of the Configuration 1
Configuring Interfaces 2
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 2
Creating a Transform Set 4
Configuring an ACL 4
Defining a Tunnel Group 5
Creating a Crypto Map and Applying It To an Interface 6
Applying Crypto Maps to Interfaces 7
C H A P T E R 37 Configuring Clientless SSL VPN 1
Getting Started
Observing Clientless SSL VPN Security Precautions 2
Understanding Features Not Supported in Clientless SSL VPN 3
Using SSL to Access the Central Site 3
Using HTTPS for Clientless SSL VPN Sessions 3
Configuring Clientless SSL VPN and ASDM Ports 4
Configuring Support for Proxy Servers 4
Configuring SSL/TLS Encryption Protocols 5
Authenticating with Digital Certificates 6
Enabling Cookies on Browsers for Clientless SSL VPN 6
Managing Passwords 6
Using Single Sign-on with Clientless SSL VPN 8
Configuring SSO with HTTP Basic or NTLM Authentication 8
Configuring SSO Authentication Using SiteMinder 9
Configuring SSO Authentication Using SAML Browser Post Profile 12
Configuring SSO with the HTTP Form Protocol 14
Authenticating with Digital Certificates 20
Creating and Applying Clientless SSL VPN Resources 21
Assigning Users to Group Policies 21
Using the Security Appliance Authentication Server 21
Using a RADIUS Server 21
Configuring Connection Profile Attributes for Clientless SSL VPN 21
Configuring Group Policy and User Attributes for Clientless SSL VPN 22
Configuring Browser Access to Client-Server Plug-ins 23
About Installing Browser Plug-Ins 24
Preparing the Security Appliance for a Plug-in 25
Providing Access to Plug-ins Redistributed By Cisco 25
Providing Access to Plug-ins Not Redistributed By Cisco—Example: Citrix Java Presentation Server Client Plug-in 27
Preparing the Citrix MetaFrame Server for Clientless SSL VPN Access 28
Creating and Installing the Citrix Plug-in 28
Providing a Bookmark and Optional SSO Support for Citrix Sessions 29
Viewing the Plug-ins Installed on the Security Appliance 30
Configuring Application Access 30
Configuring Port Forwarding 30
About Port Forwarding 30
Why Port Forwarding? 31
Port Forwarding Restrictions 31
Adding Applications to Be Eligible for Port Forwarding 32
Assigning a Port Forwarding List 33
Automating Port Forwarding 33
Enabling and Disabling Port Forwarding 34
Configuring Smart Tunnel Access 34
About Smart Tunnels 35
Why Smart Tunnels? 35
Smart Tunnel Requirements and Restrictions 35
Adding Applications to Be Eligible for Smart Tunnel Access 36
Assigning a Smart Tunnel List 38
Automating Smart Tunnel Access 38
Enabling and Disabling Smart Tunnel Access 39
Application Access User Notes 39
Closing Application Access to Prevent hosts File Errors 39
Recovering from hosts File Errors When Using Application Access 40
Configuring File Access 43
Adding Support for File Access 43
Using Clientless SSL VPN with PDAs 45
Using E-Mail over Clientless SSL VPN 45
Configuring E-mail Proxies 46
E-mail Proxy Certificate Authentication 46
Configuring Web E-mail: MS Outlook Web Access 47
Optimizing Clientless SSL VPN Performance 47
Configuring Caching 47
Configuring Content Transformation 48
Configuring a Certificate for Signing Rewritten Java Content 48
Disabling Content Rewrite 48
Using Proxy Bypass 49
Configuring Application Profile Customization Framework 49
APCF Syntax 50
APCF Example 51
Clientless SSL VPN End User Setup 52
Defining the End User Interface 53
Viewing the Clientless SSL VPN Home Page 54
Viewing the Clientless SSL VPN Application Access Panel 55
Viewing the Floating Toolbar 56
Customizing Clientless SSL VPN Pages 56
How Customization Works 57
Exporting a Customization Template 57
Editing the Customization Template 58
Applying Customizations to Connection Profiles, Group Policies and Users 64
Customizing Help 65
Customizing a Help File Provided By Cisco 66
Creating Help Files for Languages Not Provided by Cisco 66
Importing a Help File to Flash Memory 67
Exporting a Previously Imported Help File from Flash Memory 67
Requiring Usernames and Passwords 67
Communicating Security Tips 68
Configuring Remote Systems to Use Clientless SSL VPN Features 68
Translating the Language of User Messages 73
Understanding Language Translation 74
Creating Translation Tables 75
Referencing the Language in a Customization Object 76
Changing a Group Policy or User Attributes to Use the Customization Object 78
Capturing Data 78
Creating a Capture File 78
Using a Browser to Display Capture Data 79
C H A P T E R 38 Configuring AnyConnect VPN Client Connections 1
Installing the AnyConnect SSL VPN Client 2
Remote PC System Requirements 2
Installing the AnyConnect Client 2
Enabling AnyConnect Client Connections 3
Enabling Permanent Client Installation 5
Configuring DTLS 5
Ensuring Reliable DTLS Connections Through Third-Party Firewalls 6
Prompting Remote Users 6
Enabling AnyConnect Client Profile Downloads 7
Enabling Additional AnyConnect Client Features 9
Enabling Start Before Logon 10
Translating Languages for AnyConnect User Messages 10
Understanding Language Translation 11
Creating Translation Tables 11
Configuring Advanced SSL VPN Features 13
Enabling Rekey 13
Enabling and Adjusting Dead Peer Detection 13
Enabling Keepalive 14
Using Compression 15
Adjusting MTU Size 15
Viewing SSL VPN Sessions 16
Logging Off SVC Sessions 16
Updating SSL VPN Client Images 17
C H A P T E R 39 Configuring Certificates 1
Public Key Cryptography 1
About Public Key Cryptography 1
Preparing for Certificates 5
Configuring Key Pairs 6
Generating Key Pairs 6
Removing Key Pairs 7
Configuring Trustpoints 7
Obtaining Certificates 9
Obtaining Certificates with SCEP 9
Obtaining Certificates Manually 11
Configuring CRLs for a Trustpoint 13
Exporting and Importing Trustpoints 14
Exporting a Trustpoint Configuration 15
Importing a Trustpoint Configuration 15
Configuring CA Certificate Map Rules 15
The Local CA 16
Configuring the Local CA Server 17
The Default Local CA Server 17
Customizing the Local CA Server 19
Certificate Characteristics 20
Defining Storage for Local CA Files 22
Default Flash Memory Data Storage 22
Setting up External Local CA File Storage 23
CRL Storage 23
Enrolling Local CA Users 24
Setting Up Enrollment Parameters 25
Enrollment Requirements 26
Starting and Stopping the Local CA Server 27
Enabling the Local CA Server 27
Debugging the Local CA Server 28
Disabling the Local CA Server 28
Managing the Local CA User Database 28
Adding and Enrolling Users 29
Renewing Users 30
Revoking Certificates and Removing or Restoring Users 30
Revocation Checking 31
Displaying Local CA Server Information 31
Display Local CA Configuration 31
Display Certificate Database 31
Display the Local CA Certificate 32
Display the CRL 32
Display the User Database 33
Local CA Server Maintenance and Backup Procedures 34
Maintaining the Local CA User Database 34
Maintaining the Local CA Certificate Database 34
Local CA Certificate Rollover 35
Archiving the Local CA Server Certificate and Keypair 35
Deleting the Local CA Server 35
P A R T 4 System Administration
C H A P T E R 40 Managing System Access 1
Allowing Telnet Access 1
Accessing ASDM from Your PC 4
Managing the Security Appliance on a Different Interface from the VPN Tunnel Termination Interface 5
Configuring AAA for System Administrators 5
Configuring Authentication for CLI and ASDM Access 5
Configuring Authentication To Access Privileged EXEC Mode (the enable Command) 6
Configuring Authentication for the enable Command 6
Authenticating Users Using the Login Command 7
Limiting User CLI and ASDM Access with Management Authorization 7
Configuring Command Authorization 8
Command Authorization Overview 9
Configuring Local Command Authorization 11
Configuring TACACS+ Command Authorization 14
Configuring Command Accounting 18
Viewing the Current Logged-In User 18
Recovering from a Lockout 19
Configuring a Login Banner 20
C H A P T E R 41 Managing Software, Licenses, and Configurations 1
Managing Licenses 1
Obtaining an Activation Key 1
Entering a New Activation Key 2
Viewing Files in Flash Memory 2
Downloading Software or Configuration Files to Flash Memory 3
Downloading a File to a Specific Location 3
Downloading a File to the Startup or Running Configuration 4
Configuring the Application Image and ASDM Image to Boot 5
Configuring the File to Boot as the Startup Configuration 6
Performing Zero Downtime Upgrades for Failover Pairs 6
Upgrading an Active/Standby Failover Configuration 7
Upgrading an Active/Active Failover Configuration 7
Backing Up Configuration Files 8
Backing up the Single Mode Configuration or Multiple Mode System Configuration 8
Backing Up a Context Configuration in Flash Memory 9
Backing Up a Context Configuration within a Context 9
Copying the Configuration from the Terminal Display 9
Backing Up Additional Files Using the Export and Import Commands 9
Using a Script to Back Up and Restore Files 10
Prerequisites 10
Running the Script 11
Sample Script 11
Configuring Auto Update Support 19
Configuring Communication with an Auto Update Server 20
Configuring Client Updates as an Auto Update Server
C H A P T E R 42 Monitoring the Security Appliance 1
Logging in Multiple Context Mode 5
Enabling and Disabling Logging 6
Enabling Logging to All Configured Output Destinations 6
Disabling Logging to All Configured Output Destinations 6
Viewing the Log Configuration 6
Configuring Log Output Destinations 7
Sending System Log Messages to a Syslog Server 7
Sending System Log Messages to the Console Port 8
Sending System Log Messages to an E-mail Address 9
Sending System Log Messages to ASDM 10
Sending System Log Messages to a Telnet or SSH Session 12
Sending System Log Messages to the Log Buffer 13
Filtering System Log Messages 15
Message Filtering Overview 15
Filtering System Log Messages by Class 16
Filtering System Log Messages with Custom Message Lists 18
Customizing the Log Configuration 19
Configuring the Logging Queue 19
Including the Date and Time in System Log Messages 20
Including the Device ID in System Log Messages 20
Generating System Log Messages in EMBLEM Format 21
Disabling a System Log Message 21
Changing the Severity Level of a System Log Message 22
Changing the Amount of Internal Flash Memory Available for Logs 23
Understanding System Log Messages 24
System Log Message Format 24
Severity Levels 24
C H A P T E R 43 Troubleshooting the Security Appliance 1
Testing Your Configuration 1
Enabling ICMP Debug Messages and System Log Messages 1
Pinging Security Appliance Interfaces 2
Pinging Through the Security Appliance 4
Disabling the Test Configuration 5
Traceroute 6
Packet Tracer 6
Reloading the Security Appliance 6
Performing Password Recovery 6
Recovering Passwords for the ASA 5500 Series Adaptive Security Appliance 7
Recovering Passwords for the PIX 500 Series Security Appliance 8
Disabling Password Recovery 9
Resetting the Password on the SSM Hardware Module 10
Using the ROM Monitor to Load a Software Image 10
Erasing the Flash File System 12
Other Troubleshooting Tools 12
Viewing Debug Messages 12
Capturing Packets 12
Viewing the Crash Dump 13
Common Problems 13
A P P E N D I X A Feature Licenses and Specifications 1
Supported Platforms and Feature Licenses 1
Security Services Module Support 10
VPN Specifications 10
Cisco VPN Client Support 11
Cisco Secure Desktop Support 11
Site-to-Site VPN Compatibility 11
Cryptographic Standards 12
A P P E N D I X B Sample Configurations 1
Example 1: Multiple Mode Firewall With Outside Access 1
System Configuration for Example 1 3
Admin Context Configuration for Example 1 4
Customer A Context Configuration for Example 1 4
Customer B Context Configuration for Example 1 5
Customer C Context Configuration for Example 1 5
Example 2: Single Mode Firewall Using Same Security Level 6
Example 3: Shared Resources for Multiple Contexts 8
Admin Context Configuration for Example 3 10
Department 1 Context Configuration for Example 3 11
Department 2 Context Configuration for Example 3 12
Example 4: Multiple Mode, Transparent Firewall with Outside Access 13
System Configuration for Example 4 14
Admin Context Configuration for Example 4 15
Customer A Context Configuration for Example 4 15
Customer B Context Configuration for Example 4 16
Customer C Context Configuration for Example 4 16
Example 5: Single Mode, Transparent Firewall with NAT 17
Example 6: IPv6 Configuration 18
Example 7: Dual ISP Support Using Static Route Tracking 19
Example 8: Multicast Routing 20
For PIM Sparse Mode 21
For PIM bidir Mode 22
Example 9: LAN-Based Active/Standby Failover (Routed Mode) 23
Primary Unit Configuration for Example 9 23
Secondary Unit Configuration for Example 9 24
Example 10: LAN-Based Active/Active Failover (Routed Mode) 24
Primary Unit Configuration for Example 10 25
Primary System Configuration for Example 10 25
Primary admin Context Configuration for Example 10 26
Primary ctx1 Context Configuration for Example 10 27
Secondary Unit Configuration for Example 10 27
Example 11: LAN-Based Active/Standby Failover (Transparent Mode) 28
Primary Unit Configuration for Example 11 28
Secondary Unit Configuration for Example 11 29
Example 12: LAN-Based Active/Active Failover (Transparent Mode) 30
Primary Unit Configuration for Example 12 30
Primary System Configuration for Example 12 31
Primary admin Context Configuration for Example 12 31
Primary ctx1 Context Configuration for Example 12 32
Secondary Unit Configuration for Example 12 32
Example 13: Cable-Based Active/Standby Failover (Routed Mode) 33
Example 14: Cable-Based Active/Standby Failover (Transparent Mode) 34
Example 15: ASA 5505 Base License 35
Example 16: ASA 5505 Security Plus License with Failover and Dual-ISP Backup 37
Primary Unit Configuration for Example 16 37
Secondary Unit Configuration for Example 16 39
Example 17: AIP SSM in Multiple Context Mode 40
System Configuration for Example 17 40
Context 1 Configuration for Example 17 41
Context 2 Configuration for Example 17 42
Context 3 Configuration for Example 17 42
A P P E N D I X C Using the Command-Line Interface 1
Firewall Mode and Security Context Mode 1
Command Modes and Prompts 2
Filtering show Command Output 4
Command Output Paging 5
Adding Comments 6
Text Configuration Files 6
How Commands Correspond with Lines in the Text File 6
Command-Specific Configuration Mode Commands 6
Automatic Text Entries 7
Line Order 7
Commands Not Included in the Text Configuration 7
Passwords 7
Multiple Security Context Files 7
A P P E N D I X D Addresses, Protocols, and Ports 1
IPv4 Addresses and Subnet Masks 1
Classes 1
Private Networks 2
Subnet Masks 2
Determining the Subnet Mask 3
Determining the Address to Use with the Subnet Mask 3
IPv6 Addresses 5
IPv6 Address Format 5
IPv6 Address Types 6
Multicast Address 8
Anycast Address 9
Required Addresses 10
IPv6 Address Prefixes 10
Protocols and Applications 11
TCP and UDP Ports 11
Local Ports and Protocols 14
ICMP Types 15
A P P E N D I X E Configuring an External Server for Authorization and Authentication 1
Selecting LDAP, RADIUS, or Local Authentication and Authorization 1
Understanding Policy Enforcement of Permissions and Attributes 2
Configuring an External LDAP Server 2
Reviewing the LDAP Directory Structure and Configuration Procedure 3
Organizing the Security Appliance LDAP Schema 3
Searching the Hierarchy 4
Binding the Security Appliance to the LDAP Server 5
Defining the Security Appliance LDAP Schema 5
Cisco-AV-Pair Attribute Syntax 13
Example Security Appliance Authorization Schema 15
Loading the Schema in the LDAP Server 17
Defining User Permissions 17
Example User File 18
Reviewing Examples of Active Directory Configurations 18
Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) 18
Example 2: Configuring LDAP Authentication with Microsoft Active Directory 20
Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory 22
Configuring an External RADIUS Server 24
Reviewing the RADIUS Configuration Procedure 24
Security Appliance RADIUS Authorization Attributes 25
Configuring an External RADIUS Server 33
Reviewing the RADIUS Configuration Procedure 33
Security Appliance RADIUS Authorization Attributes 34
Security Appliance TACACS+ Attributes 40
A P P E N D I X A Configuring the Security Appliance for Use with MARS 1
Taskflow for Configuring MARS to Monitor Security Appliances 1
Enabling Administrative Access to MARS on the Security Appliance 2
Adding a Security Appliance to Monitor 3
Adding Security Contexts 4
Adding Discovered Contexts 5
Editing Discovered Contexts 5
Setting the Logging Severity Level for System Log Messages 5
System Log Messages That Are Processed by MARS 5
Configuring Specific Features 8
G L O S S A R Y
I N D E X
About This Guide
This preface introduces the Cisco Security Appliance Command Line Configuration Guide, and includes
the following sections:
• Document Objectives, page 39
• Audience, page 39
• Related Documentation, page 40
• Document Organization, page 40
• Document Conventions, page 43
• Obtaining Documentation, Obtaining Support, and Security Guidelines, page 43
Document Objectives
The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
You can also configure and monitor the security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see:
http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html
This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550). Throughout this guide, the term “security appliance” applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not supported.
Audience
This guide is for network managers who perform any of the following tasks:
• Manage network security
• Install and configure firewalls/security appliances
• Configure VPNs
• Configure intrusion detection software
Related Documentation
For more information, refer to the following documentation:
• Documentation Roadmap for the Cisco ASA 5500 Series
• Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
• Cisco ASA 5500 Series Release Notes
• Cisco ASDM Release Notes
• Cisco PIX Security Appliance Release Notes
• Cisco Security Appliance Command Reference
• Cisco Security Appliance Logging Configuration and System Log Messages
• Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
• Migrating to ASA for VPN 3000 Series Concentrator Administrators
• Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
Document Organization
This guide includes the chapters and appendixes described in Table 1.
Table 1 Document Organization
Chapter/Appendix: Definition
Part 1: Getting Started and General Information
Chapter 1, “Introduction to the Security Appliance”: Provides a high-level overview of the security appliance.
Chapter 2, “Getting Started”: Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.
Chapter 3, “Enabling Multiple Context Mode”: Describes how to use security contexts and enable multiple context mode.
Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance”: Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive security appliance.
Chapter 5, “Configuring Ethernet Settings, Redundant Interfaces, and Subinterfaces”: Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.
Chapter 6, “Adding and Managing Security Contexts”: Describes how to configure multiple security contexts on the security appliance.