Cisco ASA Series Firewall ASDM Configuration Guide
Software Version 7.1
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module
Released: December 3, 2012
Updated: March 31, 2014
Cisco Systems, Inc. www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

About This Guide 21
  Document Objectives 21
  Related Documentation 21
  Conventions 22
  Obtaining Documentation and Submitting a Service Request 22

PART 1 Configuring Service Policies

CHAPTER 1 Configuring a Service Policy 1-1
  Information About Service Policies 1-1
    Supported Features 1-1
    Feature Directionality 1-2
    Feature Matching Within a Service Policy 1-3
    Order in Which Multiple Feature Actions are Applied
    Incompatibility of Certain Feature Actions 1-5
    Feature Matching for Multiple Serv

CHAPTER 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) (partial)
  Defining Actions in an Inspection Policy Map 2-3
  Identifying Traffic in an Inspection Class Map 2-3
  Where to Go Next 2-4
  Feature History for Inspection Policy Maps 2-4

PART 2 Configuring Network Address Translation

CHAPTER 3 Information About NAT (ASA 8.3 and Later)

CHAPTER 4 Configuring Network Object NAT (ASA 8.

CHAPTER 5 Configuring Twice NAT (ASA 8.3 and Later) (partial)
  Monitoring Twice NAT 5-29
  Configuration Examples for Twice NAT 5-30
    Different Translation Depending on the Destination (Dynamic PAT) 5-30
    Different Translation Depending on the Destination Address and Port (Dynamic PAT)
  Feature History for Twice NAT 5-48

CHAPTER 6 Configuring NAT (ASA 8.

Chapter 7 (partial)
  Default Settings 7-7
  Configuring Access Rules 7-8
    Adding an Access Rule 7-8
    Adding an EtherType Rule (Transparent Mode Only) 7-9
    Configuring Management Access Rules 7-10
    Advanced Access Rule Configuration 7-11
    Configuring HTTP Redirect 7-12
  Feature History for Access Rules 7-14

CHAPTER 8 Configuring AAA Rules for Network Access 8-1
  AAA Performance 8-1
  Licensing Requirements for AAA Rules 8-1
  Guidelines and Limitations 8-2
  Configuring Authentication for Network Access 8-2
    Information Abo

CHAPTER 10 Getting Started with Application Layer Protocol Inspection 10-1
  Information about Application Layer Protocol Inspection 10-1
    How Inspection Engines Work 10-1
    When to Use Application Protocol Inspection 10-2
  Default Settings and NAT Limitations 10-3
  Guidelines and Limitations 10-4
  Configuring Application Layer Protocol Inspection 10-7

CHAPTER 11 Configuring Inspection of Basic Internet Protocols 11-1
  DNS Inspection 11-1
    Information About DNS Inspection 11-2
    Default Settings

  ICMP Inspection 11-39
  ICMP Error Inspection 11-39
  Instant Messaging Inspection 11-39
    IM Inspection Overview 11-40
    Adding a Class Map for IM Inspection 11-40
    Select IM Map 11-41
  IP Options Inspection 11-41
    IP Options Inspection Overview 11-41
    Configuring IP Options Inspection 11-42
    Select IP Options Inspect Map 11-43
    IP Options Inspect Map 11-44
    Add/Edit IP Options Inspect Map 11-44
  IPsec Pass Through Inspection 11-45
    IPsec Pass Through Inspection Overview 11-45
    Select IPsec-Pass-Thru Map 11-

CHAPTER 12 Configuring Inspection for Voice and Video Protocols
  CTIQBE Inspection 12-1
    CTIQBE Inspection Overview 12-1
    Limitations and Restrictions 12-2
  H.323 Inspection 12-2
    H.323 Inspection Overview 12-3
    How H.323 Works 12-3
    H.239 Support in H.245 Messages 12-4
    Limitations and Restrictions 12-4
    Select H.323 Map 12-5
    H.323 Class Map 12-5
    Add/Edit H.323 Traffic Class Map 12-6
    Add/Edit H.323 Match Criterion 12-6
    H.323 Inspect Map 12-7
    Phone Number Filtering 12-8
    Add/Edit H.

    SIP Class Map 12-23
    Add/Edit SIP Traffic Class Map 12-24
    Add/Edit SIP Match Criterion 12-24
    SIP Inspect Map 12-26
    Add/Edit SIP Policy Map (Security Level) 12-27
    Add/Edit SIP Policy Map (Details) 12-28
    Add/Edit SIP Inspect 12-30
  Skinny (SCCP) Inspection 12-32
    SCCP Inspection Overview 12-32
    Supporting Cisco IP Phones 12-33
    Restrictions and Limitations 12-33
    Select SCCP (Skinny) Map 12-34
    SCCP (Skinny) Inspect Map 12-34
    Message ID Filtering 12-35
    Add/Edit SCCP (Skinny) Policy Map (Security Level) 12-

Chapter 14 (partial)
    Add/Edit GTP Map 14-9
  RADIUS Accounting Inspection 14-10
    RADIUS Accounting Inspection Overview 14-11
    Select RADIUS Accounting Map 14-11
    Add RADIUS Accounting Policy Map 14-11
    RADIUS Inspect Map 14-12
    RADIUS Inspect Map Host 14-12
    RADIUS Inspect Map Other 14-13
  RSH Inspection 14-13
  SNMP Inspection 14-13
    SNMP Inspection Overview 14-14
    Select SNMP Map 14-14
    SNMP Inspect Map 14-14
  XDMCP Inspection 14-15

PART 5 Configuring Unified Communications

CHAPTER 15 Information About Cisco Unified Co

Chapter 16 (partial)
  Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy 16-15
  Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy 16-15
  Configuring the UC-IME by using the Unified Communication Wizard 16-16
    Configuring the Topology for the Cisco Intercompany Media Engine Proxy 16-17
    Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy 16-18
    Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy 16-20
    Configur

Chapter 17 (partial)
    Adding or Editing a Record Entry in a CTL File 17-16
    Creating the Media Termination Instance 17-17
    Creating the Phone Proxy Instance 17-18
    Adding or Editing the TFTP Server for a Phone Proxy 17-20
  Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
  Feature History for the Phone Proxy 17-22

CHAPTER 18 Configuring the TLS Proxy for Encrypted Voice Inspection 18-1
  Information about the TLS Proxy for Encrypted Voice Inspection 18-1
    Decryption and Inspection of Unified Commun

Chapter 20 (partial)
  Architecture for Cisco Unified Presence for SIP Federation Deployments 20-1
    Trust Relationship in the Presence Federation 20-4
    Security Certificate Exchange Between Cisco UP and the Security Appliance 20-5
    XMPP Federation Deployments 20-5
    Configuration Requirements for XMPP Federation 20-6
  Licensing for Cisco Unified Presence 20-7
  Configuring Cisco Unified Presence Proxy for SIP Federation 20-8
    Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
  Feature History f

CHAPTER 22 Configuring Connection Settings 22-1
  Information About Connection Settings 22-1
    TCP Intercept and Limiting Embryonic Connections 22-2
    Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 22-2
    Dead Connection Detection (DCD) 22-2
    TCP Sequence Randomization 22-3
    TCP Normalization 22-3
    TCP State Bypass 22-3
  Licensing Requirements for Connection Settings 22-4
  Guidelines and Limitations 22-5
  Default Settings 22-5
  Configuring Connection Settings 22-6
    Task F

Chapter 23 (partial)
  Viewing QoS Standard Priority Queue Statistics 23-13
  Feature History for QoS 23-14

CHAPTER 24 Troubleshooting Connections and Resources 24-1
  Testing Your Configuration 24-1
    Pinging ASA Interfaces 24-1
    Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping
    Determining Packet Routing with Traceroute 24-6
    Tracing Packets with Packet Tracer 24-7
  Monitoring Performance 24-8
  Monitoring System Resources 24-9
    Blocks 24-9
    CPU 24-10
    Memory 24-10
  Monitoring Connections 24-11

Chapter 25 (partial)
    (Optional) Configuring the User Identity Monitor 25-25
    Configuring the Cloud Web Security Policy 25-26
  Monitoring Cloud Web Security 25-26
  Related Documents 25-27
  Feature History for Cisco Cloud Web Security 25-27

CHAPTER 26 Configuring the Botnet Traffic Filter 26-1
  Information About the Botnet Traffic Filter 26-1
    Botnet Traffic Filter Address Types 26-2
    Botnet Traffic Filter Actions for Known Addresses
    Botnet Traffic Filter Databases
    How the Botnet Traffic Filter Works 26-5
  Licensi

Chapter 27 (partial)
    Monitoring Basic Threat Detection Statistics 27-4
    Feature History for Basic Threat Detection Statistics 27-5
  Configuring Advanced Threat Detection Statistics 27-5
    Information About Advanced Threat Detection Statistics 27-5
    Guidelines and Limitations 27-5
    Default Settings 27-6
    Configuring Advanced Threat Detection Statistics 27-6
    Monitoring Advanced Threat Detection Statistics 27-7
    Feature History for Advanced Threat Detection Statistics 27-8
  Configuring Scanning Threat Detection 27-8
    Information

Chapter 29 (partial)
  Feature History for URL Filtering 29-12

PART 8 Configuring Modules

CHAPTER 30 Configuring the ASA CX Module 30-1
  Information About the ASA CX Module 30-1
    How the ASA CX Module Works with the ASA 30-2
    Monitor-Only Mode 30-3
    Information About ASA CX Management 30-4
    Information About Authentication Proxy 30-5
    Information About VPN and the ASA CX Module 30-5
    Compatibility with ASA Features 30-5
  Licensing Requirements for the ASA CX Module 30-6
  Prerequisites 30-6
  Guidelines and Limitations

  Feature History for the ASA CX Module 30-33

CHAPTER 31 Configuring the ASA IPS Module 31-1
  Information About the ASA IPS Module 31-1
    How the ASA IPS Module Works with the ASA 31-2
    Operating Modes 31-3
    Using Virtual Sensors (ASA 5510 and Higher) 31-3
    Information About Management Access 31-4
  Licensing Requirements for the ASA IPS module 31-5
  Guidelines and Limitations 31-5
  Default Settings 31-6
  Configuring the ASA IPS module 31-7
    Task Flow for the ASA IPS Module 31-7
    Connecting the ASA IPS

Chapter 32 (partial)
    Connecting to the CSC SSM 32-8
    Determining Service Policy Rule Actions for CSC Scanning
  CSC SSM Setup Wizard 32-10
    Activation/License 32-11
    IP Configuration 32-11
    Host/Notification Settings 32-12
    Management Access Host/Networks 32-13
    Password 32-13
    Restoring the Default Password 32-14
    Wizard Setup 32-15
  Using the CSC SSM GUI 32-20
    Web 32-20
    Mail 32-21
      SMTP Tab 32-21
      POP3 Tab 32-22
    File Transfer 32-22
    Updates 32-23
  Monitoring the CSC SSM 32-24
    Threats 32-24
    Live Security Events 32-25
    Live Security
About This Guide This preface introduces Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections: • Document Objectives, page 3 • Related Documentation, page 3 • Conventions, page 4 • Obtaining Documentation and Submitting a Service Request, page 4 Document Objectives The purpose of this guide is to help you configure the firewall features for ASA using ASDM. This guide does not cover every feature, but describes only the most common configuration scenarios.
Conventions
This document uses the following conventions:
  bold font: Commands and keywords and user-entered text appear in bold font.
  italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
  [ ]: Elements in square brackets are optional.
  {x | y | z }: Required alternative keywords are grouped in braces and separated by vertical bars.
PART 1 Configuring Service Policies
CH AP TE R 1 Configuring a Service Policy Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple service policy rules applied to an interface or applied globally.
Chapter 1 Configuring a Service Policy
Information About Service Policies

Table 1-1 Service Policy Rule Features
  Feature: Application inspection (multiple types)
    For Through Traffic? All except RADIUS accounting
    For Management Traffic? RADIUS accounting only
    See:
      • Chapter 10, “Getting Started with Application Layer Protocol Inspection.”
      • Chapter 11, “Configuring Inspection of Basic Internet Protocols.”
      • Chapter 12, “Configuring Inspection for Voice and Video Protocols.”
Chapter 1 Configuring a Service Policy Information About Service Policies Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
Chapter 1 Configuring a Service Policy Information About Service Policies For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied. If a packet matches a rule for HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule's actions are not applied: only the first matching rule for a given feature type takes effect.
Chapter 1 Configuring a Service Policy
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list may not include all incompatibilities; for information about compatibility of each feature, see the chapter or section for your feature:
• You cannot configure QoS priority queueing and QoS policing for the same set of traffic.
Chapter 1 Configuring a Service Policy
Licensing Requirements for Service Policies
  Model: All models
  License Requirement: Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Chapter 1 Configuring a Service Policy Default Settings • You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy. • When you make service policy changes to the configuration, all new connections use the new service policy. Existing connections continue to use the policy that was configured at the time of the connection establishment.
Chapter 1 Configuring a Service Policy
• IP Options
Default Traffic Classes
The configuration includes a default traffic class that the ASA uses in the default global policy called Default Inspection Traffic; it matches the default inspection traffic. This class, which is used in the default global policy, is a special shortcut to match the default ports for all inspections.
Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic
Note When you click the Add button, and not the small arrow on the right of the Add button, you add a through traffic rule by default. If you click the arrow on the Add button, you can choose between a through traffic rule and a management traffic rule.
Step 2 In the Create a Service Policy and Apply To area, click one of the following options: • Interface.
Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic • Global - applies to all interfaces. This option applies the service policy globally to all interfaces. By default, a global policy exists that includes a service policy rule for default application inspection. See the “Default Settings” section on page 1-7 for more information. You can add a rule to the global policy using the wizard. a. If it is a new service policy, enter a name in the Policy Name field. b.
Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic – TCP or UDP Destination Port—The class matches a single port or a contiguous range of ports. Tip For applications that use multiple, non-contiguous ports, use the Source and Destination IP Address (uses ACL) to match each port. – RTP Range—The class map matches RTP traffic. – IP DiffServ CodePoints (DSCP)—The class matches up to eight DSCP values in the IP header.
Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Through Traffic Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Enter any to specify any source address. Separate multiple addresses by a comma. c. In the Destination field, enter the destination IP address, or click the ... button to choose an IP address that you already defined in ASDM.
Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Management Traffic Add additional values as desired, or remove them using the Remove button. Step 7 Click Next. The Add Service Policy Rule - Rule Actions dialog box appears. Step 8 Configure one or more rule actions. See the “Supported Features” section on page 1-1 for a list of features. Step 9 Click Finish.
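The CLI that the wizard generates in the background, as an added example (this is not configuration from the guide): the default global policy with its Default Inspection Traffic class, plus an interface policy on outside whose class uses an extended ACL to match two non-contiguous ports (the Tip above) and applies connection limits to that application only. The host 10.1.1.10, the ports, the source address in the packet-tracer line and the policy and ACL names are assumptions.

```cisco
! Default global policy as shipped (only a subset of the default inspections shown)
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
service-policy global_policy global
!
! Interface policy: the application listens on two non-contiguous ports,
! so the class matches an extended ACL instead of a single port or range.
! 8.3 and later: ACLs referenced by a service policy name the REAL address.
access-list WEB_APP_PORTS extended permit tcp any host 10.1.1.10 eq 8080
access-list WEB_APP_PORTS extended permit tcp any host 10.1.1.10 eq 8443
class-map WEB_APP
 match access-list WEB_APP_PORTS
!
policy-map OUTSIDE_POLICY
 class WEB_APP
! Connection limits and a shorter idle timeout for this application only
  set connection conn-max 1000 embryonic-conn-max 200 per-client-embryonic-max 20
  set connection timeout idle 0:10:00
service-policy OUTSIDE_POLICY interface outside
!
! Verification: which policy and class a flow hits, and the live counters.
! If 10.1.1.10 is translated, give packet-tracer the mapped address instead.
show service-policy interface outside
packet-tracer input outside tcp 198.51.100.20 40000 10.1.1.10 8443
```

Because the interface policy is evaluated before the global policy and only the first matching class per feature type is applied, the connection limits in OUTSIDE_POLICY do not prevent the global policy's inspections from also applying to the same flow: inspection and connection limits are different feature types.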
Chapter 1 Configuring a Service Policy Adding a Service Policy Rule for Management Traffic Identify the traffic using one of several criteria: – Source and Destination IP Address (uses ACL)—The class matches traffic specified by an extended ACL. If the ASA is operating in transparent firewall mode, you can use an EtherType ACL. Note When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially.
Chapter 1 Configuring a Service Policy Managing the Order of Service Policy Rules Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Enter any to specify any destination address. Separate multiple addresses by a comma. d. In the Service field, enter an IP service name or number for the destination service, or click the ... button to choose a service.
Chapter 1 Configuring a Service Policy Managing the Order of Service Policy Rules • If the packet matches a subsequent rule for a different feature type, however, then the ASA also applies the actions for the subsequent rule. For example, if a packet matches a rule for connection limits, and also matches a rule for application inspection, then both rule actions are applied.
Chapter 1 Configuring a Service Policy
Feature History for Service Policies
Table 1-3 lists the release history for this feature.

Table 1-3 Feature History for Service Policies
  Feature Name | Releases | Feature Information
  Modular Policy Framework | 7.0(1) | Modular Policy Framework was introduced.
  Management class map for use with RADIUS accounting traffic | 7.2(1) | The management class map was introduced for use with RADIUS accounting traffic.
CH AP TE R 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the service policy, you can also optionally enable actions as defined in an inspection policy map.
Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Guidelines and Limitations policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches. Note: Not all inspections support inspection class maps. • Parameters—Parameters affect the behavior of the inspection engine.
Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) Defining Actions in an Inspection Policy Map Note There are other default inspection policy maps such as _default_esmtp_map. For example, an ESMTP inspection rule implicitly uses the policy map “_default_esmtp_map.” Defining Actions in an Inspection Policy Map When you enable an inspection engine in the service policy, you can also optionally enable actions as defined in an inspection policy map.
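An inspection class map, an inspection policy map that uses it, and the service-policy line that attaches the map to an inspection, as an added example (not configuration from the guide). It shows the three pieces the chapter describes: a reusable class map with match criteria but no actions, a policy map with parameters plus a per-class action, and the inspect command that names the map instead of taking the implicit default map. The map names and the choice of HTTP methods are assumptions.

```cisco
! Inspection class map: reusable match criteria, no actions of its own
class-map type inspect http match-any HTTP_WRITE_METHODS
 match request method put
 match request method delete
!
! Inspection policy map: engine parameters plus an action per class
policy-map type inspect http HTTP_STRICT
 parameters
! Malformed HTTP is dropped and logged rather than passed through
  protocol-violation action drop-connection log
 class HTTP_WRITE_METHODS
  drop-connection log
!
! Attach the map to HTTP inspection in the global policy. Without a map
! name, the inspection would use its implicit default policy map.
policy-map global_policy
 class inspection_default
  inspect http HTTP_STRICT
!
! Verification: per-map statistics and drop counters
show service-policy inspect http
```

The class-map version cannot express "drop PUT but only reset DELETE"; if you need different actions for different matches, put each match directly in the policy map with its own action, which is the trade-off the text above describes.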
Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Step 4 Follow the instructions for your inspection type in the inspection chapter.
Where to Go Next
To use an inspection policy, see Chapter 1, “Configuring a Service Policy.”
Feature History for Inspection Policy Maps
Table 2-1 lists the release history for this feature.

Table 2-1 Feature History for Inspection Policy Maps
  Feature Name | Releases | Feature Information
  Inspection policy maps | 7.
PART 2 Configuring Network Address Translation
CH AP TE R 3 Information About NAT (ASA 8.3 and Later) This chapter provides an overview of how Network Address Translation (NAT) works on the ASA.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Terminology One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types NAT Types • NAT Types Overview, page 3-3 • Static NAT, page 3-3 • Dynamic NAT, page 3-8 • Dynamic PAT, page 3-10 • Identity NAT, page 3-12 NAT Types Overview You can implement NAT using the following methods: • Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation. See the “Static NAT” section on page 3-3.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections.
Figure 3-1 Static NAT (figure not reproduced; it shows the inside hosts 10.1.1.1 and 10.1.1.2 mapped through the security appliance to 209.165.201.1 and 209.165.201.2 on the outside)
Note You can disable bidirectionality if desired.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Note For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports. Static NAT with Identity Port Translation The following static NAT with port translation example provides a single address for remote users to access FTP, HTTP, and SMTP.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Static Interface NAT with Port Translation You can configure static NAT to map a real address to an interface address/port combination. For example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you can map the inside host IP address/port 23 to the ASA interface address/port 23.
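Both patterns above in object NAT syntax, as an added example (not configuration from the guide): one public address fronting FTP, HTTP and SMTP on three different inside servers, and Telnet to the outside interface address redirected to an inside host. The real addresses, the mapped address 209.165.201.3, the source address in the packet-tracer line and the object and ACL names are assumptions.

```cisco
! One mapped address, three inside servers, one service each
object network FTP_SERVER
 host 10.1.2.27
 nat (inside,outside) static 209.165.201.3 service tcp ftp ftp
object network HTTP_SERVER
 host 10.1.2.28
 nat (inside,outside) static 209.165.201.3 service tcp http http
object network SMTP_SERVER
 host 10.1.2.29
 nat (inside,outside) static 209.165.201.3 service tcp smtp smtp
!
! Telnet aimed at the outside interface address goes to an inside host
object network TELNET_HOST
 host 10.1.2.30
 nat (inside,outside) static interface service tcp telnet telnet
!
! NAT only creates the mapping; an access rule must still permit the
! traffic, and in 8.3 and later the rule names the REAL address/object.
access-list OUTSIDE_IN extended permit tcp any object FTP_SERVER eq ftp
access-list OUTSIDE_IN extended permit tcp any object HTTP_SERVER eq http
access-list OUTSIDE_IN extended permit tcp any object SMTP_SERVER eq smtp
access-list OUTSIDE_IN extended permit tcp any object TELNET_HOST eq telnet
access-group OUTSIDE_IN in interface outside
!
! Verification: the rule table with hit counts, and a simulated inbound
! FTP control connection to the mapped address
show nat detail
packet-tracer input outside tcp 198.51.100.5 33000 209.165.201.3 21
```

The FTP data channel needs no extra rule because FTP inspection in the default global policy translates the secondary ports, as the Note above says. Telnet is kept here only because it is the guide's example; exposing a cleartext login protocol on an Internet-facing interface is something to avoid in practice, and SSH to the same host would use the identical NAT form with port 22.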
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server (see Figure 3-5). (See the “Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)” section on page 4-29 for details on how to configure this example.)
Figure 3-5 One-to-Many Static NAT (figure not reproduced; it shows outside hosts connecting to the mapped addresses 209.165.201.3 through 209.165.201.5, each of which the ASA untranslates to the single load balancer at 10.1.2.27)
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Figure 3-6 shows a typical few-to-many static NAT scenario.
Figure 3-6 Few-to-Many Static NAT (figure not reproduced; it shows the two real hosts 10.1.2.27 and 10.1.2.28 alternating across the mapped addresses 209.165.201.3 through 209.165.201.7: 10.1.2.27 to .3, 10.1.2.28 to .4, 10.1.2.27 to .5, 10.1.2.28 to .6, 10.1.2.27 to .7)
For a many-to-few or many-to-one configuration, where you have more real addresses than mapped addresses, you run out of mapped addresses before you run out of real addresses.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Information About Dynamic NAT Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool typically includes fewer addresses than the real group. When a host you want to translate accesses the destination network, the ASA assigns the host an IP address from the mapped pool. The translation is created only when the real host initiates the connection.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the mapped address is assigned dynamically, such a connection is unlikely, but do not treat that unpredictability as a control: the access rule is what actually restricts inbound access to the translated host.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Types Figure 3-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
Figure 3-10 Dynamic PAT (figure not reproduced; it shows inside connections such as 10.1.1.1:1026 and 10.1.1.2:1025 all leaving with the single mapped address 209.165.201.1, distinguished only by the mapped ports 2020, 2021 and 2022)
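Dynamic NAT and dynamic PAT in object NAT syntax, as an added example (not configuration from the guide): one inside network draws from a pool of mapped addresses and falls back to PAT on the outside interface address when the pool is exhausted, while a second network uses interface PAT only. The networks, the pool range and the object names are assumptions.

```cisco
! Pool of mapped addresses; they must be routable on the outside network
object network OUTSIDE_POOL
 range 209.165.201.10 209.165.201.20
!
! Dynamic NAT from the pool. The trailing "interface" keyword means:
! once the 11 pool addresses are all in use, fall back to PAT on the
! outside interface address instead of dropping new connections.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic OUTSIDE_POOL interface
!
! Plain dynamic PAT on the interface address for a second network
object network LAB_NET
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verification: live translations and the rule table. An inbound
! connection to a dynamically mapped host only works while its xlate
! exists AND an access rule on outside permits it; the default inbound
! policy on outside denies it.
show xlate
show nat
```

The dynamic NAT entry for a host disappears when its last connection times out, which is why the Note above says inbound reachability is unpredictable; if a host must be reachable from outside, give it a static rule rather than relying on a dynamic one.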
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT in Routed and Transparent Mode Identity NAT You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT in Routed and Transparent Mode
NAT in Routed Mode
Figure 3-12 shows a typical NAT example in routed mode, with a private network on the inside.
Figure 3-12 NAT Example: Routed Mode (figure not reproduced; it shows the inside host 10.1.2.27, behind the ASA inside interface 10.1.2.1, reaching the web server www.cisco.com through the outside interface 209.165.201.2: the originating packet's source is translated from 10.1.2.27 to 209.165.201.10, and the responding packet's destination is untranslated from 209.165.201.10 back to 10.1.2.27)
1. When the inside host at 10.1.2.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT in Routed and Transparent Mode
Figure 3-13 NAT Example: Transparent Mode (figure not reproduced; the recoverable labels are: the ASA with management IP 10.1.1.1 between the Internet side, where 10.1.1.2 leads toward www.example.com, and the inside side with host 10.1.1.75 and the router 10.1.1.3 in front of Network 2 (192.168.1.1, host 192.168.1.2); a static route on the upstream router for 209.165.201.0/27 to 10.1.1.1; a static route on the ASA for 192.168.1.0/24 to 10.1.1.3; source address translation of 10.1.1.75 to 209.165.201.15 and of 192.168.1.2 to 209.165.201.10)
1. When the inside host at 10.1.1.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT and IPv6 NAT and IPv6 You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices: • NAT66 (IPv6-to-IPv6)—We recommend using static NAT. Although you can use dynamic NAT or PAT, IPv6 addresses are in such large supply, you do not have to use dynamic NAT.
Chapter 3 Information About NAT (ASA 8.3 and Later) How NAT is Implemented • How source and destination NAT is implemented. – Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination. – Twice NAT—A single rule translates both the source and destination.
Information About NAT (ASA 8.3 and Later) How NAT is Implemented Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition. To start configuring twice NAT, see Chapter 5, “Configuring Twice NAT (ASA 8.3 and Later).” Figure 3-14 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129.
Chapter 3 Information About NAT (ASA 8.3 and Later) How NAT is Implemented Figure 3-15 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130.
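The Figure 3-15 scenario as twice NAT, as an added example (not configuration from the guide): the same source network gets a different mapped address depending on both the destination host and the destination port, which network object NAT cannot express because its rules cannot be tied to a source/destination combination. The server address 209.165.201.11 and the mapped addresses come from the figures above; the object names and the packet-tracer source ports are assumptions.

```cisco
object network INSIDE_NET
 subnet 10.1.2.0 255.255.255.0
object network APP_SERVER
 host 209.165.201.11
object network MAPPED_FOR_WEB
 host 209.165.202.129
object network MAPPED_FOR_TELNET
 host 209.165.202.130
!
! With a dynamic (PAT) source translation the service object may only
! carry a destination port, so the real and mapped service are the same.
object service HTTP_DST
 service tcp destination eq 80
object service TELNET_DST
 service tcp destination eq 23
!
! Twice NAT: one rule per destination port. Both go into section 1 of the
! NAT table in the order configured, ahead of any object NAT rule.
nat (inside,outside) source dynamic INSIDE_NET MAPPED_FOR_WEB destination static APP_SERVER APP_SERVER service HTTP_DST HTTP_DST
nat (inside,outside) source dynamic INSIDE_NET MAPPED_FOR_TELNET destination static APP_SERVER APP_SERVER service TELNET_DST TELNET_DST
!
! Verification: same real host and server, different port, different
! mapped source. The NAT phase of the trace names the matching rule.
show nat detail
packet-tracer input inside tcp 10.1.2.27 40000 209.165.201.11 80
packet-tracer input inside tcp 10.1.2.27 40001 209.165.201.11 23
```

If 209.165.202.129 and .130 are not on the outside interface's own subnet, the upstream router needs a route for them back to the ASA; proxy ARP only answers for mapped addresses on the connected network (see the Routing NAT Packets section below).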
Information About NAT (ASA 8.3 and Later) How NAT is Implemented Figure 3-16 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT Rule Order NAT Rule Order Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. Table 3-1 shows the order of rules within each section.
Chapter 3 Information About NAT (ASA 8.3 and Later)
For section 2 rules, for example, you have the following IP addresses defined within network objects:
  192.168.1.0/24 (static)
  192.168.1.0/24 (dynamic)
  10.1.1.0/24 (static)
  192.168.1.1/32 (static)
  172.16.1.0/24 (dynamic) (object def)
  172.16.1.0/24 (dynamic) (object abc)
The resultant ordering would be:
  192.168.1.1/32 (static)
  10.1.1.0/24 (static)
  192.168.1.0/24 (static)
  172.16.1.0/24 (dynamic) (object abc)
  172.16.1.0/24 (dynamic) (object def)
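How the three sections of the NAT table are populated from the CLI, as an added example (not configuration from the guide): object NAT rules fill section 2 and are reordered by the ASA as described above regardless of the order you enter them, twice NAT rules go into section 1 in configured order (or at an explicit line), and after-auto places a twice NAT rule in section 3 as a catch-all. The object names, addresses and the VPN pool are assumptions.

```cisco
! Section 2 (object NAT). Whatever order these are entered in, the ASA
! evaluates them as: static before dynamic, fewer real addresses first,
! lower address first, then object name alphabetically.
object network NET_A
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network MAPPED_NET_B
 subnet 198.51.100.0 255.255.255.0
object network NET_B
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) static MAPPED_NET_B
object network HOST_A
 host 192.168.1.1
 nat (inside,outside) static 209.165.201.1
!
! Section 1 (twice NAT): evaluated before everything in section 2, in the
! order configured. An identity rule here exempts traffic to the VPN pool
! before the section 2 dynamic rule for NET_A could PAT it.
object network VPN_POOL
 subnet 10.3.3.0 255.255.255.0
nat (inside,outside) source static NET_A NET_A destination static VPN_POOL VPN_POOL
! A line number inserts a later rule at a chosen position in section 1
nat (inside,outside) 1 source static HOST_A HOST_A destination static VPN_POOL VPN_POOL
!
! Section 3 (after-auto): a catch-all that is only reached when no rule in
! sections 1 or 2 matched.
nat (inside,outside) after-auto source dynamic any interface
!
! The table in evaluation order, with translate/untranslate hit counts
show nat
```

Read show nat after every change: the number printed in front of each rule is its evaluation position, and the hit counters tell you whether a flow is taking the rule you expect or being caught by a broader one earlier in the table.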
Chapter 3 Information About NAT (ASA 8.3 and Later) Routing NAT Packets Routing NAT Packets The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to determine the egress interface for any packets it receives destined for mapped addresses.
Chapter 3 Information About NAT (ASA 8.3 and Later) Routing NAT Packets (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. Note: You can also disable proxy ARP for regular static NAT if desired, in which case you need to be sure to have proper routes on the upstream router.
Chapter 3 Information About NAT (ASA 8.3 and Later) Routing NAT Packets
Figure 3-19 Proxy ARP and Virtual Telnet (figure not reproduced; it shows the Virtual Telnet address 209.165.200.230, which has identity NAT between inside and outside with proxy ARP, and a server at 209.165.201.11 on the outside; the three steps are: 1 Telnet to 209.165.200.230, 2 Authenticate, 3 Communicate with the server)
Transparent Mode Routing Requirements for Remote Networks
When you use NAT in transparent mode, some types of traffic require static routes. See the “MAC Address vs.
Chapter 3 Information About NAT (ASA 8.3 and Later)
Figure 3-20 Routed Mode Egress Interface Selection (figure not reproduced; it shows a packet from Eng on the outside destined for the mapped address 209.165.201.08, whose real address is 10.1.1.78. After untranslating 209.165.201.08 to 10.1.1.78, the ASA decides where to send 10.1.1.78 as follows: if the NAT rule specifies an interface, the packet is sent out that interface, here Inside; if not, or if the NAT rule specifies a route lookup, the ASA looks up 10.1.1.78 in the routing table)
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT for VPN
Figure 3-21 Interface PAT for Internet-Bound VPN Traffic (Intra-Interface) (figure not reproduced; the steps it shows are: 1. the VPN client, public address 209.165.201.10, sends an HTTP request to www.example.com; 2. the ASA decrypts the packet, so the source address is now the client's local address 10.3.3.10; 3. the ASA performs interface PAT for the outgoing traffic, so the source becomes the ASA outside IP 203.0.113.1, port 6070; 4. the HTTP request is sent to www.example.com. The inside host 10.1.1.6 is also shown behind the ASA)
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT for VPN
Figure 3-22 Identity NAT for VPN Clients (figure not reproduced; the steps it shows are: 1. the VPN client, public address 209.165.201.10, sends an SMTP request to the inside host 10.1.1.6; 2. the ASA decrypts the packet, so the source address is now the local address 10.3.3.10; 3. identity NAT between the inside and VPN client networks leaves Src 10.3.3.10 / Dst 10.1.1.6 unchanged; 4. the SMTP request reaches 10.1.1.6; 5. through 8. the SMTP response returns to the VPN client along the same path, Src: 10.1.
Chapter 3 Information About NAT (ASA 8.3 and Later) NAT for VPN Figure 3-23 Interface PAT and Identity NAT for Site-to-Site VPN 2. Identity NAT between NWs connected by VPN Src: 10.1.1.6 Dst: 10.2.2.78 1. IM to 10.2.2.78 10.1.1.6 10.2.2.78 3. IM received Src: 10.1.1.6 Src: 10.1.1.6 ASA Outside IP: 203.0.113.1 Internet Inside Boulder ASA1 10.1.1.6 Src: 10.1.1.6 A. HTTP to www.example.com Site-to-Site VPN Tunnel ASA2 203.0.113.1:6070 10.2.2.78 www.example.com B.
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Identify inside San Jose network for use in twice NAT rule:
object network sanjose_inside
 subnet 10.2.2.0 255.255.255.
Figure 3-25 shows a VPN client Telnetting to the ASA inside interface. When you use a management-access interface, and you configure identity NAT according to the “NAT and Remote Access VPN” or “NAT and Site-to-Site VPN” section, you must configure NAT with the route lookup option.
DNS and NAT

Figure 3-26 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.
a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address inside the DNS reply to 192.168.1.10 according to the static rule between inside and DMZ.

Figure 3-27 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks. (1) The host sends a DNS query: ftp.cisco.com? (2) The DNS server sends a DNS reply: 209.165.
Figure 3-28 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.
Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1), you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.

Figure 3-29 DNS64 Reply Modification Using Outside NAT. The DNS server (209.165.201.15) has a static translation on the inside to 2001:DB8::D1A5:C90F (the IPv4-embedded form of 209.165.201.15); ftp.cisco.com 209.165.200.

Figure 3-30 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.1.2.56, the ASA modifies the reverse DNS query with the real address, and the DNS server responds with the server name, ftp.cisco.com.

Figure 3-30 PTR Modification, DNS Server on Host Network. ftp.cisco.com 209.165.201.
CHAPTER 4 Configuring Network Object NAT (ASA 8.3 and Later)

All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of addresses, or a subnet. After you configure the network object, you can then identify the mapped address for that object.
Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the “NAT Rule Order” section on page 3-20.

Licensing Requirements for Network Object NAT

The following table shows the licensing requirements for this feature:
Model: All models. License Requirement: Base License.
• When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT commands are not supported with IPv6.

instead. See the “Routing NAT Packets” section on page 3-22 for more information.

• Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.
Step 4 Check the Add Automatic Translation Rules check box.
Step 5 From the Type drop-down list, choose Dynamic. Choose Dynamic even if you are configuring dynamic PAT with a PAT pool.

a. Do not enter a value for the Translated Addr. field; leave it blank.
b. Check the PAT Pool Translated Address check box, then click the browse button and choose an existing network object or create a new network object from the Browse Translated PAT Pool Address dialog box.
Note: The PAT pool object or group cannot contain a subnet.

Step 8 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
• Translate DNS replies for rule—Translates the IP address in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the “DNS and NAT” section on page 3-31 for more information.

• To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object. For more information, see the “Configuring a Network Object” section on page 20-3 in the general operations configuration guide.
The Add/Edit Network Object dialog box appears.
Step 2 For a new object, enter values for the following fields:
a.

Step 4 Check the Add Automatic Translation Rules check box.
Step 5 From the Type drop-down list, choose Dynamic PAT (Hide).
Note: To configure dynamic PAT using a PAT pool instead of a single address, see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 4-4.
Step 6 Specify a single mapped address. In the Translated Addr.

Note: You cannot specify an interface in transparent mode.
• Click the browse button, and choose an existing host address from the Browse Translated Addr dialog box.
• Click the browse button, and create a new named object from the Browse Translated Addr dialog box.
Step 7 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.

• To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
• To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object. For more information, see the “Configuring a Network Object” section on page 20-3 in the general operations configuration guide.

Step 4 Check the Add Automatic Translation Rules check box.
Step 5 From the Type drop-down list, choose Static.
Step 6 In the Translated Addr. field, do one of the following:
• Type an IP address. When you type an IP address, the netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address.

• Click the browse button, and create a new address from the Browse Translated Addr dialog box. Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. For more information, see the “Static NAT” section on page 3-3.
Step 7 (Optional) For NAT46, check Use one-to-one address translation.

Step 9 Click OK, and then Apply. Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each direction.

Configuring Identity NAT

This section describes how to configure an identity NAT rule using network object NAT. For more information, see the “Identity NAT” section on page 3-12.

c. IP Address—An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End address.
d. Netmask/Prefix Length—Enter the subnet mask or prefix length.
e. Description—(Optional) The description of the network object (up to 200 characters in length).
Step 3 If the NAT section is hidden, click NAT to expand the section.

Step 6 In the Translated Addr. field, do one of the following:
• Type the same IP address that you used for the real address.
• Click the browse button, and choose a network object with a matching IP address definition from the Browse Translated Addr dialog box.
• Click the browse button, and create a new network object with a matching IP address definition from the Browse Translated Addr dialog box.
Configuring Per-Session PAT Rules

By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule uses multi-session PAT. For more information about per-session vs. multi-session PAT, see the “Per-Session PAT vs. Multi-Session PAT (Version 9.

A permit rule uses per-session PAT; a deny rule uses multi-session PAT.
Step 3 Specify the Source Address either by typing an address or clicking the ... button to choose an object.
Step 4 Specify the Source Service, UDP or TCP. You can optionally specify a source port, although normally you only specify the destination port. Either type in UDP/port or TCP/port, or click the ...
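The PAT pool guideline above (round robin, extended PAT, and the number of NAT pools) and the per-session PAT rules can both be seen in the following model. It is an added example, not code from this guide or from Cisco. The pool addresses 209.165.201.20 and 209.165.201.21, the tiny port range, and the sample flows are constructed for the example; the per-session classifier starts from the documented defaults (all TCP and UDP/53 per-session, everything else multi-session) and adds a deny rule of the kind the procedure above creates.

```python
"""Model of PAT address/port allocation and xlate lifetime.

Added example, not code from the Cisco guide. It models, for a PAT pool,
default allocation (use up one address's ports before moving to the next)
versus round robin (rotate through the pool per connection), extended PAT
(a separate port space per destination IP/port), and per-session versus
multi-session PAT (a per-session xlate is freed when its connection ends;
a multi-session xlate outlives the connection). Port ranges, addresses and
flows below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PerSessionRule:
    action: str                 # "permit" = per-session PAT, "deny" = multi-session PAT
    proto: str                  # "tcp" or "udp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None


# Documented defaults: all TCP PAT traffic and all UDP DNS traffic use per-session PAT.
DEFAULT_PER_SESSION_RULES = [PerSessionRule("permit", "tcp"),
                             PerSessionRule("permit", "udp", dport=53)]


def is_per_session(proto: str, src: str, dst: str, dport: int,
                   rules: List[PerSessionRule] = DEFAULT_PER_SESSION_RULES) -> bool:
    """First matching rule decides; no match means multi-session PAT."""
    for r in rules:
        if (r.proto == proto and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action == "permit"
    return False


@dataclass
class Xlate:
    proto: str
    real: Tuple[str, int]
    mapped: Tuple[str, int]
    pool_key: tuple
    per_session: bool


class PatPool:
    """A dynamic PAT pool with optional round robin and extended PAT."""

    def __init__(self, addresses: List[str], ports: Tuple[int, int] = (1024, 65535),
                 round_robin: bool = False, extended: bool = False,
                 rules: List[PerSessionRule] = DEFAULT_PER_SESSION_RULES):
        self.addresses, self.ports = list(addresses), ports
        self.round_robin, self.extended, self.rules = round_robin, extended, rules
        self._rr_index = 0
        self._used: Dict[tuple, Set[int]] = defaultdict(set)   # one entry per NAT pool

    def pool_count(self) -> int:
        return len(self._used)

    def _pool_key(self, mapped_ip: str, proto: str, dst: Tuple[str, int]) -> tuple:
        # Extended PAT keeps a separate port space per destination IP/port, so every new
        # destination creates another pool; round robin then spreads those pools across
        # every address. That is the memory cost the guideline warns about.
        return (mapped_ip, proto, dst) if self.extended else (mapped_ip, proto)

    def _address_order(self) -> List[str]:
        if not self.round_robin:
            return self.addresses             # exhaust one address before the next
        start = self._rr_index
        self._rr_index = (start + 1) % len(self.addresses)
        return self.addresses[start:] + self.addresses[:start]

    def allocate(self, proto: str, real_ip: str, real_port: int,
                 dst_ip: str, dst_port: int) -> Xlate:
        dst = (dst_ip, dst_port)
        for mapped_ip in self._address_order():
            key = self._pool_key(mapped_ip, proto, dst)
            used = self._used[key]
            for port in range(self.ports[0], self.ports[1] + 1):
                if port not in used:
                    used.add(port)
                    return Xlate(proto, (real_ip, real_port), (mapped_ip, port), key,
                                 is_per_session(proto, real_ip, dst_ip, dst_port, self.rules))
        raise RuntimeError("PAT pool exhausted")

    def session_ended(self, xlate: Xlate) -> bool:
        """True if the xlate was freed at once (per-session PAT). A multi-session
        xlate is kept for the idle timeout instead and stays allocated here."""
        if xlate.per_session:
            self._used[xlate.pool_key].discard(xlate.mapped[1])
            return True
        return False


if __name__ == "__main__":
    pool = PatPool(["209.165.201.20", "209.165.201.21"], ports=(1024, 1025),
                   round_robin=True, extended=True)
    for i, dst in enumerate(["198.51.100.7", "198.51.100.7", "198.51.100.8"]):
        x = pool.allocate("tcp", "10.1.2.10", 40000 + i, dst, 443)
        print(x.real, "->", x.mapped, "per-session" if x.per_session else "multi-session")
    print("NAT pools in use:", pool.pool_count())
```

The two numbers worth watching are pool_count(), which grows with addresses times destinations once extended PAT and round robin are both on, and the return value of session_ended(): a UDP flow that is not DNS keeps its mapped port after the session closes, so a short port range fills up with idle xlates unless a permit per-session rule is added for that traffic.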
The Monitoring > Properties > Connection Graphs > Perfmon pane lets you view the performance information in a graphical format. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Fields
• Available Graphs—Lists the components you can graph.
– AAA Perfmon—Displays the ASA AAA performance information.
Configuration Examples for Network Object NAT

Providing Access to an Inside Web Server (Static NAT)

The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 4-1).

Figure 4-1 Static NAT for an Inside Web Server. Addresses shown in the figure: 209.165.201.12 on the outside; 209.165.201.
Step 5 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)

The following example configures dynamic NAT for inside users on a private network when they access the outside.
Figure 4-2 Dynamic NAT for Inside, Static NAT for Outside Web Server. The outside web server 209.165.201.12 is reached from the inside through its mapped address 10.1.2.20 (undo translation). The inside host 10.1.2.10 is translated to 209.165.201.20. The security appliance has outside interface 209.165.201.1 and inside interface 10.1.2.1; the inside network is myInsNet 10.1.2.
Step 3 Enable dynamic NAT for the inside network:
Step 4 For the Translated Addr field, add a new network object for the dynamic NAT pool to which you want to translate the inside addresses by clicking the browse button.
a. Add the new network object.
b. Define the NAT pool addresses, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 6 Click OK to return to the Edit Network Object dialog box, and then click OK again to return to the NAT Rules table.

Step 11 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)

The following example shows an inside load balancer that is translated to multiple IP addresses. When an outside host accesses one of the mapped IP addresses, it is untranslated to the single load balancer address.
Figure 4-3 Static NAT with One-to-Many for an Inside Load Balancer. An outside host reaches the inside load balancer (10.1.2.27) through any of the mapped addresses 209.165.201.3, 209.165.201.4, and 209.165.201.5; each one is untranslated to 10.1.2.27. Inside load balancer 10.1.2.
Step 3 Configure static NAT for the load balancer:
Step 4 For the Translated Addr field, add a new network object for the static NAT group of addresses to which you want to translate the load balancer address by clicking the browse button.
a. Add the new network object.
b. Define the static NAT group of addresses, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 5 Configure the real and mapped interfaces by clicking Advanced:
Step 6 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)

The following static NAT-with-port-translation example provides a single address for remote users to access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for each server, you can specify static NAT-with-port-translation rules that use the same mapped IP address, but different ports.

Step 3 Click Advanced to configure the real and mapped interfaces and port translation for FTP.
Step 6 Click Advanced to configure the real and mapped interfaces and port translation for HTTP.
Step 9 Click Advanced to configure the real and mapped interfaces and port translation for SMTP.
Step 10 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)

For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.

When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.

Step 2 Define the FTP server address, and configure static NAT with DNS modification:
Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification.
Step 4 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification)

Figure 4-6 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10.

Step 2 Define the FTP server address, and configure static NAT with DNS modification:
Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification.
Step 4 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification)

Figure 4-6 shows an FTP server and DNS server on the outside IPv4 network. The ASA has a static translation for the outside server. In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.

b. Define the FTP server address, and configure static NAT with DNS modification and, because this is a one-to-one translation, configure the one-to-one method for NAT46.
c. Click Advanced to configure the real and mapped interfaces and DNS modification.
d. Click OK to return to the Edit Network Object dialog box.
Step 2 Configure NAT for the DNS server.
a. Create a network object for the DNS server address.
b. Define the DNS server address, and configure static NAT using the one-to-one method.
c. Click Advanced to configure the real and mapped interfaces.
d. Click OK to return to the Edit Network Object dialog box.
Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network. Under NAT, uncheck the Add Automatic Address Translation Rules check box.
Step 4 Configure PAT for the inside IPv6 network.
a. Create a network object for the inside IPv6 network.
b.
c. Next to the PAT Pool Translated Address field, click the ... button to choose the PAT pool you created earlier, and click OK.
d. Click Advanced to configure the real and mapped interfaces.
e. Click OK to return to the Edit Network Object dialog box.
Step 5 Click OK, and then click Apply.

Feature History for Network Object NAT

Table 4-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Table 4-1 Feature History for Network Object NAT (continued)
Feature Name: PAT pool and round robin address assignment. Platform Releases: 8.4(2)/8.5(1). Feature Information: You can now specify a pool of PAT addresses instead of a single address.
Feature Name: Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address. Platform Releases: 8.4(3). Feature Information: In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address.
Feature Name: NAT support for reverse DNS lookups. Platform Releases: 9.0(1). Feature Information: NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.
Feature Name: Per-session PAT. Platform Releases: 9.
CHAPTER 5 Configuring Twice NAT (ASA 8.3 and Later)

Twice NAT lets you identify both the source and destination address in a single rule.
Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition. For detailed information about the differences between twice NAT and network object NAT, see the “How NAT is Implemented” section on page 3-15. Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3.

IPv6 Guidelines
• Supports IPv6.
• For routed mode, you can also translate between IPv4 and IPv6.
• For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.
• For transparent mode, a PAT pool is not supported for IPv6.
• For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.

Default Settings
• By default, the rule is added to the end of section 1 of the NAT table.
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
• (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules.

• If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.

Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.
Step 3
Figure (twice NAT example): the inside host has real address 10.1.2.2 and mapped address 192.168.2.2; the outside host has real address 192.168.1.1 and mapped address 10.1.1.1. Original packet on the inside: 10.1.2.2 ---> 10.1.1.1. Translated packet on the outside: 192.168.2.2 ---> 192.168.1.1.

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box.
Step 5 Choose Dynamic from the Match Criteria: Translated Packet > Source NAT Type drop-down list. This setting only applies to the source address; the destination translation is always static.
Step 6 Identify the translated packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the destination interface network (the mapped source address and the real destination address).

Note: The object or group cannot contain a subnet.
• Dynamic PAT using a PAT pool—To configure a PAT pool, check the PAT Pool Translated Address check box, then click the browse button and choose an existing network object or group or create a new object or group from the Browse Translated PAT Pool Address dialog box. Leave the Source Address field empty.
Note: The object or group cannot contain a subnet.

c. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface or create a new object or group from the Browse Translated Destination Address dialog box. For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

Step 8 (Optional) Configure NAT options in the Options area.
a. Enable rule—Enables this NAT rule. The rule is enabled by default.
b. (For a source-only rule) Translate DNS replies that match this rule—Rewrites the DNS A record in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure DNS modification if you configure a destination address.

Configuring Dynamic PAT (Hide)

This section describes how to configure twice NAT for dynamic PAT (hide). For dynamic PAT using a PAT pool, see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 5-4 instead of using this section. For more information, see the “Dynamic PAT” section on page 3-10.

Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.
Step 3
Figure (twice NAT example): the inside host has real address 10.1.2.2 and mapped address 192.168.2.2; the outside host has real address 192.168.1.1 and mapped address 10.1.1.1. Original packet on the inside: 10.1.2.2 ---> 10.1.1.1. Translated packet on the outside: 192.168.2.2 ---> 192.168.1.1.

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box.
Step 5 Choose Dynamic PAT (Hide) from the Match Criteria: Translated Packet > Source NAT Type drop-down list. This setting only applies to the source address; the destination translation is always static.
Note: To configure dynamic PAT using a PAT pool, choose Dynamic instead of Dynamic PAT (Hide); see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 5-4.
Step 6
Figure (twice NAT example): the inside host has real address 10.1.2.2 and mapped address 192.168.2.2; the outside host has real address 192.168.1.1 and mapped address 10.1.1.1. Original packet on the inside: 10.1.2.2 ---> 10.1.1.1. Translated packet on the outside: 192.168.2.2 ---> 192.168.1.1.

a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or interface or create a new object from the Browse Translated Source Address dialog box.
You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port. Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case.

Step 9 Click OK.

Configuring Static NAT or Static NAT-with-Port-Translation

This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the “Static NAT” section on page 3-3.

Detailed Steps
To configure static NAT, perform the following steps:
Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.

Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.
Step 3
Figure: Source (Inside) Real: 10.1.2.2, Mapped: 192.168.2.2; Destination (Outside NAT) Real: 192.168.1.1, Mapped: 10.1.1.1. Original Packet: 10.1.2.2 ---> 10.1.1.1; Translated Packet: 192.168.2.2 ---> 192.168.1.1.
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box.
Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting. This setting only applies to the source address; the destination translation is always static.
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For static interface NAT with port translation, you can specify the interface instead of a network object/group for the mapped address. If you want to use the IPv6 address of the interface, check the Use IPv6 for interface PAT check box.
Step 8 (Optional) For NAT46, check the Use one-to-one address translation check box. For NAT46, specify one-to-one to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this keyword.
Step 9 (Optional) Configure NAT options in the Options area.
a. Enable rule—Enables this NAT rule.
Step 10 Click OK.
Configuring Identity NAT
This section describes how to configure an identity NAT rule using twice NAT. For more information about identity NAT, see the “Identity NAT” section on page 3-12.
Detailed Steps
To configure identity NAT, perform the following steps:
Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.
Step 3
Figure: Source (Inside) 10.1.2.2, Identity; Destination (Outside NAT) Real: 192.168.1.1, Mapped: 10.1.1.1. Original Packet: 10.1.2.2 ---> 10.1.1.1; Translated Packet: 10.1.2.2 ---> 192.168.1.1.
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box.
Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting. This setting only applies to the source address; the destination translation is always static.
Step 6 Identify the translated packet addresses; namely, the packet addresses as they appear on the destination interface network (the mapped source address and the real destination address).
For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses. If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the “Static NAT” section on page 3-3.
a. Enable rule—Enables this NAT rule. The rule is enabled by default.
b. Disable Proxy ARP on egress interface—Disables proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-22 for more information.
c.
Monitoring Twice NAT
Fields
• Available Graphs—Lists the components you can graph.
– Xlate Utilization—Displays the ASA NAT utilization.
• Graph Window Title—Shows the graph window name to which you want to add a graph type. To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title.
Configuration Examples for Twice NAT
Figure 5-1 Twice NAT with Different Destination Addresses: Inside network 10.1.2.0/24 (host 10.1.2.27); DMZ networks 209.165.201.0/27 (Server 1, 209.165.201.11) and 209.165.200.224/27 (Server 2, 209.165.200.225). Translation 10.1.2.27 -> 209.165.202.129 for packets with Dest. Address 209.165.201.11; translation 10.1.2.27 -> 209.165.202.130 for packets with Dest. Address 209.165.200.225.
Step 1
Step 2 Set the source and destination interfaces:
Step 3 For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source Address dialog box.
a. Add the new network object.
b. Define the inside network addresses, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 4 For the Original Destination Address, click the browse button to add a new network object for DMZ network 1 in the Browse Original Destination Address dialog box.
a. Add the new network object.
b. Define the DMZ network 1 addresses, and click OK.
c.
Step 5
Step 6 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
a. Add the new network object.
b. Define the PAT address, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 7
Step 8 Click OK to add the rule to the NAT table.
Step 9 Add a NAT rule for traffic from the inside network to DMZ network 2: By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules. The Add NAT Rule dialog box appears.
Step 10 Set the source and destination interfaces:
Step 11 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.
Step 12 For the Original Destination Address, click the browse button to add a new network object for DMZ network 2 in the Browse Original Destination Address dialog box.
a. Add the new network object.
b.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 13 Set the NAT Type to Dynamic PAT (Hide):
Step 14 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
a. Add the new network object.
b. Define the PAT address, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 15 For the Translated Destination Address, type the name of the Original Destination Address (DMZnetwork2) or click the browse button to choose it.
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
Figure 5-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port.
Step 2 Set the source and destination interfaces:
Step 3 For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source Address dialog box.
a. Add the new network object.
b. Define the inside network addresses, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 4 For the Original Destination Address, click the browse button to add a new network object for the Telnet/Web server in the Browse Original Destination Address dialog box.
a. Add the new network object.
b. Define the server address, and click OK.
c. Choose the new network object by double-clicking it.
Step 5 For the Original Service, click the browse button to add a new service object for Telnet in the Browse Original Service dialog box.
a. Add the new service object.
b. Define the protocol and port, and click OK.
c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration.
Step 6
Step 7 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
a. Add the new network object.
b. Define the PAT address, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 8
Step 9 Click OK to add the rule to the NAT table.
Step 10 Add a NAT rule for traffic from the inside network to the web server: By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules. The Add NAT Rule dialog box appears.
Step 11 Set the real and mapped interfaces:
Step 12 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.
Step 13 For the Original Destination Address, type the name of the Telnet/web server network object (TelnetWebServer) or click the browse button to choose it.
c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration.
Step 15 Set the NAT Type to Dynamic PAT (Hide):
Step 16 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
a. Add the new network object.
b. Define the PAT address, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 17 For the Translated Destination Address, type the name of the Original Destination Address (TelnetWebServer) or click the browse button to choose it.
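The two configuration examples above (a different PAT address per destination network, and a different PAT address per destination service) can be checked against a small model of how twice NAT rules are matched. The following is an added example, not Cisco or ASDM code: rules are evaluated in order, the first rule whose original source, original destination and optional original service all match wins, the source is hidden behind the rule's single PAT address, and the destination is unchanged because the same object is used for the real and mapped destination. The address of the TelnetWebServer object (209.165.201.11/32) and the PAT address used for the web rule (209.165.202.130) are not stated in this excerpt and are constructed placeholders; the port allocator is a toy.

```python
"""Model of ASA twice NAT matching for Dynamic PAT (Hide) rules.

Added illustration, not Cisco code.  First matching rule wins; the source is
hidden behind one PAT address; the destination is a static identity mapping.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class DynamicPatHideRule:
    src_if: str                              # Original Packet > Source Interface ("any" = --Any--)
    dst_if: str                              # Original Packet > Destination Interface
    orig_src: Net                            # Original Source Address object
    orig_dst: Net                            # Original Destination Address object
    orig_service: Optional[Tuple[str, int]]  # (protocol, destination port) or None for any service
    pat_addr: Addr                           # Translated Source Address (single PAT address)


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src: Addr
    dst: Addr
    proto: str
    sport: int
    dport: int


class TwiceNatTable:
    """Ordered twice NAT rules plus a toy per-PAT-address port allocator."""

    def __init__(self, rules: List[DynamicPatHideRule]):
        self.rules = list(rules)
        self._next_port: Dict[Addr, int] = {}  # toy allocator: sequential ports from 1024

    @staticmethod
    def _matches(rule: DynamicPatHideRule, pkt: Packet) -> bool:
        if rule.src_if not in ("any", pkt.src_if) or rule.dst_if not in ("any", pkt.dst_if):
            return False
        if pkt.src not in rule.orig_src or pkt.dst not in rule.orig_dst:
            return False
        return rule.orig_service is None or rule.orig_service == (pkt.proto, pkt.dport)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if no twice NAT rule matched."""
        for rule in self.rules:
            if self._matches(rule, pkt):
                port = self._next_port.get(rule.pat_addr, 1024)
                self._next_port[rule.pat_addr] = port + 1
                # Source hidden behind the PAT address; destination address and port untouched.
                return Packet(pkt.src_if, pkt.dst_if, rule.pat_addr, pkt.dst, pkt.proto, port, pkt.dport)
        return None


def lookup(table: TwiceNatTable, src: str, dst: str, proto: str = "tcp",
           dport: int = 80) -> Optional[Tuple[str, str, int]]:
    """String-friendly wrapper: (mapped source, destination, mapped source port) or None."""
    pkt = Packet("inside", "dmz", Addr(src), Addr(dst), proto, 40000, dport)
    out = table.translate(pkt)
    return None if out is None else (str(out.src), str(out.dst), out.sport)


INSIDE = Net("10.1.2.0/24")  # myInsideNetwork

# Example 1 (Figure 5-1): the PAT address depends on the destination network.
EXAMPLE1 = TwiceNatTable([
    DynamicPatHideRule("inside", "dmz", INSIDE, Net("209.165.201.0/27"), None, Addr("209.165.202.129")),    # DMZ network 1
    DynamicPatHideRule("inside", "dmz", INSIDE, Net("209.165.200.224/27"), None, Addr("209.165.202.130")),  # DMZ network 2
])

# Example 2 (Figure 5-2): the PAT address depends on the destination service.
# Constructed placeholders: the TelnetWebServer address and the web PAT address
# are not given in the text (only Telnet -> 209.165.202.129 is stated).
TELNET_WEB_SERVER = Net("209.165.201.11/32")
EXAMPLE2 = TwiceNatTable([
    DynamicPatHideRule("inside", "dmz", INSIDE, TELNET_WEB_SERVER, ("tcp", 23), Addr("209.165.202.129")),
    DynamicPatHideRule("inside", "dmz", INSIDE, TELNET_WEB_SERVER, ("tcp", 80), Addr("209.165.202.130")),
])

if __name__ == "__main__":
    print(lookup(EXAMPLE1, "10.1.2.27", "209.165.201.11"))              # mapped source 209.165.202.129
    print(lookup(EXAMPLE1, "10.1.2.27", "209.165.200.225"))             # mapped source 209.165.202.130
    print(lookup(EXAMPLE2, "10.1.2.27", "209.165.201.11", dport=23))    # Telnet: 209.165.202.129
    print(lookup(EXAMPLE2, "10.1.2.27", "209.165.201.11", dport=443))   # no rule matches: None
```

A packet that matches none of the rules returns None here; what the ASA then does with it depends on the rest of the NAT table (network object NAT rules in section 2, twice NAT rules in section 3), which this model does not include.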
Feature History for Twice NAT
Table 5-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Table 5-1 Feature History for Twice NAT
Feature Name | Platform Releases | Feature Information
Twice NAT | 8. |
Round robin PAT pool allocation uses the same IP address for existing hosts | 8.4(3) | When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. We did not modify any screens.
Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address | 8.4(3) | In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address.
NAT support for reverse DNS lookups | 9.0(1) | NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.
Per-session PAT | 9. |
CHAPTER 6 Configuring NAT (ASA 8.2 and Earlier)
NAT Overview
general operations configuration guide for more information about security levels. See the “NAT Control” section on page 6-4 for more information about NAT control.
Note In this document, all types of translation are referred to as NAT. When describing NAT, the terms inside and outside represent the security relationship between any two interfaces. The higher security level is inside and the lower security level is outside.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. For example, a transparent firewall ASA is useful between two VRFs so you can establish BGP neighbor relations between the VRFs and the global table. However, NAT per VRF might not be supported. In this case, using NAT in transparent mode is essential.
Figure 6-2 NAT Example: Transparent Mode: host 10.1.2.27 on the inside (gateway 10.1.2.1, ASA Management IP 10.1.2.2) reaches www.example.com on the Internet; a static route on the router sends 209.165.201.0/27 through the security appliance. Source Addr Translation: 10.1.2.27 -> 209.165.201.10.
Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown in Figure 6-4.
Figure 6-4 NAT Control and Same Security Traffic: with Dyn. NAT configured on the security appliance, 10.1.1.1 is translated to 209.165.201.1; with No NAT configured, 10.1.1.1 passes untranslated.
NAT Types
This section describes the available NAT types, and includes the following topics:
• Dynamic NAT, page 6-6
• PAT, page 6-8
• Static NAT, page 6-9
• Static PAT, page 6-9
• Bypassing NAT When NAT Control is Enabled, page 6-10
You can implement address translation as dynamic NAT, Port Address Translation, static NAT, static PAT, or as a mix of these types.
Figure 6-6 Remote Host Attempts to Connect to the Real Address: Web Server www.example.com on the Outside (209.165.201.2); Security Appliance; Inside 10.1.2.1 with host 10.1.2.27; Translation 10.1.2.27 -> 209.165.201.10.
Figure 6-7 shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table; therefore, the ASA drops the packet.
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected. Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
Static NAT
Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation.
For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify static PAT statements for each server that uses the same mapped IP address, but different ports (see Figure 6-8).
Figure 6-8 Static PAT: a host on the Outside reaches the mapped address 209.165.201.3; Undo Translation 209.165.201.3:21 -> 10.1.2.27; Undo Translation 209.165.201.3:25 -> 10.1.2.29.
the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your ACLs. For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface ACL allows it).
Figure 6-9 Policy NAT with Different Destination Addresses: Inside network 10.1.2.0/24 (host 10.1.2.27); DMZ networks 209.165.201.0/27 (Server 1, 209.165.201.11) and 209.165.200.224/27 (Server 2, 209.165.200.225). Translation 10.1.2.27 -> 209.165.202.129 for packets with Dest. Address 209.165.201.11; translation 10.1.2.27 -> 209.165.202.130 for packets with Dest. Address 209.165.200.225.
Figure 6-10 shows the use of source and destination ports. The host on the 10.1.2.
For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT rule specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the rule identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation.
Order of NAT Rules Used to Match Real Addresses
The ASA matches real addresses to NAT rules in the following order:
1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT—Best match.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.
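The rewrite described above can be stated as one rule: the A record in a DNS reply is changed to whichever form of the address (real or mapped) is valid on the interface where the requesting host sits. The following is an added example, not Cisco code, that applies that rule to a raw DNS response. It handles both the case in this passage (an inside server whose mapped address 209.165.201.10 comes back from an outside DNS server and must become the real 10.1.3.14 for an inside host) and the reverse case of an outside server whose real address must be replaced by the mapped address that inside users are meant to use. The DNS message builder is a constructed minimal one (single question, A records only, compression pointer for the answer name); the outside-server addresses 209.165.20.10 and 10.1.2.56 are taken from the text that follows this passage.

```python
"""DNS reply modification for a static translation (added illustration, not Cisco code).

The A record RDATA is rewritten to the address form valid on the interface
the reply is leaving through.  Minimal DNS builder/parser, no EDNS.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class StaticXlate:
    real_if: str
    real: str
    mapped_if: str
    mapped: str

    def for_interface(self, addr: str, egress_if: str) -> str:
        """Return 'addr' as it should appear to a host on 'egress_if'."""
        if addr == self.mapped and egress_if == self.real_if:
            return self.real      # requester shares the server's network: give it the real address
        if addr == self.real and egress_if == self.mapped_if:
            return self.mapped    # requester is on the mapped side: give it the mapped address
        return addr


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_a_reply(qname: str, ips: List[str], txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question, one A record per address (answer name = pointer to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
                       for ip in ips)
    return header + question + answers


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg: bytes) -> List[int]:
    """Offsets of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    found = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found


def a_records(msg: bytes) -> List[str]:
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in _a_record_offsets(msg)]


def rewrite_dns_reply(msg: bytes, xlates: List[StaticXlate],
                      egress_if: str) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Return the modified reply and the (old, new) substitutions that were made."""
    out = bytearray(msg)
    changes = []
    for off in _a_record_offsets(msg):
        old = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        new = old
        for x in xlates:
            new = x.for_interface(old, egress_if)
            if new != old:
                break
        if new != old:
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
            changes.append((old, new))
    return bytes(out), changes


# Inside FTP server: real 10.1.3.14, mapped 209.165.201.10 on the outside.
INSIDE_SERVER = StaticXlate("inside", "10.1.3.14", "outside", "209.165.201.10")
# Outside server: real 209.165.20.10, mapped 10.1.2.56 for inside users.
OUTSIDE_SERVER = StaticXlate("outside", "209.165.20.10", "inside", "10.1.2.56")

if __name__ == "__main__":
    reply = build_a_reply("ftp.cisco.com", ["209.165.201.10"])  # constructed reply from the outside DNS server
    fixed, changes = rewrite_dns_reply(reply, [INSIDE_SERVER, OUTSIDE_SERVER], egress_if="inside")
    print(a_records(fixed), changes)
```

Only A records are touched; a reply carrying the same name in a CNAME chain or in additional records would need the same scan extended to those sections.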
Figure 6-13 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.
Configuring NAT Control
Using Dynamic NAT
This section describes how to configure dynamic NAT, including dynamic NAT and PAT, dynamic policy NAT and PAT, and identity NAT. Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination.
Real Addresses and Global Pools Paired Using a Pool ID
In a dynamic NAT rule, you specify real addresses and then pair them with a global pool of addresses to which the real addresses are mapped when they exit another interface (in the case of PAT, this is one address, and in the case of identity NAT, this is the same as the real address). Each global pool is assigned a pool ID.
Figure 6-15).
Figure 6-15 NAT Rules and Global Pools using the Same ID on Multiple Interfaces: Web Server www.cisco.com on the Outside. Outside: Global 1: 209.165.201.3-209.165.201.10. DMZ: Global 1: 10.1.1.23; NAT 1: 10.1.1.0/24; host 10.1.1.15. Inside: NAT 1: 10.1.2.0/24; host 10.1.2.27. Translations: 10.1.1.15 -> 209.165.201.4; 10.1.2.27 -> 209.165.201.3; 10.1.2.27 -> 10.1.1.23:2024.
Figure 6-16 Different NAT IDs: Web Server www.cisco.com on the Outside. Outside: Global 1: 209.165.201.3-209.165.201.10; Global 2: 209.165.201.11. Inside: NAT 1: 10.1.2.0/24 (host 10.1.2.27); NAT 2: 192.168.1.0/24 (host 192.168.1.14). Translations: 10.1.2.27 -> 209.165.201.3; 192.168.1.14 -> 209.165.201.11:4567.
Figure 6-17 NAT and PAT Together: Web Server www.cisco.com on the Outside. Outside: Global 1: 209.165.201.3-209.165.201.4; Global 1: 209.165.201.5. Inside: NAT 1: 10.1.2.0/24 (hosts 10.1.2.27, 10.1.2.28, 10.1.2.29). Translations: 10.1.2.27 -> 209.165.201.3; 10.1.2.28 -> 209.165.201.4; 10.1.2.29 -> 209.165.201.5:6096.
Figure 6-18 Outside NAT and Inside NAT Combined: Outside: Global 1: 209.165.201.3-209.165.201.10. DMZ: Outside NAT 1: 10.1.1.0/24; NAT 1: 10.1.1.0/24; host 10.1.1.15; Static to DMZ: 10.1.2.27 -> 10.1.1.5. Inside: Global 1: 10.1.2.30-10.1.2.40; host 10.1.2.27. Translations: 10.1.1.15 -> 209.165.201.4; 10.1.1.15 -> 10.1.2.30; Undo Translation 10.1.1.5 -> 10.1.2.27.
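The matching order given under “Order of NAT Rules Used to Match Real Addresses” and the pool-ID pairing illustrated by Figures 6-15 to 6-18 combine into one lookup: decide which rule owns the real address first, then, for a dynamic rule, find the global pool with the same ID on the egress interface. The following is an added example, not Cisco code, that implements that lookup for ASA 8.2-style rules. Sample rules are drawn from the figures; the NAT exemption entry, the 10.1.2.0/28 rule with ID 3 and its Global 3 pool (209.165.201.12) are constructed to exercise steps 1 and 4 of the order, and the static rule is scoped by destination network as a stand-in for its interface pair.

```python
"""ASA 8.2 NAT rule matching order and global-pool pairing (added illustration, not Cisco code).

Order: 1. NAT exemption, 2. static NAT/PAT, 3. policy dynamic NAT (first match),
4. regular dynamic NAT (best = longest-prefix match).  A dynamic rule is then
paired with the global pool of the same ID on the egress interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class StaticRule:
    real: Net
    mapped: Net                 # same size as real; host offset is preserved
    dest: Optional[Net] = None  # set for policy static NAT


@dataclass
class DynamicRule:
    nat_id: int
    real: Net
    dest: Optional[Net] = None  # set for policy dynamic NAT


@dataclass
class GlobalPool:
    interface: str
    pool_id: int
    first: Addr
    last: Addr                  # first == last means PAT on a single address

    def allocate(self, used: Set[Addr]) -> Optional[Tuple[str, Addr]]:
        if self.first == self.last:
            return ("pat", self.first)
        a = self.first
        while a <= self.last:
            if a not in used:
                return ("nat", a)
            a += 1
        return None             # pool exhausted: the dynamic NAT disadvantage noted above


class Nat82:
    def __init__(self, exempt: List[Tuple[Net, Optional[Net]]], statics: List[StaticRule],
                 dynamics: List[DynamicRule], pools: List[GlobalPool]):
        self.exempt, self.statics, self.dynamics, self.pools = exempt, statics, dynamics, pools
        self.used: Dict[Tuple[str, int], Set[Addr]] = {}

    @staticmethod
    def _hit(real: Net, dest: Optional[Net], src: Addr, dst: Addr) -> bool:
        return src in real and (dest is None or dst in dest)

    def lookup(self, src: str, dst: str, egress: str) -> Tuple[str, Optional[str]]:
        s, d = Addr(src), Addr(dst)
        for real, dest in self.exempt:                       # 1. exemption, first match, untranslated
            if self._hit(real, dest, s, d):
                return ("exempt", src)
        for r in self.statics:                               # 2. static, first match
            if self._hit(r.real, r.dest, s, d):
                offset = int(s) - int(r.real.network_address)
                return ("static", str(r.mapped.network_address + offset))
        chosen = next((r for r in self.dynamics                # 3. policy dynamic, first match
                       if r.dest is not None and self._hit(r.real, r.dest, s, d)), None)
        if chosen is None:                                   # 4. regular dynamic, longest prefix wins
            regular = [r for r in self.dynamics if r.dest is None and s in r.real]
            chosen = max(regular, key=lambda r: r.real.prefixlen, default=None)
        if chosen is None:
            return ("none", None)
        pool = next((p for p in self.pools
                     if p.interface == egress and p.pool_id == chosen.nat_id), None)
        if pool is None:
            return ("no-global", None)                       # rule matched but no pool with that ID here
        used = self.used.setdefault((egress, pool.pool_id), set())
        got = pool.allocate(used)
        if got is None:
            return ("exhausted", None)
        kind, addr = got
        used.add(addr)
        return (kind, str(addr))


def build_sample() -> Nat82:
    """Rules from Figures 6-15 to 6-18; entries marked 'constructed' are added for illustration."""
    return Nat82(
        exempt=[(Net("10.1.2.0/24"), Net("192.168.100.0/24"))],                           # constructed exemption
        statics=[StaticRule(Net("10.1.2.27/32"), Net("10.1.1.5/32"), dest=Net("10.1.1.0/24"))],  # Static to DMZ (Fig. 6-18)
        dynamics=[
            DynamicRule(1, Net("10.1.2.0/24")),      # NAT 1 on inside (Fig. 6-15)
            DynamicRule(1, Net("10.1.1.0/24")),      # NAT 1 on dmz (Fig. 6-15)
            DynamicRule(2, Net("192.168.1.0/24")),   # NAT 2 (Fig. 6-16)
            DynamicRule(3, Net("10.1.2.0/28")),      # constructed: more specific rule to show best match
        ],
        pools=[
            GlobalPool("outside", 1, Addr("209.165.201.3"), Addr("209.165.201.10")),   # Global 1 (Fig. 6-15)
            GlobalPool("outside", 2, Addr("209.165.201.11"), Addr("209.165.201.11")),  # Global 2, PAT (Fig. 6-16)
            GlobalPool("outside", 3, Addr("209.165.201.12"), Addr("209.165.201.12")),  # constructed Global 3, PAT
            GlobalPool("dmz", 1, Addr("10.1.1.23"), Addr("10.1.1.23")),                # Global 1 on DMZ, PAT (Fig. 6-15)
        ],
    )


if __name__ == "__main__":
    n = build_sample()
    for src, dst, egress in [("10.1.2.27", "209.165.201.1", "outside"), ("10.1.2.27", "10.1.1.15", "dmz"),
                             ("10.1.2.100", "10.1.1.15", "dmz"), ("10.1.2.5", "209.165.201.1", "outside")]:
        print(src, "->", dst, "via", egress, ":", n.lookup(src, dst, egress))
```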
Step 2 For a new pool, from the Interface drop-down list, choose the interface where you want to use the mapped IP addresses.
Step 3 For a new pool, in the Pool ID field, enter a number between 1 and 2147483647. Do not enter a pool ID that is already in use, or your configuration will be rejected.
To configure a dynamic NAT, PAT, or identity NAT rule, perform the following steps.
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
TCP initial sequence number randomization can be disabled if required. For example:
– If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
– If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
Step 3 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24.
Note You can also set these values using a security policy rule.
• To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistics area, choose 1, 2, or 3 from the User can specify the number of rate for Threat Detection Host drop-down list.
Using Static NAT
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. See the “Policy NAT” section on page 6-11 for more information. Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a mapped port.
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Static NAT Rule. The Add Static NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.
Step 3 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM.
Note You can also set these values using a security policy rule.
• To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistics area, choose 1, 2, or 3 from the User can specify the number of rate for Threat Detection Host drop-down list.
Configuring Static Policy NAT, PAT, or Identity NAT
Figure 6-22 shows typical static policy NAT, static policy PAT, and static policy identity NAT scenarios. The translation is always active so both translated and remote hosts can originate connections.
Figure 6-22 Static Policy NAT Scenarios: Static Policy NAT: 10.1.1.1 <-> 209.165.201.1 through the security appliance; Static Policy PAT: 10.1.1.1:23 <-> 209.165.201.1:23.
Step 6 Specify the mapped IP address by clicking one of the following:
• Use IP Address—Enter the IP address or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
– You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.
Step 11
• Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.
• Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.
Using NAT Exemption
Step 3 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to exempt.
Step 4 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24.
PART 3 Configuring Access Control
CHAPTER 7 Configuring Access Rules
This chapter describes how to control network access through the ASA using access rules and includes the following sections:
• Information About Access Rules, page 7-1
• Licensing Requirements for Access Rules, page 7-7
• Guidelines and Limitations, page 7-7
• Default Settings, page 7-7
• Configuring Access Rules, page 7-8
• Feature History for Access Rules, page 7-14
Note You use access rules to control network access in both routed and transparent fire
Information About Access Rules
General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the following topics:
• Implicit Permits, page 7-2
• Information About Interface Access Rules and Global Access Rules, page 7-2
• Using Access Rules and EtherType Rules on the Same Interface, page 7-2
• Rule Order, page 7-3
• Implicit Deny, page 7-3
• Using Remarks, page 7-3
• NAT and Access Rules, page
Rule Order
The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA tests the packet against each rule in the order in which the rules are listed. After a match is found, no more rules are checked. For example, if you create an access rule at the beginning that explicitly permits all traffic for an interface, no further rules are ever checked.
Note “Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Supports IPv6.
Table 7-1 lists common traffic types that you can allow through the transparent firewall.
Table 7-1 Transparent Firewall Special Traffic
Traffic Type | Protocol or Port | Notes
DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the ASA does not pass DHCP packets.
EIGRP | Protocol 88 | —
OSPF | Protocol 89 | —
Multicast streams | The UDP ports vary depending on the application. |
Access Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic to pass in both directions.
Licensing Requirements for Access Rules
Configuring Access Rules
This section includes the following topics:
• Adding an Access Rule, page 7-8
• Adding an EtherType Rule (Transparent Mode Only), page 7-9
• Configuring Management Access Rules, page 7-10
• Advanced Access Rule Configuration, page 7-11
• Configuring HTTP Redirect, page 7-12
• Configuring Transactional Commit Model, page 7-13
Adding an Access Rule
To apply an access rule, perform the following steps.
Step 9 Select the service type.
Step 10 (Optional) To add a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list.
a. To the right of the Time Range drop-down list, click the browse button. The Browse Time Range dialog box appears.
b. Click Add. The Add Time Range dialog box appears.
c. In the Time Range Name field, enter a time range name, with no spaces.
d.
Step 11
Step 5 In the Action field, click one of the following radio buttons next to the desired action:
• Permit—Permits access if the conditions are matched.
• Deny—Denies access if the conditions are matched.
Step 6 In the EtherType field, choose an EtherType value from the drop-down list.
Step 7 (Optional) In the Description field, add a text description of the rule.
Step 8 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you can change the logging level from the drop-down list. The default logging level is Informational.
Step 9 (Optional) To add a source service (TCP, UDP, and TCP-UDP only) and a time range to your access rule that specifies when traffic can be allowed or denied, click More Options to expand the list.
• Alert Interval—The amount of time (1-3600 seconds) between system log messages (number 106101) that identify that the maximum number of deny flows was reached. The default is 300 seconds.
• Per User Override table—Specifies the state of the per user override feature. If the per user override feature is enabled on the inbound access rule, the access rule provided by a RADIUS server replaces the access rule configured on that interface.
The Configuration > Device Management > Advanced > HTTP Redirect > Edit pane lets you change the HTTP redirect setting of an interface or the port from which it redirects HTTP connections. Select the interface in the table and click Edit. You can also double-click an interface. The Edit HTTP/HTTPS Settings dialog box opens.
Feature History for Access Rules

Table 7-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 7-2 Feature History for Access Rules

Feature Name | Platform Releases | Feature Information
Interface access rules | 7.0(1) | Controlling network access through the ASA using ACLs.
Table 7-2 Feature History for Access Rules (continued)

Feature Name | Platform Releases | Feature Information
Extended ACL and object enhancement to filter ICMP traffic by ICMP code | 9.0(1) | ICMP traffic can now be permitted/denied based on ICMP code.
Chapter 8 Configuring AAA Rules for Network Access

This chapter describes how to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the “Configuring AAA for System Administrators” section on page 45-12 in the general operations configuration guide.
Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

IPv6 Guidelines
Supports IPv6.

Additional Guidelines
In clustering, this feature is only supported on the master unit.
Configuring Authentication for Network Access

One-Time Authentication

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the Configuration > Firewall > Advanced > Global Timeouts pane for timeout values.)
Note If you use HTTP authentication, by default the username and password are sent from the client to the ASA in clear text; in addition, the username and password are passed on to the destination web server as well. See the “Enabling Secure Authentication of Web Clients” section on page 8-8 for information about securing your credentials.
• For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the Telnet and FTP servers.
• A user can specify an Active Directory domain while providing login credentials (in the format domain\username). The ASA automatically selects the associated AAA server group for the specified domain.
nat (inside,outside) static 10.48.66.155 service tcp 111 889

Then users do not see the authentication page. Instead, the ASA sends an error message to the web browser, indicating that the user must be authenticated before using the requested service. When a mapped address is used for static PAT, it is automatically placed into the dynamic PAT pool.
Step 3 In the AAA Server Group drop-down list, choose a server group. To add a AAA server to the server group, click Add Server. If you chose LOCAL for the AAA server group, you can optionally add a new user by clicking Add User. See the “Adding a User Account to the Local Database” section on page 33-3 in the general operations configuration guide for more information.
Step 3 For the Protocol, choose either HTTP or HTTPS. You can enable both by repeating this procedure and creating two separate rules.
Step 4 In the Interface drop-down list, choose the interface on which you want to enable the listener.
Step 5 In the Port drop-down list, choose the port or enter a number.
This is the only method that protects credentials between the client and the ASA, as well as between the ASA and the destination server. You can use this method alone, or in conjunction with either of the other methods, to maximize your security. After enabling this feature, when a user requires authentication when using HTTP, the ASA redirects the HTTP user to an HTTPS prompt.
server; you are not prompted separately for the HTTP server username and password. Assuming the username and password are not the same for the AAA and HTTP servers, then the HTTP authentication fails. This feature redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the ASA. The ASA prompts for the AAA server username and password.
that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP traffic through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the ASA, and the ASA issues a Telnet prompt.
Configuring Authorization for Network Access

After a user authenticates for a given connection, the ASA can use authorization to further control traffic from the user.
Step 8 In the Service field, enter an IP service name or number for the destination service, or click the ellipsis (...) to choose a service.
Step 9 (Optional) In the Description field, enter a description.
Step 10 (Optional) Click More Options to do any of the following:
• To specify a source service for TCP or UDP, enter a TCP or UDP service in the Source Service field.
Configuring a RADIUS Server to Send Downloadable Access Control Lists

This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes the following topics:
• About the Downloadable ACL Feature and Cisco Secure ACS, page 8-14
• Configuring Cisco Secure ACS for Downloadable ACLs, page 8-15
• Configuring Any RADIUS Server for Downloadable ACLs, page 8-16
• Converting Wi
4. After receipt of a RADIUS authentication request that has a username attribute that includes the name of a downloadable ACL, Cisco Secure ACS authenticates the request by checking the Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect, Cisco Secure ACS ignores the request.
| permit udp any host 10.0.0.253 |
| permit icmp any host 10.0.0.253 |
| permit tcp any host 10.0.0.252 |
| permit udp any host 10.0.0.252 |
| permit icmp any host 10.0.0.252 |
| permit ip any any |
+--------------------------------------------+

For more information about creating downloadable ACLs and associating them with users, see the user guide for your version of Cisco Secure ACS.
The username argument is the name of the user that is being authenticated. The downloaded ACL on the ASA consists of the following lines. Notice the order based on the numbers identified on the RADIUS server.

access-list AAA-user-bcham34-79AD4A08 permit tcp 10.1.
access-list AAA-user-bcham34-79AD4A08
access-list AAA-user-bcham34-79AD4A08
access-list AAA-user-bcham34-79AD4A08
access-list AAA-user-bcham34-79AD4A08
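The Message-Authenticator check in step 4 above is the RFC 3579 one: an HMAC-MD5, keyed with the shared secret, over the whole Access-Request with the attribute's own 16-byte value zeroed. The Python below is an added example, not Cisco's or Cisco Secure ACS's code. It builds a constructed Access-Request carrying a User-Name and a Message-Authenticator, then verifies it the way a RADIUS server must before it acts on a downloadable-ACL request: missing or incorrect means the request is ignored. The shared secret and the Request Authenticator nonce are placeholders.

```python
"""Verify the RADIUS Message-Authenticator attribute (type 80, RFC 3579) on an
Access-Request. Added example; the packet is constructed here and the shared
secret is a placeholder, not a real credential."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) request-authenticator(16)


def parse_attributes(pkt: bytes) -> list:
    """Return [(type, value, offset_of_value)] for the TLV attributes after the header."""
    attrs, off = [], HEADER_LEN
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen], off + 2))
        off += alen
    return attrs


def build_access_request(secret: bytes, identifier: int, username: str,
                         request_authenticator: bytes, sign: bool = True) -> bytes:
    """Build an Access-Request with User-Name and, if sign is set, a valid Message-Authenticator."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode("ascii")
    if sign:
        # The attribute is emitted with a 16-byte zero value; the HMAC is computed over that
        attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = HEADER_LEN + len(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + attrs
    if sign:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # Message-Authenticator is the last attribute here
    return pkt


def check_message_authenticator(secret: bytes, pkt: bytes) -> str:
    """Return 'ok', 'missing' or 'bad'; a server acts on the request only when 'ok'."""
    try:
        attrs = parse_attributes(pkt)
    except ValueError:
        return "bad"
    found = [(v, o) for t, v, o in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return "missing"
    value, off = found[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, value) else "bad"


if __name__ == "__main__":
    SECRET = b"example-shared-secret"   # placeholder
    NONCE = bytes(range(16))             # constructed Request Authenticator
    good = build_access_request(SECRET, 7, "bcham34", NONCE)
    print(check_message_authenticator(SECRET, good))
    print(check_message_authenticator(b"wrong-secret", good))
    print(check_message_authenticator(SECRET, build_access_request(SECRET, 7, "bcham34", NONCE, sign=False)))
```

Because the HMAC covers the User-Name attribute too, a request whose username (and therefore the downloadable ACL it names) has been altered in transit fails the check even though the attribute itself is present.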
Configuring Accounting for Network Access

accounting information by IP address. Accounting information includes session start and stop times, username, the number of bytes that pass through the ASA for the session, the service used, and the duration of each session.

To configure accounting, perform the following steps:
Step 1 If you want the ASA to provide accounting data per user, you must enable authentication.
of these users, you can enable AAA to allow only authenticated and/or authorized users to connect through the ASA. (The Telnet server enforces authentication, too; the ASA prevents unauthorized users from attempting to access the server.)
Feature History for AAA Rules

Table 8-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 8-1 Feature History for AAA Rules

Feature Name | Platform Releases | Feature Information
AAA Rules | 7.0(1) | AAA Rules describe how to enable AAA for network access.
Chapter 9 Configuring Public Servers

This section describes how to configure public servers, and includes the following topics:
• Information About Public Servers, page 9-1
• Licensing Requirements for Public Servers, page 9-1
• Guidelines and Limitations, page 9-1
• Adding a Public Server that Enables Static NAT, page 9-2
• Adding a Public Server that Enables Static NAT with PAT, page 9-2
• Editing Settings for a Public Server, page 9-3
• Feature History for Public Servers, page 9-4

Info
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

Adding a Public Server that Enables Static NAT

To add a public server that enables static NAT and creates a fixed translation of a real address to a mapped address, perform the following steps:
Step 1 In the Configuration > Firewall > Public Servers pane, click Add to add a new server. The Add Public Server dialog box appears.
Step 4 In the Private Service field, click Browse to display the Browse Service dialog box.
Step 5 Choose the actual service that is exposed to the outside, and click OK. Optionally, from the Browse Service dialog box, click Add to create a new service or service group. Multiple services from various ports can be opened to the outside.
Feature History for Public Servers

Table 9-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 9-1 Feature History for Public Servers

Feature Name | Platform Releases | Feature Information
Public Servers | 8.
PART 4 Configuring Application Inspection
Chapter 10 Getting Started with Application Layer Protocol Inspection

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.
Information about Application Layer Protocol Inspection

Figure 10-1 How Inspection Engines Work
[Figure: a Client and a Server with the ASA between them; the ASA's ACL, XLATE, CONN and Inspection stages are shown, and the operations are numbered 1 through 7.]

In Figure 10-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the ASA to establish a new connection.
2. The ASA checks the ACL database to determine if the connection is permitted.
3.
When you enable application inspection for a service that embeds IP addresses, the ASA translates embedded addresses and updates any checksum or other fields that are affected by the translation.
Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the standby unit, there is a best-effort attempt to re-establish a TCP state.
Default Settings and NAT Limitations

Table 10-1 Supported Application Inspection Engines (continued)

Application1 | Default Port | NAT Limitations | Standards2 | Comments
ICMP ERROR | — | — | — | —
ILS (LDAP) | TCP/389 | No extended PAT. | — | —
Instant Messaging (IM) | Varies by client | No extended PAT. No NAT64. | RFC 3860 | —
IP Options | — | No NAT64. | RFC 791, RFC 2113 | —
IPsec Pass Through | UDP/500 | No PAT. | — | —
IPv6 | — | No NAT64. | |
Table 10-1 Supported Application Inspection Engines (continued)

Application1 | Default Port | NAT Limitations | Standards2 | Comments
SIP | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. | RFC 2543 | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances.
Configuring Application Layer Protocol Inspection

This feature uses Security Policy Rules to create a service policy. Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
Chapter 11 Configuring Inspection of Basic Internet Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
DNS Inspection

• Configuring DNS Inspection, page 11-16

Information About DNS Inspection

• General Information About DNS, page 11-2
• DNS Inspection Actions, page 11-2

General Information About DNS

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol).
(Optional) Configuring a DNS Inspection Policy Map and Class Map

To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map. You can also configure a DNS inspection class map to group multiple match criteria for reference within the inspection policy map. You can then apply the inspection policy map when you enable DNS inspection.
• To use one of the preset security levels (Low, Medium, or High), drag the Security Level knob, then click OK to add the inspection policy map. You can skip the rest of this procedure.
• To customize each parameter and/or to configure packet matching inspection, click Details.
Detailed Steps—Filtering

Step 1 Click the Filtering tab.
Step 2 Global Settings:
Drop packets that exceed specified maximum length (global)—Sets the maximum DNS message length, from 512 to 65535 bytes.
Step 2 Enable logging when DNS ID mismatch rate exceeds specified rate—Enables logging for excessive DNS ID mismatches, where the Mismatch Instance Threshold and Time Interval fields specify the maximum number of mismatch instances per x seconds before a system log message is sent.

Detailed Steps—Inspections

Step 1 Click the Inspections tab.
Step 2 Click Add. The Add DNS Inspect dialog box appears.
Step 3 You can configure DNS inspections using the following methods:
• Single Match—Match a single criterion, and identify the action for the match.
• Multiple matches—Match multiple criteria by creating an inspection class map.
• Enforce TSIG: Requires a TSIG resource record to be present.
– Do not enforce
– Drop packet
– Log
– Drop packet and log
Not all combinations are valid for all matching criteria. For example, you can configure both Mask and Enforce TSIG together only for the Criterion: Header Flag option.
Step 5 From the Criterion drop-down list, choose one of the following criteria:
• Header Flag: Set the following Value parameters:
– Match Option: Equals or Contains. If you choose Header Flag Name and check multiple flags, you can set the ASA to match a packet only if all flags are present (Equals) or if any one of the flags is present (Contains).
– Match Value: Header Flag Name or Header Flag Value.
Set the following Value parameters:
– DNS Type Field Name—Lists the DNS types to select.
A—IPv4 address
AXFR—Full (zone) transfer
CNAME—Canonical name
IXFR—Incremental (zone) transfer
NS—Authoritative name server
SOA—Start of a zone of authority
TSIG—Transaction signature
– DNS Type Field Value:
Value—Lets you enter a value between 0 and 65535 to match.
Range—Lets you enter a range match. Both values must be between 0 and 65535.
Set the following Value parameters:
– DNS Class Field Name: Internet—Internet is the only option.
– DNS Class Field Value:
Value—Lets you enter a value between 0 and 65535.
Range—Lets you enter a range match. Both values must be between 0 and 65535.
• Question: Matches a DNS question.
• Resource Record:
Set the following Value parameters:
– Resource Record:
additional—DNS additional resource record
answer—DNS answer resource record
authority—DNS authority resource record
• Domain Name:
Set the following Value parameters:
– Regular Expression—Choose an existing regular expression from the drop-down menu, or click Manage to add a new one. See the “Creating a Regular Expression” section on page 20-11 in the general operations configuration guide.
– Regular Expression Class—Choose an existing regular expression class map from the drop-down menu, or click Manage to add a new one.
map that have the same match, then the order in the configuration determines which match is used, so these buttons are enabled. See the “Guidelines and Limitations” section on page 2-2 for more information.
Step 10 Click OK to save the DNS inspect map.
Step 11 Click Apply.

Configuring DNS Inspection

The default ASA configuration includes many default inspections on default ports applied globally on all interfaces.
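The DNS inspection map settings above (a maximum message length, matching on the question's type and class, and logging when the ID-mismatch rate exceeds a threshold within a time interval) can be modelled in a few dozen lines. The Python below is an added example, not ASA code: it parses the DNS header and first question, applies a constructed policy that drops and logs AXFR/IXFR questions, enforces the 512-byte default length, and counts responses whose ID matches no outstanding query against a threshold per interval. The numeric type codes are the standard registry values for the type names in the list above; the thresholds, names, and the decision to drop unmatched responses are assumptions made for this example.

```python
"""DNS inspection checks: maximum message length, question type/class matching,
and ID-mismatch rate logging. Added example; all packets and thresholds are
constructed here."""
import struct
from collections import deque

# Standard codes for the type names offered in the DNS Type Field Name list
DNS_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TSIG": 250, "IXFR": 251, "AXFR": 252}
CLASS_INTERNET = 1


def parse_dns(msg: bytes) -> dict:
    """Parse the header and the first question; raise ValueError on malformed input."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qdcount, _an, _ns, arcount = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": ident, "is_response": bool(flags & 0x8000), "arcount": arcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def build_message(ident: int, name: str, qtype: int, is_response: bool = False) -> bytes:
    """Constructed test input: one IN question, no answer records."""
    flags = (0x8000 if is_response else 0) | 0x0100  # QR and RD bits
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_INTERNET)


class DnsInspector:
    def __init__(self, max_length=512, denied_types=("AXFR", "IXFR"),
                 mismatch_threshold=3, interval_seconds=10):
        self.max_length = max_length
        self.denied = {DNS_TYPES[t] for t in denied_types}
        self.threshold = mismatch_threshold
        self.interval = interval_seconds
        self.outstanding = set()       # IDs of queries seen but not yet answered
        self.mismatch_times = deque()  # timestamps of recent ID mismatches

    def inspect(self, msg: bytes, now: float) -> tuple:
        """Return (action, reason); action is 'permit', 'drop' or 'drop-log'."""
        if len(msg) > self.max_length:
            return ("drop", "message exceeds maximum length")
        try:
            d = parse_dns(msg)
        except ValueError as exc:
            return ("drop", f"malformed: {exc}")
        if d["qclass"] == CLASS_INTERNET and d["qtype"] in self.denied:
            return ("drop-log", f"denied query type {d['qtype']} for {d['qname']}")
        if not d["is_response"]:
            self.outstanding.add(d["id"])
            return ("permit", "query")
        if d["id"] in self.outstanding:
            self.outstanding.discard(d["id"])
            return ("permit", "response matches outstanding query")
        # A response whose ID matches no outstanding query counts against the mismatch rate
        self.mismatch_times.append(now)
        while self.mismatch_times and now - self.mismatch_times[0] > self.interval:
            self.mismatch_times.popleft()
        if len(self.mismatch_times) >= self.threshold:
            return ("drop-log", "ID mismatch rate exceeded")
        return ("drop", "ID mismatch")
```

The sliding window in `mismatch_times` is what the Mismatch Instance Threshold and Time Interval fields describe: the log action fires only once the count of mismatches inside the interval reaches the threshold, and old entries age out as time advances.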
load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface. See the “Enabling DNS Snooping” section on page 26-9.
Step 8 Click OK to return to the Protocol Inspections tab.
Step 9 Click OK to finish editing the service policy.
Step 10 Click Apply.

FTP Inspection

This section describes the FTP inspection engine.
• An FTP command must be acknowledged before the ASA allows a new command.
• The ASA drops connections that send embedded commands.
• The 227 and PORT commands are checked to ensure they do not appear in an error string.

Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.
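The three strict-mode checks listed above amount to a small state machine on the FTP control channel: a client segment may carry exactly one command and only after the previous one was acknowledged, and a server error reply may not carry PORT or 227 text. The Python below is an added example, not ASA code; the control-channel exchange used to exercise it is constructed, and the action names are assumptions for the example.

```python
"""Strict FTP control-channel checks as a state machine. Added example; the
FTP exchange in the usage is constructed here."""
import re

CRLF = b"\r\n"
COMMAND = re.compile(rb"^[A-Za-z]{3,4}(?: [^\r\n]*)?$")   # e.g. "USER alice", "PASV"
REPLY = re.compile(rb"^(\d{3})([ -])(.*)$", re.S)          # "331 text" or "211-continued"


class StrictFtpInspector:
    def __init__(self):
        self.awaiting_reply = False  # True once a command is in flight

    def client(self, data: bytes) -> tuple:
        """Inspect one client-to-server segment; return (action, detail)."""
        if self.awaiting_reply:
            return ("drop", "new command before previous command was acknowledged")
        # Exactly one CRLF-terminated line per segment; two commands in one segment is an embedded command
        if not data.endswith(CRLF) or data.count(CRLF) != 1:
            return ("drop", "embedded command")
        line = data[:-2]
        if not COMMAND.match(line):
            return ("drop", "malformed command")
        self.awaiting_reply = True
        return ("permit", line.split(b" ", 1)[0].upper().decode("ascii"))

    def server(self, data: bytes) -> tuple:
        """Inspect one server-to-client reply; return (action, detail)."""
        m = REPLY.match(data)
        if not m:
            return ("drop", "malformed reply")
        code, text = m.group(1), m.group(3)
        # PORT or 227 text embedded in a 4xx/5xx error reply is refused
        if code[0:1] in (b"4", b"5") and (b"PORT" in text.upper() or b"227" in text):
            return ("drop", "PORT/227 inside error reply text")
        if m.group(2) == b" ":  # single-line reply or final line of a multi-line reply
            self.awaiting_reply = False
        return ("permit", code.decode("ascii"))


if __name__ == "__main__":
    f = StrictFtpInspector()  # constructed session
    for who, seg in [("C", b"USER alice\r\n"), ("C", b"PASS x\r\n"), ("S", b"331 Password required\r\n"),
                     ("C", b"PASV\r\nPORT 10,0,0,1,4,1\r\n"), ("C", b"PASV\r\n"),
                     ("S", b"500 'PORT 10,0,0,1,4,1': command not understood\r\n"),
                     ("S", b"227 Entering Passive Mode (10,0,0,2,4,1)\r\n")]:
        print(who, f.client(seg) if who == "C" else f.server(seg))
```

A multi-line reply (hyphen after the code) keeps the command in flight until its final line, so a client that pipelines a second command while a banner is still printing is treated the same way as one that sends two commands back to back.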
Fields
• FTP Strict (prevent web browsers from sending embedded commands in FTP requests)—Enables strict FTP application inspection, which causes the ASA to drop the connection when an embedded command is included in an FTP request.
• Use the default FTP inspection map—Specifies to use the default FTP map.
• Delete—Deletes an FTP class map.

Add/Edit FTP Match Criterion

The Add/Edit FTP Match Criterion dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > Add/Edit FTP Match Criterion

The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• File Type Criterion Values—Specifies to match on the FTP transfer file type.
– Regular Expression—Lists the defined regular expressions to match.
• Delete—Deletes the inspect map selected in the FTP Inspect Maps table.
• Security Level—Select the security level (medium or low).
– Low
Mask Banner Disabled
Mask Reply Disabled
– Medium—Default.
Mask Banner Enabled
Mask Reply Enabled
– File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
– Customize—Opens the Add/Edit FTP Policy Map dialog box for additional settings.
• Description—Enter the description of the FTP map, up to 200 characters in length.
• Security Level—Select the security level (medium or low).
– Low
Mask Banner Disabled
Mask Reply Disabled
– Medium—Default.
Mask Banner Enabled
Mask Reply Enabled
– File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
– Default Level—Sets the security level back to the default level of Medium.
Add/Edit FTP Map

The Add/Edit FTP Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > Add/Edit FTP Inspect

The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.

Fields
• Single Match—Specifies that the FTP inspect has only one match statement.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• File Type Criterion Values—Specifies the value details for the FTP file type match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.

HTTP Inspection

This section describes the HTTP inspection engine.
The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection. The Select HTTP Map table provides a list of previously configured maps that you can select for application inspection.

Fields
• Use the default HTTP inspection map—Specifies to use the default HTTP map.
• Edit—Edits an HTTP class map.
• Delete—Deletes an HTTP class map.

Add/Edit HTTP Match Criterion

The Add/Edit HTTP Match Criterion dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map > Add/Edit HTTP Match Criterion

The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map.
cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the maximum number of header fields.
– Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.
HTTP Inspect Map

The HTTP Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP

The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection. HTTP application inspection scans HTTP headers and body, and performs various checks on the data.
URI Filtering

The URI Filtering dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP > URI Filtering

The URI Filtering dialog box lets you configure the settings for a URI filter.

Fields
• Match Type—Shows the match type, which can be a positive or negative match.
• Criterion—Shows the criterion of the inspection.
• Value—Shows the value to match in the inspection.
URI filtering: Not configured
Advanced inspections: Not configured
– High
Protocol violation action: Drop connection and log
Drop connections for unsafe methods: Allow only GET and HEAD.
Drop connections for requests with non-ASCII headers: Enabled
URI filtering: Not configured
Advanced inspections: Not configured
– URI Filtering—Opens the URI Filtering dialog box, which lets you configure the settings for a URI filter.
– Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection.
– Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection.
– Delete—Deletes an HTTP inspection.
– Move Up—Moves an inspection up in the list.
– Move Down—Moves an inspection down in the list.
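The High preset described above combines three decisions on each request: a protocol violation is dropped and logged, any method other than GET and HEAD is dropped, and a request with a non-ASCII header is dropped. The Python below is an added example, not ASA code, that applies those checks to a raw HTTP request; the method list is the one this dialog offers, while the request bytes, the `low` behaviour (protocol-violation check only) and the action names are constructed for the example.

```python
"""HTTP request checks modelled on the High security level: protocol violations,
unsafe methods, and non-ASCII header bytes. Added example; requests are
constructed here."""
import re

# The request methods this dialog offers
KNOWN_METHODS = {"bcopy", "bdelete", "bmove", "bpropfind", "bproppatch", "connect", "copy", "delete",
                 "edit", "get", "getattribute", "getattributenames", "getproperties", "head", "index",
                 "lock", "mkcol", "mkdir", "move", "notify", "options", "poll", "post", "propfind",
                 "proppatch", "put", "revadd", "revlabel", "revlog", "revnum", "save", "search",
                 "setattribute", "startrev", "stoprev", "subscribe", "trace", "unedit", "unlock",
                 "unsubscribe"}
SAFE_METHODS = {"get", "head"}  # the only methods High allows
REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+) HTTP/(\d)\.(\d)$")


def inspect_http_request(raw: bytes, level: str = "high") -> tuple:
    """Return (action, reason). 'high' mirrors the High preset; 'low' checks protocol violations only."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("drop-log", "protocol violation: header block not terminated")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ("drop-log", "protocol violation: malformed request line")
    method = m.group(1).decode("ascii").lower()
    if method not in KNOWN_METHODS:
        return ("drop-log", f"protocol violation: unknown method {method}")
    headers = {}
    for line in lines[1:]:
        if level == "high" and not line.isascii():
            return ("drop", "non-ASCII header")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return ("drop-log", "protocol violation: malformed header line")
        headers[name.strip().lower()] = value.strip()
    if level == "high" and method not in SAFE_METHODS:
        return ("drop", f"unsafe method {method.upper()}")
    return ("permit", method.upper())


if __name__ == "__main__":
    # constructed requests
    print(inspect_http_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"))
    print(inspect_http_request(b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 0\r\n\r\n"))
    print(inspect_http_request(b"GET /index.html HTTP/1.1\r\nX-Note: caf\xc3\xa9\r\n\r\n"))
```

Note the order of the checks: the request line is validated before any header, so a request that is both malformed and non-ASCII reports the protocol violation (the drop-and-log action) rather than the quieter header drop.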
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-aut
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the maximum number of header fields.
– Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.
Chapter 11 Configuring Inspection of Basic Internet Protocols ICMP Inspection – HTTP Traffic Class—Specifies the HTTP traffic class match. – Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps. • Action—Drop connection, reset, or log. • Log—Enable or disable. ICMP Inspection The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and UDP traffic.
Chapter 11 Configuring Inspection of Basic Internet Protocols Instant Messaging Inspection IM Inspection Overview The IM inspect engine lets you apply fine grained controls on the IM application to control the network usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate network. Adding a Class Map for IM Inspection Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection.
Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection • Source IP Address—Select to match the source IP address of the IM message. In the Value fields, enter the IP address and netmask of the message source. • Destination IP Address—Select to match the destination IP address of the IM message. In the Value fields, enter the IP address and netmask of the message destination. • Filename—Select to match the filename of the IM message.
Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection • End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length. • No Operation (NOP) or IP Option 1—The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable.
Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection Step 5 • Click the Use the default IP-Options inspection map radio button to use the default IP Options map. The default map drops packets containing all the inspected IP options, namely End of Options List (EOOL), No Operation (NOP), and Router Alert (RTRALT). • Click the Select an IP-Options inspect map for fine control over inspection radio button to select a defined application inspection map.
Chapter 11 Configuring Inspection of Basic Internet Protocols IP Options Inspection The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map. Use this inspection map to control whether the ASA drops, passes, or clears IP packets containing the following IP options—End of Options List, No Operations, and Router Alert. Fields • Use the default IP-Options inspection map—Specifies to use the default IP Options map.
Chapter 11 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection – Allow packets with the No Operation (NOP) option The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as “internal padding” to align the options on a 32-bit boundary.
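The three inspected options (EOOL, NOP, Router Alert) and the NOP-as-padding rule above map directly onto an options walker. The Python below is an added example for this page, not ASA code: it parses the variable-length options area of an IPv4 header, applies a per-option action map (allow, clear, drop), and recomputes the header checksum after a "clear". Option type values come from RFC 791 and RFC 2113; the action map used in the usage and the sample header are this example's own constructions, not the shipped default map.

```python
"""Walk the IPv4 Options field and apply per-option actions the way an IP
Options inspect map does (allow, clear, drop) for EOOL, NOP and Router Alert.
Added example, not ASA code. "clear" overwrites the option with NOP bytes so
the header length is unchanged, then the header checksum is recomputed."""
import struct

EOOL, NOP, RTRALT = 0, 1, 148        # End of Options List, No Operation, Router Alert (RFC 2113)


def parse_options(options: bytes) -> list:
    """Split the options area into [(type, raw_bytes)], stopping at EOOL.
    Raises ValueError for an option that is truncated or has a bad length."""
    out, i = [], 0
    while i < len(options):
        t = options[i]
        if t == EOOL:
            out.append((EOOL, options[i:i + 1]))
            break                                  # anything after EOOL is padding
        if t == NOP:
            out.append((NOP, options[i:i + 1]))    # single-byte 32-bit alignment padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option type 0x%02x has no length byte" % t)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option type 0x%02x has bad length %d" % (t, length))
        out.append((t, options[i:i + length]))
        i += length
    return out


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    if len(h) % 2:
        h.append(0)
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def apply_policy(header: bytes, actions: dict) -> tuple:
    """Apply {option_type: 'allow'|'clear'|'drop'} to an IPv4 header (header
    bytes only, no payload). Returns ('drop', header) or ('allow', new_header).
    Options absent from the map and malformed option areas are dropped."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        return "drop", header
    opts = bytearray(header[20:ihl])
    try:
        parsed = parse_options(bytes(opts))
    except ValueError:
        return "drop", header
    pos = 0
    for t, raw in parsed:
        action = actions.get(t, "drop")
        if action == "drop":
            return "drop", header
        if action == "clear":
            opts[pos:pos + len(raw)] = bytes([NOP]) * len(raw)
        pos += len(raw)
    new = bytearray(header[:20]) + opts
    struct.pack_into("!H", new, 10, ipv4_checksum(bytes(new)))
    return "allow", bytes(new)


if __name__ == "__main__":
    # Constructed 28-byte header (IHL=7): Router Alert, three NOP pads, EOOL.
    fixed = bytes([0x47, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    hdr = fixed + b"\x94\x04\x00\x00" + b"\x01\x01\x01\x00"
    print(apply_policy(hdr, {EOOL: "allow", NOP: "allow", RTRALT: "clear"}))
```

Clearing rather than dropping Router Alert keeps the packet flowing while removing the hint that makes routers punt it to their control plane, which is the usual reason to inspect this option at all. The walker treats any option type outside the action map as a drop, so a policy that allows only the three inspected types also rejects source-route options without a separate rule.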
Chapter 11 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection Select IPsec-Pass-Thru Map The Select IPsec-Pass-Thru Map dialog box is accessible as follows: Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IPsec-Pass-Thru Map The Select IPsec-Pass-Thru dialog box lets you select or create a new IPsec map. An IPsec map lets you change the configuration values used for IPsec application inspection.
Chapter 11 Configuring Inspection of Basic Internet Protocols IPsec Pass Through Inspection – Default Level—Sets the security level back to the default level of Low.
Chapter 11 Configuring Inspection of Basic Internet Protocols IPv6 Inspection • Parameters—Configures ESP and AH parameter settings. – Limit ESP flows per client—Limits ESP flows per client. Maximum—Specify maximum limit. – Apply ESP idle timeout—Applies ESP idle timeout. Timeout—Specify timeout. – Limit AH flows per client—Limits AH flows per client. Maximum—Specify maximum limit. – Apply AH idle timeout—Applies AH idle timeout. Timeout—Specify timeout.
Chapter 11 Configuring Inspection of Basic Internet Protocols IPv6 Inspection Step 2 Click Add. The Add IPv6 Inspection Map dialog box appears. Step 3 Enter a name and description for the inspection map. By default, the Enforcement tab is selected and the following options are selected: • Permit only known extension headers • Enforce extension header order When Permit only known extension headers is selected, the ASA verifies the IPv6 extension header.
Chapter 11 Configuring Inspection of Basic Internet Protocols NetBIOS Inspection You can configure IPv6 inspection as part of a new service policy rule, or you can edit an existing service policy. Step 2 On the Rule Actions dialog box, click the Protocol Inspections tab. Step 3 Check the IPv6 check box. Step 4 (Optional) To add an IPv6 inspection policy map that you configured in the “(Optional) Configuring an IPv6 Inspection Policy Map” section on page 11-48: a. Click Configure.
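What "Permit only known extension headers" and "Enforce extension header order" verify can be shown on raw packets. The Python below is an added example for this page, not ASA code: it walks the IPv6 extension header chain, rejects a next-header value that is neither a known extension header nor a known upper-layer protocol, and checks the chain against the RFC 2460 recommended order (Destination Options may appear twice). The header type numbers are from RFC 2460 and RFC 6275; the set of upper-layer protocols treated as chain terminators, and the sample packets, are this example's assumptions.

```python
"""Check an IPv6 extension header chain the way the IPv6 inspect map's
"Permit only known extension headers" and "Enforce extension header order"
options do. Added example, not ASA code."""
import struct
from typing import Optional

HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
KNOWN_EXT = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY}
# RFC 2460 section 4.1 recommended order; Destination Options may legitimately occur twice.
RECOMMENDED_ORDER = [HOPOPT, DSTOPTS, ROUTING, FRAGMENT, AH, ESP, DSTOPTS, MOBILITY]
UPPER_LAYER = {6, 17, 58, 59, 132}   # TCP, UDP, ICMPv6, No Next Header, SCTP (assumed set)


def walk_extension_headers(pkt: bytes):
    """Return (chain, final_next_header). final_next_header is None when the
    chain ends in ESP, whose payload is opaque. Raises ValueError if truncated."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in KNOWN_EXT:
        chain.append(nh)
        if nh == ESP:
            return chain, None
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                                 # fixed-size header
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4            # payload len in 32-bit words, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8            # ext len in 8-octet units, excluding first 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + hlen
    return chain, nh


def order_is_valid(chain) -> bool:
    """Each header must sit at or after the slot following the previous header;
    this also rejects repeats of anything but Destination Options."""
    idx = 0
    for h in chain:
        try:
            idx = RECOMMENDED_ORDER.index(h, idx) + 1
        except ValueError:
            return False
    return True


def inspect_ipv6(pkt: bytes) -> Optional[str]:
    """Return 'malformed', 'unknown-header', 'header-order', or None if permitted."""
    try:
        chain, final = walk_extension_headers(pkt)
    except ValueError:
        return "malformed"
    if final is not None and final not in UPPER_LAYER:
        return "unknown-header"
    if not order_is_valid(chain):
        return "header-order"
    return None


def make_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed fixed header (unspecified addresses) for sample packets."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload


if __name__ == "__main__":
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])    # Hop-by-Hop -> Fragment, one PadN option
    frag = bytes([17, 0, 0, 0, 0, 0, 0, 1])          # Fragment -> UDP
    print(inspect_ipv6(make_ipv6(HOPOPT, hbh + frag + b"udp")))      # None (permitted)
    print(inspect_ipv6(make_ipv6(FRAGMENT, bytes([HOPOPT, 0, 0, 0, 0, 0, 0, 1]) + bytes([17, 0, 1, 4, 0, 0, 0, 0]))))
```

Fragment-first chains and Hop-by-Hop headers that are not first are the classic ways to confuse a stateless filter that only looks at the first next-header byte, which is why order enforcement is worth turning on together with the known-header check.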
Chapter 11 Configuring Inspection of Basic Internet Protocols PPTP Inspection • Add—Opens the Add Policy Map dialog box for the inspection. NetBIOS Inspect Map The NetBIOS Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > NetBIOS The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC 1701, RFC 1702]. Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as “500 Command unknown: 'XXX'.” Incomplete commands are discarded.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection ESMTP Inspect Map The ESMTP Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > ESMTP The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection – Default Level—Sets the security level back to the default level of Low. MIME File Type Filtering The MIME File Type Filtering dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > ESMTP > MIME File Type Filtering The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection Drop Connections if command line length is greater than 512 Drop Connections if command recipient count is greater than 100 Drop Connections if body line length is greater than 1000 Drop Connections if sender address length is greater than 320 Drop Connections if MIME file name length is greater than 255 – High Obfuscate Server Banner Drop Connections if command line length is greater than 512 Drop Connection
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection – Action—Shows the action if the match condition is met. – Log—Shows the log state. – Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection. – Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection. – Delete—Deletes an ESMTP inspection. – Move Up—Moves an inspection up in the list. – Move Down—Moves an inspection down in the list.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection • Body Line Length Criterion Values—Specifies the value details for body line length match. – Greater Than Length—Body line length in bytes. – Action—Reset, drop connection, log. – Log—Enable or disable. • Commands Criterion Values—Specifies the value details for command match.
Chapter 11 Configuring Inspection of Basic Internet Protocols SMTP and Extended SMTP Inspection 8bitmime auth binarymime checkpoint dsn ecode etrn others pipelining size vrfy – Add—Adds the selected command from the Available Commands table to the Selected Commands table. – Remove—Removes the selected command from the Selected Commands table. – Action—Reset, Drop Connection, Mask, Log. – Log—Enable or disable. • Header Length Criterion Values—Specifies the value details for header length match.
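The ESMTP behaviour described in the overview (unsupported commands rewritten to Xs, incomplete commands discarded) and the Medium/High level limits (command line over 512 bytes, more than 100 recipients, server banner obfuscation) fit in one per-connection state machine. The Python below is an added example for this page, not ASA code: the supported-command set is the one documented for ASA ESMTP inspection and is treated here as an assumption, and the sample banner and commands are constructed.

```python
"""ESMTP inspection behaviour as an added example (not ASA code): commands
outside the supported set are rewritten to Xs so the inner server rejects
them, over-length command lines and too many RCPT commands tear the connection
down, an un-terminated command line is discarded, and the 220 banner can be
obfuscated with asterisks."""
from typing import List, Tuple

SUPPORTED_COMMANDS = {"AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL", "NOOP",
                      "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "STARTTLS", "VRFY"}
MAX_COMMAND_LINE = 512     # "Drop Connections if command line length is greater than 512"
MAX_RECIPIENTS = 100       # "Drop Connections if command recipient count is greater than 100"


class EsmtpSession:
    """Per-connection state: recipient count and whether the banner was handled."""

    def __init__(self, obfuscate_banner: bool = True):
        self.obfuscate_banner = obfuscate_banner
        self.recipients = 0
        self.banner_done = False

    def client_line(self, line: bytes) -> Tuple[str, bytes]:
        """Inspect one client line. Returns (action, bytes_to_forward) where
        action is 'forward', 'mask', 'discard' or 'drop-connection'."""
        if not line.endswith(b"\r\n"):
            return "discard", b""                    # incomplete command: discarded
        body = line[:-2]
        if len(body) > MAX_COMMAND_LINE:
            return "drop-connection", b""
        verb, sep, args = body.partition(b" ")
        cmd = verb.decode("ascii", "replace").upper()
        if cmd in ("MAIL", "RSET"):
            self.recipients = 0                      # a new mail transaction starts
        elif cmd == "RCPT":
            self.recipients += 1
            if self.recipients > MAX_RECIPIENTS:
                return "drop-connection", b""
        if cmd not in SUPPORTED_COMMANDS:
            return "mask", b"X" * len(verb) + sep + args + b"\r\n"
        return "forward", line

    def server_line(self, line: bytes) -> bytes:
        """Replace the greeting banner text with asterisks, keeping the 220 code."""
        if not self.banner_done and line.startswith(b"220"):
            self.banner_done = True
            if self.obfuscate_banner:
                code, sep, text = line.rstrip(b"\r\n").partition(b" ")
                return code + sep + b"*" * len(text) + b"\r\n"
        return line


def inspect_client_stream(lines: List[bytes]) -> List[str]:
    """Run a whole client command sequence; stops at the first drop-connection."""
    session, actions = EsmtpSession(), []
    for line in lines:
        action, _ = session.client_line(line)
        actions.append(action)
        if action == "drop-connection":
            break
    return actions


if __name__ == "__main__":
    s = EsmtpSession()
    print(s.server_line(b"220 mail.example.test ESMTP Postfix\r\n"))   # constructed banner
    for cmd in (b"EHLO client.example.test\r\n", b"ATRN example.test\r\n", b"VRFY nobody"):
        print(s.client_line(cmd))
```

Masking rather than dropping unsupported verbs is what produces the "500 Command unknown: 'XXX'" reply the overview mentions: the server, not the firewall, rejects the command, so the client sees a normal SMTP error and the session survives.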
Chapter 11 Configuring Inspection of Basic Internet Protocols TFTP Inspection • MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match. – Greater Than Length—MIME filename length in bytes. – Action—Reset, Drop Connection, Log. – Log—Enable or disable. • MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.
Chapter 11 Configuring Inspection of Basic Internet Protocols TFTP Inspection The ASA inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR). A dynamic secondary channel and a PAT translation, if necessary, are allocated on a reception of a valid read (RRQ) or write (WRQ) request.
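The secondary channel mentioned above exists because, per RFC 1350, a TFTP server answers a read or write request from a newly chosen UDP port rather than from port 69. The Python below is an added example for this page, not ASA code: it parses RRQ, WRQ and ERROR packets as seen on the control port and derives the pinhole a valid request needs (UDP from the server, any source port, to the client's original port). The pinhole dictionary layout and the sample packets are this example's own constructions.

```python
"""TFTP inspection as an added example (not ASA code): parse RRQ/WRQ/ERROR
packets from the control port and derive the secondary-channel pinhole."""
import struct
from typing import Optional, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
MODES = (b"netascii", b"octet", b"mail")


def parse_tftp(payload: bytes) -> tuple:
    """Return ('RRQ'|'WRQ', filename, mode) or ('ERROR', code, message).
    Raises ValueError for anything else, including DATA/ACK on the control port."""
    if len(payload) < 4:
        raise ValueError("short TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (RRQ, WRQ):
        fields = payload[2:].split(b"\x00")
        # filename NUL mode NUL [option NUL value NUL ...]; last split element must be empty
        if len(fields) < 3 or fields[-1] != b"" or not fields[0]:
            raise ValueError("malformed request")
        mode = fields[1].lower()
        if mode not in MODES:
            raise ValueError("unknown transfer mode %r" % mode)
        kind = "RRQ" if opcode == RRQ else "WRQ"
        return kind, fields[0].decode("ascii", "replace"), mode.decode("ascii")
    if opcode == ERROR:
        (code,) = struct.unpack("!H", payload[2:4])
        return "ERROR", code, payload[4:].split(b"\x00")[0].decode("ascii", "replace")
    raise ValueError("opcode %d not expected on the TFTP control port" % opcode)


def pinhole_for_request(client: Tuple[str, int], server_ip: str, payload: bytes) -> Optional[dict]:
    """Return the pinhole to open for a valid RRQ/WRQ, or None when nothing
    should be opened (ERROR, malformed request, or wrong opcode)."""
    try:
        kind, name, mode = parse_tftp(payload)
    except ValueError:
        return None
    if kind not in ("RRQ", "WRQ"):
        return None
    return {"proto": "udp", "src": (server_ip, None),   # None: any server source port
            "dst": client, "file": name, "mode": mode}


if __name__ == "__main__":
    # Constructed request: client 10.1.1.5:40000 reads firmware.bin from 192.0.2.1
    print(pinhole_for_request(("10.1.1.5", 40000), "192.0.2.1", b"\x00\x01firmware.bin\x00octet\x00"))
```

Because the server's source port is unknown until its first DATA or ACK arrives, the pinhole has to be wildcarded on that side; a stateful implementation narrows it to the actual port once the first reply is seen and tears it down when the transfer ends or idles out.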
CH AP TE R 12 Configuring Inspection for Voice and Video Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Limitations and Restrictions The following summarizes limitations that apply when using CTIQBE application inspection: • CTIQBE application inspection does not support configurations with the alias command. • Stateful failover of CTIQBE calls is not supported. • Debugging CTIQBE inspection may delay message transmission, which may have a performance impact in a real-time environment.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection H.323 Inspection Overview H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The ASA supports H.323 through Version 6, including H.323 v3 feature Multiple Calls on One Call Signaling Channel. With H.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection After inspecting the H.225 messages, the ASA opens the H.245 channel and then inspects traffic sent over the H.245 channel as well. All H.245 messages passing through the ASA undergo H.245 application inspection, which translates embedded IP addresses and opens the media channels negotiated in H.245 messages. The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection • Not supported with dynamic NAT or PAT. • Not supported with extended PAT. • Not supported with NAT between same-security-level interfaces. • Not supported with outside NAT. • Not supported with NAT64. • When a NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that is also registered with the H.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection • Edit—Edits an H.323 class map. • Delete—Deletes an H.323 class map. Add/Edit H.323 Traffic Class Map Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map The Add/Edit H.323 Traffic Class Map dialog box lets you define a H.323 class map. Fields • Name—Enter the name of the H.323 class map, up to 40 characters in length. • Description—Enter the description of the H.323 class map.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • Media Type Criterion Values—Specifies which media type to match. – Audio—Match audio type. – Video—Match video type. – Data—Match data type. H.323 Inspect Map Configuration > Global Objects > Inspect Maps > H.323 The H.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Call Party Number Enabled Call duration Limit 1:00:00 RTP conformance enforced Limit payload to audio or video, based on the signaling exchange: yes – Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters. – Customize—Opens the Add/Edit H.323 Policy Map dialog box for additional settings. – Default Level—Sets the security level back to the default level of Medium.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Note • You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0.
Chapter 12 Configuring Inspection for Voice and Video Protocols H.323 Inspection Add/Edit HSI Group Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View > Add/Edit HSI Group The Add/Edit HSI Group dialog box lets you configure HSI Groups. Fields • Group ID—Enter the HSI group ID. • IP Address—Enter the HSI IP address. • Endpoints—Lets you configure the IP address and interface of the endpoints. – IP Address—Enter an endpoint IP address.
Chapter 12 Configuring Inspection for Voice and Video Protocols MGCP Inspection – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • Media Type Criterion Values—Specifies which media type to match. – Audio—Match audio type. – Video—Match video type. – Data—Match data type. • Multiple Matches—Specifies multiple matches for the H.323 inspection.
Configuring Inspection for Voice and Video Protocols MGCP Inspection Note To avoid policy failure when upgrading from ASA version 7.1, all layer 7 and layer 3 policies must have distinct names. For instance, a previously configured policy map with the same name as a previously configured MGCP map must be changed before the upgrade. MGCP messages are transmitted over UDP.
Chapter 12 Configuring Inspection for Voice and Video Protocols MGCP Inspection • RestartInProgress The first four commands are sent by the call agent to the gateway. The Notify command is sent by the gateway to the call agent. The gateway may also send a DeleteConnection. The registration of the MGCP gateway with the call agent is achieved by the RestartInProgress command. The AuditEndpoint and the AuditConnection commands are sent by the call agent to the gateway.
Chapter 12 Configuring Inspection for Voice and Video Protocols MGCP Inspection Gateways and Call Agents Configuration > Global Objects > Inspect Maps > MGCP > Gateways and Call Agents The Gateways and Call Agents dialog box lets you configure groups of gateways and call agents for the map. Fields • Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID.
Chapter 12 Configuring Inspection for Voice and Video Protocols RTSP Inspection – Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
Chapter 12 Configuring Inspection for Voice and Video Protocols RTSP Inspection • Using RealPlayer, page 12-17 • Restrictions and Limitations, page 12-18 • Select RTSP Map, page 12-18 • RTSP Inspect Map, page 12-18 • Add/Edit RTSP Policy Map, page 12-19 • RTSP Class Map, page 12-19 • Add/Edit RTSP Traffic Class Map, page 12-20 RTSP Inspection Overview The RTSP inspection engine lets the ASA pass RTSP packets.
Chapter 12 Configuring Inspection for Voice and Video Protocols RTSP Inspection Restrictions and Limitations The following restrictions apply to RTSP inspection. • The ASA does not support multicast RTSP or RTSP messages over UDP. • The ASA does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages. • The ASA cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages.
Chapter 12 Configuring Inspection for Voice and Video Protocols RTSP Inspection Add/Edit RTSP Policy Map Configuration > Global Objects > Inspect Maps > RTSP > RTSP Inspect Map > View The Add/Edit RTSP Policy Map pane lets you configure the parameters and inspections settings for RTSP application inspection maps. Fields • Name—When adding an RTSP map, enter the name of the RTSP map. When editing an RTSP map, the name of the previously configured RTSP map is shown.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Criterion—Shows the criterion of the RTSP class map. – Value—Shows the value to match in the RTSP class map. • Description—Shows the description of the class map. • Add—Adds a RTSP class map. • Edit—Edits a RTSP class map. • Delete—Deletes a RTSP class map.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection • SIP Inspection Overview, page 12-21 • SIP Instant Messaging, page 12-22 • Select SIP Map, page 12-22 • SIP Class Map, page 12-23 • Add/Edit SIP Traffic Class Map, page 12-24 • Add/Edit SIP Match Criterion, page 12-24 • SIP Inspect Map, page 12-26 • Add/Edit SIP Policy Map (Security Level), page 12-27 • Add/Edit SIP Policy Map (Details), page 12-28 • Add/Edit SIP Inspect, page 12-30 • SIP Inspection Overvi
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection SIP Instant Messaging Instant Messaging refers to the transfer of messages between users in near real-time. SIP supports the Chat feature on Windows XP using Windows Messenger RTC Client version 4.7.0105 only.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection The Select SIP Map dialog box lets you select or create a new SIP map. A SIP map lets you change the configuration values used for SIP application inspection. The Select SIP Map table provides a list of previously configured maps that you can select for application inspection. Fields • Use the default SIP inspection map—Specifies to use the default SIP map.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection Fields • Name—Shows the SIP class map name. • Match Conditions—Shows the type, match criterion, and value in the class map. – Match Type—Shows the match type, which can be a positive or negative match. – Criterion—Shows the criterion of the SIP class map. – Value—Shows the value to match in the SIP class map. • Description—Shows the description of the class map. • Add—Adds a SIP class map.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Message Path—Match the SIP Via header. – Request Method—Match the SIP request method. – Third-Party Registration—Match the requester of a third-party registration. – URI Length—Match a URI in the SIP headers, between 0 and 65536. • Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match. – Regular Expression—Lists the defined regular expressions to match.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection • Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match. – Regular Expression—Lists the defined regular expressions to match. – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. – Regular Expression Class—Lists the defined regular expression classes to match.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide server’s and endpoint’s IP addresses: Disabled. Mask software version and non-SIP URIs: Disabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Not enforced. SIP conformance: Do not perform state checking and header validation. – Medium SIP instant messaging (IM) extensions: Enabled.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Low—Default. SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide server’s and endpoint’s IP addresses: Disabled. Mask software version and non-SIP URIs: Disabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Not enforced. SIP conformance: Do not perform state checking and header validation.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection • Description—Enter the description of the SIP map, up to 200 characters in length. • Security Level—Shows the security level settings to configure • Filtering—Tab that lets you configure the filtering settings for SIP. – Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Default is enabled. – Permit non-SIP traffic on SIP port—Permits non-SIP traffic on SIP port. Permitted by default.
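Three of the filtering settings above can be exercised on a raw SIP message: "Permit non-SIP traffic on SIP port", "Ensure that the number of hops to destination is greater than 0" (the Max-Forwards header), and "Mask software version and non-SIP URIs" (User-Agent/Server text and the http URIs in Alert-Info/Call-Info). The Python below is an added example for this page, not ASA code; the header sets it masks, the URI length limit and the sample INVITE are this example's assumptions.

```python
"""Three SIP inspect-map checks applied to one raw SIP message: reject non-SIP
traffic on the SIP port (unless permitted), require Max-Forwards > 0 when the
header is present, and mask software version and non-SIP URI header values.
Added example, not ASA code."""
import re
from typing import Optional, Tuple

SIP_METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS", b"REGISTER", b"PRACK",
               b"SUBSCRIBE", b"NOTIFY", b"PUBLISH", b"INFO", b"REFER", b"MESSAGE", b"UPDATE"}
VERSION_HEADERS = {b"user-agent", b"server"}         # "Mask software version ..."
NON_SIP_URI_HEADERS = {b"alert-info", b"call-info"}  # "... and non-SIP URIs" (assumed header set)
MAX_URI_LENGTH = 256                                 # assumed "URI Length" criterion value

_REQUEST = re.compile(rb"^([A-Z]+) (\S+) SIP/2\.0$")
_RESPONSE = re.compile(rb"^SIP/2\.0 \d{3}( .*)?$")
_BRACKETED = re.compile(rb"<[^>]*>")


def inspect_sip(raw: bytes, permit_non_sip: bool = False) -> Tuple[Optional[str], bytes]:
    """Return (violation, message). violation is None when the message passes;
    the returned message then has sensitive header values masked. On a
    violation the original bytes are returned unchanged."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    req = _REQUEST.match(lines[0])
    if not ((req and req.group(1) in SIP_METHODS) or _RESPONSE.match(lines[0])):
        return (None if permit_non_sip else "non-sip"), raw
    if req and len(req.group(2)) > MAX_URI_LENGTH:
        return "uri-length", raw
    out = [lines[0]]
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return "malformed", raw
        key, value = name.strip().lower(), value.strip()
        if key == b"max-forwards" and (not value.isdigit() or int(value) == 0):
            return "max-forwards", raw               # hops to destination must be > 0
        if key in VERSION_HEADERS:
            value = b"*" * len(value)
        elif key in NON_SIP_URI_HEADERS:
            value = _BRACKETED.sub(lambda m: b"<" + b"*" * (len(m.group(0)) - 2) + b">", value)
        out.append(name.strip() + b": " + value)
    return None, b"\r\n".join(out) + sep + body


if __name__ == "__main__":
    # Constructed INVITE, not captured traffic.
    invite = (b"INVITE sip:bob@example.test SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
              b"Max-Forwards: 70\r\n"
              b"User-Agent: SoftPhone/1.2.3\r\n"
              b"Alert-Info: <http://www.example.test/sounds/ring.wav>\r\n"
              b"Content-Length: 0\r\n\r\n")
    print(inspect_sip(invite))
```

Masking keeps the header present but unreadable, so a phone that insists on a User-Agent header still works while an outside party can no longer fingerprint the PBX or phone firmware from the version string; the Max-Forwards check is a cheap defence against loop-amplification through a proxy chain.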
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Add—Opens the Add SIP Inspect dialog box to add a SIP inspection. – Edit—Opens the Edit SIP Inspect dialog box to edit a SIP inspection. – Delete—Deletes a SIP inspection. – Move Up—Moves an inspection up in the list. – Move Down—Moves an inspection down in the list.
Chapter 12 Configuring Inspection for Voice and Video Protocols SIP Inspection – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. • Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified. – Greater Than Length—Enter a header length value in bytes.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection • URI Length Criterion Values—Specifies to match a URI in the SIP headers greater than specified length. – URI type—Specifies to match either SIP URI or TEL URI. – Greater Than Length—Length in bytes. • Multiple Matches—Specifies multiple matches for the SIP inspection. – SIP Traffic Class—Specifies the SIP traffic class match.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration. The ASA also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Select SCCP (Skinny) Map Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SCCP Map The Select SCCP (Skinny) Map dialog box lets you select or create a new SCCP (Skinny) map. An SCCP (Skinny) map lets you change the configuration values used for SCCP (Skinny) application inspection.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Minimum prefix length: 4. Media timeout: 00:05:00. Signaling timeout: 01:00:00. RTP conformance: Not enforced. – Medium Registration: Not enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No. – High Registration: Enforced. Maximum message ID: 0x141.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection • Delete—Deletes a message ID filter. • Move Up—Moves an entry up in the list. • Move Down—Moves an entry down in the list.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection Limit payload to audio or video, based on the signaling exchange: Yes. – Message ID Filtering—Opens the Messaging ID Filtering dialog box for configuring message ID filters. – Default Level—Sets the security level back to the default. • Details—Shows additional parameter, RTP conformance, and message ID filtering settings to configure.
Chapter 12 Configuring Inspection for Voice and Video Protocols Skinny (SCCP) Inspection – Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter. – Delete—Deletes a message ID filter. – Move Up—Moves an entry up in the list. – Move Down—Moves an entry down in the list.
CH AP TE R 13 Configuring Inspection of Database and Directory Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
Chapter 13 Configuring Inspection of Database and Directory Protocols SQL*Net Inspection During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.
Chapter 13 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet. SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload.
Chapter 13 Configuring Inspection of Database and Directory Protocols Sun RPC Inspection The Configuration > Firewall > Advanced > SUNRPC Server pane shows which SunRPC services can traverse the ASA and their specific timeout, on a per server basis. Fields • Interface—Displays the interface on which the SunRPC server resides. • IP address—Displays the IP address of the SunRPC server. • Mask—Displays the subnet mask of the IP Address of the SunRPC server.
CH AP TE R 14 Configuring Inspection for Management Application Protocols This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.
Chapter 14 Configuring Inspection for Management Application Protocols DCERPC Inspection This typically involves a client querying a server called the Endpoint Mapper listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service.
Chapter 14 Configuring Inspection for Management Application Protocols DCERPC Inspection DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and Port number are received from the applicable EPM response messages.
Chapter 14 Configuring Inspection for Management Application Protocols GTP Inspection Endpoint mapper service: not enforced Endpoint mapper service lookup: enabled Endpoint mapper service lookup timeout: 00:05:00 – Medium—Default. Pinhole timeout: 00:01:00 Endpoint mapper service: not enforced Endpoint mapper service lookup: disabled.
GTP Inspection Overview
GPRS provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet. The GGSN is the interface between the GPRS wireless data network and other networks. The SGSN performs mobility, data session management, and data compression (see Figure 14-1).
The Select GTP Map dialog box lets you select or create a new GTP map. A GTP map lets you change the configuration values used for GTP application inspection. The Select GTP Map table provides a list of previously configured maps that you can select for application inspection. GTP inspection requires a special license.
• Default Level—Sets the security level back to the default.
IMSI Prefix Filtering
Configuration > Global Objects > Inspect Maps > GTP > IMSI Prefix Filtering
The IMSI Prefix tab lets you define the IMSI prefix to allow within GTP requests.
Fields
• Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code.
Add/Edit GTP Policy Map (Details)
Configuration > Global Objects > Inspect Maps > GTP > GTP Inspect Map > Advanced View
The Add/Edit GTP Policy Map pane lets you configure the security level and additional settings for GTP application inspection maps.
Fields
• Name—When adding a GTP map, enter the name of the GTP map. When editing a GTP map, the name of the previously configured GTP map is shown.
Signaling—Lets you change the default for the maximum period of inactivity before GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
Tunnel—Lets you change the default for the maximum period of inactivity for the GTP tunnel. The default is 1 hour.
– Message Length—Match on the message length.
– Version—Match on the version.
• Access Point Name Criterion Values—Specifies an access point name to be matched. By default, all messages with valid APNs are inspected, and any APN is allowed.
– Regular Expression—Lists the defined regular expressions to match.
RADIUS Accounting Inspection
• Select RADIUS Accounting Map, page 14-11
• Add RADIUS Accounting Policy Map, page 14-11
• RADIUS Inspect Map, page 14-12
• RADIUS Inspect Map Host, page 14-12
• RADIUS Inspect Map Other, page 14-13
RADIUS Accounting Inspection Overview
One of the well-known problems is the over-billing attack in GPRS networks.
Fields
• Name—Enter the name of the previously configured RADIUS accounting map.
• Description—Enter the description of the RADIUS accounting map, up to 100 characters in length.
• Host Parameters tab:
– Host IP Address—Specify the IP address of the host that is sending the RADIUS messages.
– Key: (optional)—Specify the key.
– Add—Adds the host entry to the Host table.
Fields
• Name—Shows the name of the previously configured RADIUS accounting map.
• Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.
• Host Parameters—Lets you configure host parameters.
– Host IP Address—Specify the IP address of the host that is sending the RADIUS messages.
– Key: (optional)—Specify the key.
• Add—Adds the host entry to the Host table.
SNMP Inspection
• “Select SNMP Map” section on page 14-14
• “SNMP Inspect Map” section on page 14-14
SNMP Inspection Overview
SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The ASA can deny SNMP versions 1, 2, 2c, or 3.
The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.
Fields
• SNMP Map Name—Defines the name of the application inspection map.
• SNMP version 1—Enables application inspection for SNMP version 1.
• SNMP version 2 (party based)—Enables application inspection for SNMP version 2.
PART 5 Configuring Unified Communications
Chapter 15 Information About Cisco Unified Communications Proxy Features
This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
Information About the Adaptive Security Appliance in Cisco Unified Communications
TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling
End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, which can compromise access control and threat prevention security functions.
TLS Proxy Applications in Cisco Unified Communications
The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.
Licensing for Cisco Unified Communications Proxy Features
For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The ASA is between a Cisco UMA client and a Cisco UMA server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the use of an imported PKCS-12 certificate for server proxy during the handshake with the client.
Model | License Requirement (1)
ASA 5512-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X | Base License: 2 sessions.
Table 15-2 shows the default and maximum TLS session details by platform.
Chapter 16 Using the Cisco Unified Communication Wizard
This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
Information about the Cisco Unified Communication Wizard
The wizard simplifies the configuration of the Unified Communications proxies in the following ways:
• You enter all required data in the wizard steps. You are not required to navigate various ASDM screens to configure the Unified Communications proxies.
Licensing Requirements for the Unified Communication Wizard
Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Supports IPv6 addresses.
Configuring the Phone Proxy by using the Unified Communication Wizard
Note Any configuration created by the wizard should be maintained through the wizard to ensure proper synchronization. For example, if you create a phone proxy configuration through the UC wizard and then modify the configuration outside of the wizard, the rest of the wizard configuration is not updated, and the wizard configuration is not synchronized.
Step 2 Specify each entity in the network (all Cisco UCM and TFTP servers) that the IP phones must trust. Click Add to add the servers. See Configuring Servers for the Phone Proxy, page 16-6. To modify the configuration of a server already added to the configuration, select the server in the table and click Edit. The Edit Server dialog appears.
statements, you must delete them manually by using the appropriate area of ASDM or rerun the Unified Communications wizard without making any changes and apply the configuration to remove these statements.
Selecting the Use interface IP radio button configures the server to use the IP address of the public interface. You select the public interface in step 4 of the wizard when you configure the public network for the phone proxy. If the Use interface IP radio button is selected, you must specify port translation settings in the Voice and TFTP sections.
See also the Cisco Unified Communications Manager Security Guide for information on using the Certificate Authority Proxy Function (CAPF) to install a locally significant certificate (LSC). If your network includes Cisco IP Communicators (CIPC) or you have LSC-enabled IP phones, you must import the CAPF certificate from the Cisco UCM.
• PC Port
• Voice VLAN access
• Gratuitous ARP
• Span to PC Port
Step 3 To configure address translation for IP phones, check the Enable address translation for IP phones check box. Select whether to use the IP address of the ASA private interface (which you selected in step 2 of the wizard) or enter an IP address.
Configuring the Mobility Advantage by using the Unified Communication Wizard
Step 1 In the field for the private IP address, enter the IP address on which private media traffic terminates. The IP address must be within the same subnet as the private interface IP address. The correct subnet range is provided to the right of the field for the private IP address.
Configuring the Topology for the Cisco Mobility Advantage Proxy
When configuring the Mobility Advantage Proxy, you specify settings to define the private and public network topology, such as the private and public network interfaces, and the private and public IP addresses of the Cisco Mobility Advantage server.
• When using the wizard to configure the Cisco Mobility Advantage proxy, the wizard only supports installing self-signed certificates.
Step 2 Export the identity certificate generated by the wizard for the ASA. See Exporting an Identity Certificate, page 16-23.
Step 3 In the Unified MA Server’s Certificate area, click Install Unified MA Server’s Certificate.
Configuring the Presence Federation Proxy by using the Unified Communication Wizard
Note The Unified Communication Wizard is supported for the ASA version 8.3(1) and later.
To configure the Cisco Unified Presence proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens.
Step 3 In the FQDN field, enter the domain name for the Unified Presence server. This domain name is included in the certificate signing request that you generate later in this wizard.
Step 4 In the Public Network area, choose the interface of the public network from the drop-down list.
Configuring the UC-IME by using the Unified Communication Wizard
For the TLS handshake, the two entities, namely the local entity and a remote entity, can validate the peer certificate via a certificate chain to trusted third-party certificate authorities. The local entity and the remote entity enroll with the CAs. The ASA as the TLS proxy must be trusted by both the local and remote entities.
To configure the Cisco Intercompany Media Engine Proxy by using ASDM, choose Wizards > Unified Communication Wizard from the menu. The Unified Communication Wizard opens. From the first page, select the Cisco Intercompany Media Engine Proxy option under the Business-to-Business section and click Next.
Step 2 Click Next.
Basic Deployment
In a basic deployment, the Cisco Intercompany Media Engine Proxy sits in-line with the Internet firewall such that all Internet traffic traverses the ASA. In this deployment, a single Cisco UCM or a Cisco UCM cluster is centrally deployed within the enterprise, along with a Cisco Intercompany Media Engine server (and perhaps a backup).
Step 1 To configure the Cisco Intercompany Media Engine Proxy as part of a basic deployment, select the interface that connects to the local Cisco Unified Communications servers.
Or
To configure the Cisco Intercompany Media Engine Proxy as part of an off-path deployment, complete the following steps:
a.
Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy
You must include an entry for each Cisco UCM in the cluster with Cisco Intercompany Media Engine Proxy that has a SIP trunk enabled.
Step 1 Enter the private IP address and port number (in the range 5000-6000) for the Cisco UCM server.
Configuring the Local-Side Certificates for the Cisco Intercompany Media Engine Proxy
Completing this step of the wizard generates a self-signed certificate for the ASA. The server proxy certificate is automatically generated using the subject name provided in an earlier step of this wizard. The wizard supports using self-signed certificates only.
Configuring the Remote-Side Certificates for the Cisco Intercompany Media Engine Proxy
Establishing a trust relationship across enterprises or across administrative domains is key. Across enterprises, you must use a trusted third-party CA (such as VeriSign). The ASA obtains a certificate with the FQDN of the Cisco Unified Communications Manager server (certificate impersonation).
Working with Certificates in the Unified Communication Wizard
This section includes the following topics:
• Exporting an Identity Certificate, page 16-23
• Installing a Certificate, page 16-23
• Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy, page 16-24
• Saving the Identity Certificate Request, page 16-25
• Installing the ASA Identity Certificat
Presence Federation server, and the Cisco Unified Communications Manager servers, respectively, on the ASA. See the documentation for each of these products for information about obtaining the identity certificates from each.
• Remote Presence Federation servers for the Cisco Presence Federation Proxy
• The remote ASA for the Cisco Intercompany Media Engine Proxy
Before generating the CSR, you can enter additional parameters. When configuring a Unified Communications proxy by using the wizard, you click the Generate CSR button while in the client-side or remote-side certificate management step of the wizard.
Submit the CSR to the certificate authority (CA), for example, by pasting the CSR text into the CSR enrollment page on the CA website. When the CA returns the signed identity certificate, rerun the Unified Communications Wizard. From the client-side or remote-side certificate management step of the wizard, click Install ASA’s Identity Certificate.
Typically, a certificate authority returns two certificates: your signed identity certificate and the certificate authority’s certificate (referred to as the root certificate). The root certificate from the certificate authority is used to sign other certificates.
Chapter 17 Configuring the Cisco Phone Proxy
This chapter describes how to configure the ASA for the Cisco Phone Proxy feature.
Information About the Cisco Phone Proxy
[Figure 17-1 Phone Proxy Secure Deployment. Figure labels: Enterprise; Trusted / Inside / Un-Secured (Internal IP phone, TCP/RTP, unencrypted signaling); ASA; Internet; Un-trusted / Outside / Secured (TLS/SRTP, encrypted signaling, Remote IP phone behind Home Router w/NAT).]
The phone proxy supports a Cisco UCM cluster in mixed mode or nonsecure mode.
Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP phone user and each user enters the password on the remote IP phones to retrieve the LSC.
Licensing Requirements for the Phone Proxy
• Cisco Unified IP Phone 7941G-GE
• Cisco Unified IP Phone 7940 (SCCP protocol support only)
• Cisco Unified Wireless IP Phone 7921
• Cisco Unified Wireless IP Phone 7925
Note To support Cisco Unified Wireless IP Phone 7925, you must also configure MIC or LSC on the IP phone so that it properly works with the phone proxy.
Model | License Requirement (1)
ASA 5512-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5515-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, or 500 sessions.
ASA 5525-X | Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5545-X | Base License: 2 sessions.
Prerequisites for the Phone Proxy
For more information about licensing, see Chapter 5, “Managing Feature Licenses,” in the general operations configuration guide.
• For IP phones behind a router or gateway, you must also meet this prerequisite. On the router or gateway, add routes to the media termination address on the ASA interface that the IP phones communicate with so that the phone can reach the media termination address.
Certificates from the Cisco UCM
Import the following certificates, which are stored on the Cisco UCM.
If NAT is configured for the TFTP server or Cisco UCMs, the translated “global” address must be used in the ACLs.
Prerequisites for IP Phones on Multiple Interfaces
When IP phones reside on multiple interfaces, the phone proxy configuration must have the correct IP address set for the Cisco UCM in the CTL file.
• The phone must be configured to use only the SCCP protocol because the SIP protocol does not support encryption on these IP phones.
• If LSC provisioning is done via the phone proxy, you must add an ACL to allow the IP phones to register with the Cisco UCM on the nonsecure port 2000.
Rate Limiting Configuration Example
The following example describes how you configure rate limiting for TFTP requests by using the police command and the Modular Policy Framework. Begin by determining the conformance rate that is required for the phone proxy.
Phone Proxy Guidelines and Limitations
Note As an alternative to authenticating remote IP phones through the TLS handshake, you can configure authentication via LSC provisioning. With LSC provisioning you create a password for each remote IP phone user and each user enters the password on the remote IP phones to retrieve the LSC.
format: SEP.cnf.xml. If the device name does not follow this format (SEP), CIPC cannot retrieve its configuration file from Cisco UCM via the phone proxy and CIPC will not function.
• The phone proxy does not support IP phones sending SCCP video messages using Cisco VT Advantage because SCCP video messages do not support SRTP keys.
Configuring the Phone Proxy
• If you decide to configure a media-termination address on interfaces (rather than using a global interface), you must configure a media-termination address on at least two interfaces (the inside and an outside interface) before applying the phone-proxy service policy. Otherwise, you will receive an error message when enabling the Phone Proxy with SIP and Skinny Inspection.
Creating the CTL File
Create a Certificate Trust List (CTL) file that is required by the Phone Proxy. Specify the certificates needed by creating a new CTL file or by specifying the path of an existing CTL file to parse from Flash memory. Create trustpoints and generate certificates for each entity in the network (CUCM, CUCM and TFTP, TFTP server, CAPF) that the IP phones must trust. The certificates are used in creating the CTL file.
Because the Phone Proxy generates the CTL file, it needs to create the System Administrator Security Token (SAST) key to sign the CTL file itself. This key can be generated on the ASA. A SAST is created as a self-signed certificate. Typically, a CTL file contains more than one SAST. In case a SAST is not recoverable, the other one can be used to sign the file later.
Step 5 Click Apply to save the CTL file configuration settings.
Step 6 (Optional) In the Domain Name field, specify the domain name of the trustpoint used to create the DNS field for the trustpoint. This is appended to the Common Name field of the Subject DN to create the DNS Name. The domain name should be configured when the FQDN is not configured for the trustpoint. Only one domain name can be specified.
Step 4 Specify the minimum and maximum values for the RTP port range for the media termination instance. The minimum port and the maximum port can be a value from 1024 to 65535.
Step 5 Click Apply to save the media termination address configuration settings.
Creating the Phone Proxy Instance
Create the phone proxy instance.
Step 6
Step 7 To create a new CTL file for the Phone Proxy, click the link Generate Certificate Trust List File. The Create a Certificate Trust List (CTL) File pane opens. See the “Creating the CTL File” section on page 17-15.
The IP address you enter should be the global IP address based on where the IP phone and HTTP proxy server are located. You can enter a hostname in the IP Address field when that hostname can be resolved to an IP address by the ASA (for example, DNS lookup is configured) because the ASA will resolve the hostname to an IP address. If a port is not specified, the default will be 8080.
c.
Note If NAT is configured for the TFTP server, the NAT configuration must be configured prior to specifying the TFTP server while creating the Phone Proxy instance.
Step 4 In the TFTP Server IP Address field, specify the address of the TFTP server. Create the TFTP server using the actual internal IP address.
Step 5 (Optional) In the Port field, specify the port on which the TFTP server is listening for TFTP requests.
Table 17-2 Port Forwarding Values to Add to Router
Application | Start | End | Protocol | IP Address | Enabled
IP phone | 1024 | 65535 | UDP | Phone IP address | Checked
TFTP | 69 | 69 | UDP | Phone IP address | Checked
Step 4 Click Save Settings. Port forwarding is configured.
Feature History for the Phone Proxy
Table 17-3 lists the release history for this feature.
CH AP TE R 18 Configuring the TLS Proxy for Encrypted Voice Inspection This chapter describes how to configure the ASA for the TLS Proxy for Encrypted Voice Inspection feature.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection Information about the TLS Proxy for Encrypted Voice Inspection Figure 18-1 TLS Proxy Flow Cisco IP Phone Cisco ASA Cisco CallManager M IP Client Hello (Proxy) Server Hello (Proxy) Server Certificate (Proxy) Server Key Exchange Certificate Request (Proxy) Server Hello Done Client Certificate Client Key Exchange Certificate Verify [Change Cipher Spec] Finished [Change Cipher Spec] Finished (Proxy) Client Hello Server Hello Server Cer
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection Information about the TLS Proxy for Encrypted Voice Inspection proxy, the CTL file must contain the certificate that the security appliance creates for the Cisco UCMs. To proxy calls on behalf of the Cisco IP Phone, the security appliance presents a certificate that the Cisco UCM can verify, which is a Local Dynamic Certificate for the phone, issued by the certificate authority on the security appliance.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection Licensing for the TLS Proxy • Cisco Unified Wireless IP Phone 7925 • Cisco IP Communicator (CIPC) for softphones Licensing for the TLS Proxy The TLS proxy for encrypted voice inspection feature supported by the ASA require a Unified Communications Proxy license. The following table shows the Unified Communications Proxy license details by platform: Note This feature is not available on No Payload Encryption models.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection Licensing for the TLS Proxy Model License Requirement1 ASA 5585-X with SSP-20, -40, or -60 Base License: 2 sessions. ASA SM Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. 2 Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions. 2 1. The following applications use TLS proxy sessions for their connections.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection Prerequisites for the TLS Proxy for Encrypted Voice Inspection Prerequisites for the TLS Proxy for Encrypted Voice Inspection Before configuring TLS proxy, the following prerequisites are required: • You must set clock on the security appliance before configuring TLS proxy. To set the clock manually and display clock, use the clock set and show clock commands.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider • Client Details—Lists the name and IP address of the client. – Interface Name—Lists the defined interface name. – IP Address—Lists the defined interface IP address. • Certificate Name—Lists the certificate to be exported. • Add—Adds a CTL Provider. • Edit—Edits a CTL Provider. • Delete—Deletes a CTL Provider.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider Configure TLS Proxy Pane Note This feature is not supported for the Adaptive Security Appliance version 8.1.2. You can configure the TLS Proxy from the Configuration > Firewall > Unified Communications > TLS Proxy pane.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider Adding a TLS Proxy Instance Note This feature is not supported for the Adaptive Security Appliance version 8.1.2. Use the Add TLS Proxy Instance Wizard to add a TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager and to support the Cisco Unified Communications features on the ASA.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider When the Phone Proxy is operating in a mixed-mode CUCM cluster, you must import the CUCM certificate by clicking Add in the Manage Identify Certificates dialog box. See the “Configuring Identity Certificates Authentication” section on page 40-24 in the general operations configuration guide. • To select an existing certificate, select one from the drop-down list.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider This wizard is available from the Configuration > Firewall > Unified Communications > TLS Proxy pane. Step 1 Complete the first two steps of the Add TLS Proxy Instance Wizard. See Adding a TLS Proxy Instance, page 18-9 and Add TLS Proxy Instance Wizard – Client Configuration, page 18-10. The Add TLS Proxy Instance Wizard – Client Configuration dialog box opens.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring Identity Certificates Authentication” section on page 40-24 in the general operations configuration guide for details about the Key Pair fields. Step 4 In the Security Algorithms area, specify the available and active algorithms to be announced or matched during the TLS handshake.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider For information on the Cisco CTL Client, see “Configuring the Cisco CTL Client” in Cisco Unified CallManager Security Guide. http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/5_0_4/secuauth.html To install the CTL file on the ASA, go to Configuration > Firewall > Unified Communications > CTL Provider > Add. The Add CTL Provider dialog box opens.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider The Manage CA Certificates dialog box opens. See the “Guidelines and Limitations” section on page 40-10 in the general operations configuration guide. Click Add to open the Install Certificate dialog box. See the “Configuring CA Certificate Authentication” section on page 40-12 in the general operations configuration guide.
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection CTL Provider Note When you are configuring the TLS Proxy for the Phone Proxy and it is using the mixed security mode for the CUCM cluster, you must configure the LDC Issuer. The LDC Issuer lists the local certificate authority to issue client or server dynamic certificates. Step 5 To specify an LDC Issuer to use for the TLS Proxy, perform the following.
TLS Proxy
This feature is supported only for ASA versions 8.0.x prior to 8.0.4 and for version 8.1. Note This feature is not supported for the Adaptive Security Appliance versions prior to 8.0.4 and for version 8.1.2. Use the TLS Proxy option to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco CallManager.
Certificate Authority Server—Specifies the certificate authority server. Certificate—Specifies a certificate. Manage—Configures the local certificate authority. To make configuration changes after it has been configured for the first time, disable the local certificate authority.
CHAPTER 19 Configuring Cisco Mobility Advantage
This chapter describes how to configure the ASA for Cisco Unified Communications Mobility Advantage Proxy features.
[Figure 19-1 MMP Stack. Layers: OML; HTTP etc.; MMP; TLS/SSL; TCP; IP]
The TCP/TLS default port is 5443. There are no embedded NAT or secondary connections. Cisco UMA client and server communications can be proxied via TLS, which decrypts the data, passes it to the inspect MMP module, and re-encrypts the data before forwarding it to the endpoint.
The TLS proxy for the Cisco Mobility Advantage solution does not support client authentication because the Cisco UMA client cannot present a certificate.
[Figure 19-2 Security Appliance as Firewall with Mobility Advantage Proxy and MMP Inspection. Labels: Enterprise Services; Mobile Data Network (GPRS Data Channel); Network: Active Directory 10.1.1.0/24; Exchange]
[Figure 19-3 Cisco UMC/Cisco UMA Architecture – Scenario 2: Security Appliance as Mobility Advantage Proxy Only. Labels: Client connects to cuma.example.com (192.0.2.41); Cisco UMC Client; Internet; ISP Gateway; DMZ; Corporate Firewall; Internal Network; IP Address: 172.16.27.41 (DMZ routable)]
Figure 19-4 shows how you can import the Cisco UMA server certificate onto the ASA. When the Cisco UMA server has already enrolled with a third-party CA, you can import the certificate with the private key onto the ASA. Then, the ASA has the full credentials of the Cisco UMA server.
[Figure 19-5 How the Security Appliance Represents Cisco UMA – Certificate Impersonation. Labels: 3rd Party CA (Certificate Authority); Enroll with FQDN of Cisco UMA; Cisco UMA; ASA; Internet; Cisco UMC Client; TLS (ASA Certificate with Cisco UMA FQDN) Key 1; Inspected and Modified (if needed); TLS (Self-signed, or from local CA) Key 2]
A trusted relationship between the ASA and the Cisco UMA se
Task Flow for Configuring Cisco Mobility Advantage
To configure the ASA to perform TLS proxy and MMP inspection as shown in Figure 19-2 and Figure 19-3, perform the following tasks. It is assumed that self-signed certificates are used between the ASA and the Cisco UMA server. To configure the Cisco Mobility Advantage Proxy by using ASDM, choose Wizards > Unified Communications Wizard from the menu.
CHAPTER 20 Configuring Cisco Unified Presence
This chapter describes how to configure the adaptive security appliance for Cisco Unified Presence.
[Figure 20-1 Typical Cisco Unified Presence/LCS Federation Scenario. Labels: Enterprise X; Enterprise Y; private network; DMZ; AD; Cisco UCM; Cisco UP (UK); Cisco UP (HK); Cisco UP (US); Orative (Ann) 192.0.2.1; Routing; Inside; ASA; Outside; Proxy 8.0.4 (Cisco UP); IPPM (Ann); SIP; Internet]
ciscoasa(config-network-object)# nat (inside,outside) static 192.0.2.1 service tcp 5060 5060
For another Cisco UP with the address 10.0.0.
http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Trust Relationship in the Presence Federation
Within an enterprise, a trust relationship can be set up by using self-signed certificates or an internal CA. Establishing a trust relationship across enterprises or across administrative domains is key for federation.
Security Certificate Exchange Between Cisco UP and the Security Appliance
You need to generate the keypair for the certificate (such as cup_proxy_key) used by the ASA, and configure a trustpoint to identify the self-signed certificate sent by the ASA to Cisco UP (such as cup_proxy) in the TLS handshake.
For further information about configuring Cisco Unified Presence Federation for XMPP Federation, see the Integration Guide for Configuring Cisco Unified Presence Release 8.0 for Interdomain Federation: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html
Configuration Requirements for XMPP Federation
For XMPP Federation, ASA acts as a firewall only.
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_ obj_host_ service obj_udp_source_eq_5269 obj_udp_source_eq_5269
n
Model: License Requirement
ASA 5545-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5555-X: Base License: 2 sessions. Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5585-X with SSP-10: Base License: 2 sessions.
ASA 5585-X with SSP-20, -40, or -60: Base License: 2 sessions.
ASA SM: Base License: 2 sessions.
• Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation, page 20-9
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
To configure a Cisco Unified Presence/LCS Federation scenario with the ASA as the TLS proxy where there is a single Cisco UP that is in the local domain and self-signed certificates are used between the Cisco UP and the ASA (like the sc
CHAPTER 21 Configuring Cisco Intercompany Media Engine Proxy
This chapter describes how to configure the ASA for Cisco Intercompany Media Engine Proxy.
• Works with existing phone numbers: Cisco Intercompany Media Engine works with the phone numbers an enterprise currently has and does not require an enterprise to learn new numbers or change providers to use Cisco Intercompany Media Engine.
• Works with existing IP phones: Cisco Intercompany Media Engine works with the existing IP phones within an enterprise.
On successful verification, the terminating side creates a ticket that grants permission to the call originator to make a Cisco IME call to a specific number. See Tickets and Passwords, page 21-3 for information.
[Figure: Ticket Verification Process with Cisco Intercompany Media Engine. Callouts: 1 Enterprise B gets authorization ticket from A at end of validation protocol; 2 UC-IME server passes ticket to UCM and it’s stored as part of VoIP route; 3 Enterprise B calls A and includes tick; 4 ASA validates ticket. Labels: Enterprise A; Enterprise B; UC-IME Server; Internet; Cisco UCM; ASA]
Call Fallback to the PSTN
Cisco Intercompany Media Engine provides features that manage the QoS on the Internet, such as the ability to monitor QoS of the RTP traffic in real-time and fallback to PSTN automatically if problems arise.
• Cisco Intercompany Media Engine (UC-IME) Bootstrap server—Provides a certificate required for admission onto the public peer-to-peer network for Cisco Intercompany Media Engine.
Figure 21-3 illustrates the components of the Cisco Intercompany Media Engine in a basic deployment.
[Figure 21-4 Basic Deployment Scenario. Labels: UC-IME Bootstrap Server; Enterprise A; Enterprise B; Internet; UC-IME Server; SIP Trunk; Cisco UCM; ASA Enabled with UC-IME Proxy; PSTN Gateway; PSTN]
Off Path Deployment
In an off path deployment, inbound and outbound Cisco Intercompany Media Engine
[Figure 21-5 Off Path Deployment of the Adaptive Security Appliance. Labels: Inside Enterprise; DMZ; UC-IME Server; Cisco UCM Cluster; Outside Enterprise; Perimeter Security; UC-IME Bootstrap Server; Internet; Internet Firewall; Intranet Firewall; ASA enabled with UC-IME proxy]
Only UC-IME calls pass through the ASA enabled with the UC-IME proxy.
Model: License Requirement
All models: Intercompany Media Engine license.
When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions up to the configured TLS proxy limit.
• Having Cisco UCMs on more than one of the ASA interfaces is not supported with the Cisco Intercompany Media Engine Proxy. Having the Cisco UCMs on one trusted interface is especially necessary in an off path deployment because the ASA requires that you specify the listening interface for the mapping service and the Cisco UCMs must be connected on one trusted interface.
• Multipart MIME is not supported.
Configuring Cisco Intercompany Media Engine Proxy
This section contains the following topics:
• Task Flow for Configuring Cisco Intercompany Media Engine, page 21-11
• Configuring NAT for Cisco Intercompany Media Engine Proxy, page 21-12
• Configuring PAT for the Cisco UCM Server, page 21-14
• Creating ACLs for Cisco Intercompany Media Engine Proxy, page 21-16
• Creating the Media Termin
Or Configure PAT for the UCM server. See Configuring PAT for the Cisco UCM Server, page 21-14.
Step 2 Create ACLs for Cisco Intercompany Media Engine Proxy. See Creating ACLs for Cisco Intercompany Media Engine Proxy, page 21-16.
Step 3 Create the media termination address instance for Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 21-17.
[Figure 21-7 Example for Configuring NAT for a Deployment. Labels: Local Enterprise; Local Cisco UCMs 192.168.10.30 and 192.168.10.31; Configure NAT: 192.168.10.30 and 192.168.10.31 to 209.165.200.227 and 209.165.200.228; TLS; Corporate Network; Local ASA; Internet; Outside Cisco UCM addresses 209.165.200.227 209.165.200.]
Step 8
hostname(config-network-object)# exit
Exits from the objects configuration mode.
Step 9
hostname(config)# nat (inside,outside) source static real_obj mapped_obj
Examples:
hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.30 ucm_209.165.200.228
hostname(config)# nat (inside,outside) source static ucm_real_192.168.10.31 ucm_209.165.200.
Step 1
hostname(config)# object network name
Example:
hostname(config)# object network ucm-pat-209.165.200.228
Configures a network object for the outside IP address of Cisco UCM that you want to translate.
Step 2
hostname(config-network-object)# host ip_address
Example:
hostname(config-network-object)# host 209.165.200.
Creating ACLs for Cisco Intercompany Media Engine Proxy
To configure ACLs for the Cisco Intercompany Media Engine Proxy to reach the Cisco UCM server, perform the following steps. The example command lines in this task are based on a basic (in-line) deployment. See Figure 21-6 on page 21-11 for an illustration explaining the example command lines in this task.
What to Do Next
Create the media termination instance on the ASA for the Cisco Intercompany Media Engine Proxy. See Creating the Media Termination Instance, page 21-17.
Step 1
hostname(config)# media-termination instance_name
Example:
hostname(config)# media-termination uc-ime-media-term
Creates the media termination instance that you attach to the Cisco Intercompany Media Engine Proxy.
Step 2
hostname(config-media-termination)# address ip_address interface intf_name
Examples:
hostname(config-media-termination)# address 209.165.200.
Note You cannot change any of the configuration settings for the Cisco Intercompany Media Engine Proxy described in this procedure when the proxy is enabled for SIP inspection. Remove the Cisco Intercompany Media Engine Proxy from SIP inspection before changing any of the settings described in this procedure.
Step 1
Step 4
hostname(config-uc-ime)# ticket epoch n password password
Example:
hostname(config-uc-ime)# ticket epoch 1 password password1234
Configures the ticket epoch and password for Cisco Intercompany Media Engine. Where n is an integer from 1-255. The epoch contains an integer that updates each time that the password is changed.
Step 5
(Optional) Specifies the fallback timers for Cisco Intercompany Media Engine.
connections between the local Cisco UCM and the local ASA. The instructions in that task describe how to create trustpoints between the local Cisco UCM and the local ASA.
Prerequisites for Installing Certificates
To create a proxy certificate on the ASA that is trusted by the remote entity, obtain a certificate from a trusted CA or export it from the remote enterprise ASA.
Step 4
hostname(config-ca-trustpoint)# keypair keyname
Example:
hostname(config-ca-trustpoint)# keypair local-ent-key
Specifies the key pair whose public key is to be certified.
Step 5
hostname(config-ca-trustpoint)# enroll terminal
Specifies that you will use the “copy and paste” method of enrollment with this trustpoint (also known as manual enrollment).
Creating the TLS Proxy
Because either enterprise, namely the local or remote Cisco UCM servers, can initiate the TLS handshake (unlike IP Telephony or Cisco Mobility Advantage, where only the clients initiate the TLS handshake), you must configure bidirectional TLS proxy rules. Each enterprise can have an ASA as the TLS proxy.
Step 6
hostname(config-tlsp)# server trust-point proxy_trustpoint
Example:
hostname(config-tlsp)# server trust-point local-ent
For inbound connections, specifies the proxy trustpoint certificate presented during TLS handshake. The certificate must be owned by the adaptive security appliance (identity certificate).
Step 1
hostname(config)# class-map class_map_name
Examples:
hostname(config)# class-map ime-inbound-sip
Defines a class for the inbound Cisco Intercompany Media Engine SIP traffic.
Step 2
hostname(config-cmap)# match access-list access_list_name
Examples:
hostname(config-cmap)# match access-list ime-inbound-sip
Identifies the SIP traffic to inspect.
Step 14
hostname(config-pmap)# exit
Exits from the policy map configuration mode.
Step 15
hostname(config)# service-policy policymap_name global
Examples:
hostname(config)# service-policy ime-policy global
Enables the service policy for SIP inspection for all interfaces. Where policymap_name is the name of the policy map you created in Step 7 of this task.
Step 1
hostname(config)# crypto key generate rsa label key-pair-label
hostname(config)# crypto ca trustpoint trustpoint_name
hostname(config-ca-trustpoint)# enroll self
hostname(config-ca-trustpoint)# keypair keyname
hostname(config-ca-trustpoint)# subject-name x.
Step 6
hostname(config)# crypto ca authenticate trustpoint
Example:
hostname(config)# crypto ca authenticate local-ent-ucm
Imports the certificate from local Cisco UCM. Where trustpoint is the trustpoint for the local Cisco UCM. Paste the certificate downloaded from the local Cisco UCM.
(Optional) Configuring Off Path Signaling
Perform this task only when you are configuring the Cisco Intercompany Media Engine Proxy as part of an off path deployment. You might choose to have an off path deployment when you want to use the Cisco Intercompany Media Engine but do not want to replace your existing Internet firewall with an ASA enabled with the Cisco Intercompany Media Engine Proxy.
Step 5
hostname(config)# uc-ime uc_ime_name
Example:
hostname(config)# uc-ime local-ent-ime
Specifies the Cisco Intercompany Media Engine Proxy that you created in the task Creating the Cisco Intercompany Media Engine Proxy, page 21-18. Where uc_ime_name is the name you specified in Step 1 of Creating the Cisco Intercompany Media Engine Proxy, page 21-18.
Step 2 Check the Enable Cisco UC-IME proxy check box to enable the feature.
Step 3 In the Unified CM Servers area, enter an IP address or hostname for the Cisco Unified Communications Manager (Cisco UCM) or click the ellipsis to open a dialog and browse for an IP address or hostname.
Step 4 In the Trunk Security Mode field, click a security option.
Note
Step 10 In the Fallback area, configure the fallback timer for the Cisco Intercompany Media Engine by specifying the following settings:
a. In the Fallback Sensitivity File field, enter the path to a file in flash memory that the ASA uses for mid-call PSTN fallback. The file name that you enter must be the name of a file on disk that includes the .fbs file extension.
Step 4 Specify the public network settings.
Step 5 Specify the media termination address settings of Cisco UCM.
Step 6 Configure the local-side certificate management, namely the certificates that are exchanged between the local Cisco Unified Communications Manager servers and the ASA.
SIP Trunk URI: 81a985c9-f3a1-55a0-3b19-9654@UCM-30;maddr=192.168.10.30
Codec-name: G722
Payload type: 9
Note If calls are not going through the Cisco Intercompany Media Engine, you can also use the show tls-proxy session command to troubleshoot the success of the TLS handshake between the components in the Cisco Intercompany Media Engine system.
Max_BLS_ms : 0
Max_PDV_usec : 1000
Min_PDV_usec : 0
Mov_avg_PDV_usec : 109
Total_ITE_count : 0
Total_sec_count : 403
Concealed_sec_count : 0
Severely_concealed_sec_count : 0
Max_call_interval_ms : 118
Total_SequenceNumber_Resets : 0
Media-session: 192.168.10.3/30930 :: client ip 10.194.108.119/29824
Call ID: N/A
Lcl RTP conn 192.168.10.3/30930 to 192.168.10.
Feature History for Cisco Intercompany Media Engine Proxy
Table 21-1 lists the release history for this feature.
Table 21-1 Feature History for Cisco Phone Proxy
Feature Name: Cisco Intercompany Media Engine Proxy
Releases: 8.3(1)
Feature Information: The Cisco Intercompany Media Engine Proxy was introduced.
PART 6 Configuring Connection Settings and QoS
CHAPTER 22 Configuring Connection Settings
This chapter describes how to configure connection settings for connections that go through the ASA, or for management connections, that go to the ASA.
TCP Intercept and Limiting Embryonic Connections
Limiting the number of embryonic connections protects you from a DoS attack. The ASA uses the per-client limits and the embryonic connection limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.
TCP Sequence Randomization
Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
fast path (an established connection), or the control plane path (advanced inspection). See the “Stateful Inspection Overview” section on page 1-22 in the general operations configuration guide for more detailed information about the stateful firewall. TCP packets that match existing connections in the fast path can pass through the ASA without rechecking every aspect of the security policy.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent mode.
Failover Guidelines
Failover is supported.
Configuring Connection Settings
This section includes the following topics:
• Customizing the TCP Normalizer with a TCP Map, page 22-6
• Configuring Connection Settings, page 22-8
• Configuring Global Timeouts, page 22-9
Task Flow For Configuring Connection Settings
Step 1 For TCP normalization customization, create a TCP map according to the “Customizing the TCP Normalizer with a TCP Map” section on page 22-6.
If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to be 1 or above for the Timeout to take effect.
Step 5 In the Reserved Bits area, click Clear and allow, Allow only, or Drop. Allow only allows packets with the reserved bits in the TCP header.
Step 8
• Clear Selective Ack—Sets whether the selective-ack TCP option is allowed or cleared.
• Clear TCP Timestamp—Sets whether the TCP timestamp option is allowed or cleared.
• Clear Window Scale—Sets whether the window scale option is allowed or cleared.
• Range—Sets the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound.
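As an added illustration of the reserved-bits and TCP-options settings above (example code written for this page, not ASA code), the following applies a small TCP-map model to a constructed SYN segment. The class and function names are ours; the model assumes the three reserved bits are those directly after the data offset, that a disallowed option is cleared by overwriting it with NOPs, and it does not recompute the TCP checksum.

```python
"""Model of the TCP-map reserved-bits and TCP-options checks (example, not ASA code)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EOL, NOP, MSS, WINDOW_SCALE, SACK_PERMITTED, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8


@dataclass
class TcpMap:
    """The subset of TCP-map settings walked through above (field names are ours)."""
    reserved_bits: str = "clear"   # "clear" = Clear and allow, "allow" = Allow only, "drop" = Drop
    clear_selective_ack: bool = False
    clear_timestamp: bool = False
    clear_window_scale: bool = False
    # valid option-kind ranges; kinds 0-5 and 8 are governed by the settings above
    option_ranges: List[Tuple[int, int]] = field(default_factory=lambda: [(6, 7), (9, 255)])


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split TCP option bytes into (kind, raw option) pairs, validating lengths."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # end of option list: the rest is padding
            out.append((kind, raw[i:]))
            break
        if kind == NOP:
            out.append((kind, raw[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        out.append((kind, raw[i:i + length]))
        i += length
    return out


def _should_clear(kind: int, tmap: TcpMap) -> bool:
    if kind in (EOL, NOP, MSS):
        return False
    if kind in (SACK_PERMITTED, SACK):
        return tmap.clear_selective_ack
    if kind == TIMESTAMP:
        return tmap.clear_timestamp
    if kind == WINDOW_SCALE:
        return tmap.clear_window_scale
    # any other kind is allowed only if a configured range covers it
    return not any(lo <= kind <= hi for lo, hi in tmap.option_ranges)


def normalize(segment: bytes, tmap: TcpMap) -> Tuple[str, Optional[bytes]]:
    """Apply the TCP map to one segment: ("drop", None) or ("allow", segment).

    Cleared options are overwritten with NOPs so the header length and the
    offsets of the remaining options do not change (checksum not recomputed).
    """
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    reserved = (segment[12] >> 1) & 0x7       # the three reserved bits after the data offset
    header = bytearray(segment[:data_offset])
    if reserved:
        if tmap.reserved_bits == "drop":
            return "drop", None
        if tmap.reserved_bits == "clear":
            header[12] &= 0xF1                # "allow" leaves the bits untouched
    options = bytearray()
    for kind, raw in parse_options(bytes(header[20:data_offset])):
        options += bytes([NOP]) * len(raw) if _should_clear(kind, tmap) else raw
    header[20:data_offset] = options
    return "allow", bytes(header) + segment[data_offset:]


def build_syn(options: bytes, reserved: int = 0) -> bytes:
    """Constructed test input: a SYN from port 40000 to 80 carrying `options`."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    byte12 = (data_offset << 4) | ((reserved & 0x7) << 1)
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, byte12, 0x02, 65535, 0, 0) + options


if __name__ == "__main__":
    # MSS 1460, SACK-permitted, NOP, window scale 7, NOP, NOP; reserved bits set to 101
    syn = build_syn(bytes([2, 4, 0x05, 0xB4, 4, 2, 1, 3, 3, 7, 1, 1]), reserved=0b101)
    for tmap in (TcpMap(), TcpMap(reserved_bits="drop"), TcpMap(clear_window_scale=True)):
        action, out = normalize(syn, tmap)
        print(action, out[12:].hex() if out else "-")
```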
Step 5
• Send reset to TCP endpoints before timeout—Specifies that the ASA should send a TCP reset message to the endpoints of the connection before freeing the connection slot.
• Embryonic Connection Timeout—Specifies the idle time until an embryonic (half-open) connection slot is freed. Enter 0:0:0 to disable timeout for the connection. The default is 30 seconds.
• UDP—Modifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes. Enter 0:0:0 to disable timeout.
• ICMP—Modifies the idle time after which general ICMP states are closed.
• H.323—Modifies the idle time until an H.323 media connection closes. The default is 5 minutes. Enter 0:0:0 to disable timeout.
• H.225—Modifies the idle time until an H.
Note When Authentication Absolute = 0, HTTPS authentication may not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is permitted through, but subsequent connections trigger authentication. As a result, users are continuously presented with an authentication page, even after successful authentication.
Table 22-1 Feature History for Connection Settings (continued)
Feature Name: Configurable timeout for PAT xlate
Platform Releases: 8.4(3)
Feature Information: When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new translation, some upstream routers might reject the new connection because the previous connection might still be open on the upstream device.
CHAPTER 23 Configuring QoS
Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals. Those gaps are the time, called the latency, between the arrival of packets being transmitted over the network. Some network traffic, such as voice and video, cannot tolerate long latency times.
Supported QoS Features
The ASA supports the following QoS features:
• Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow. See the “Information About Policing” section on page 23-3 for more information.
For traffic shaping, a token bucket permits burstiness but bounds it. It guarantees that the burstiness is bounded so that the flow will never send faster than the token bucket capacity, divided by the time interval, plus the established rate at which tokens are placed in the token bucket.
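An added illustration of that bound (example code written for this page, not the ASA's shaper): a token bucket delays a constructed 10-packet burst and a checker confirms that no window of the chosen length carries more than capacity + rate × interval bytes. Units (bytes, bytes per second) and all values are constructed.

```python
"""Token-bucket shaper model, added as an illustration (not ASA code).

Constructed units: tokens are bytes, `rate` is bytes per second and `capacity`
is the largest burst in bytes the bucket can hold.
"""
from typing import List, Tuple

Packet = Tuple[float, int]          # (time in seconds, size in bytes)


class TokenBucket:
    def __init__(self, rate: float, capacity: float) -> None:
        if rate <= 0 or capacity <= 0:
            raise ValueError("rate and capacity must be positive")
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity          # bucket starts full: the first burst is free
        self.last = 0.0                 # time at which `tokens` was last updated

    def _refill(self, now: float) -> None:
        # tokens accrue continuously at `rate` but never beyond the bucket size
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def schedule(self, arrival: float, size: int) -> float:
        """Return the departure time of a packet of `size` bytes arriving at `arrival`.

        A shaper delays rather than drops: if the bucket is short, the packet
        waits exactly until the deficit has accrued. Departures stay in FIFO order.
        """
        if size > self.capacity:
            raise ValueError("packet larger than the burst size can never be sent")
        t = max(arrival, self.last)     # cannot depart before the previous packet
        self._refill(t)
        if self.tokens < size:
            t += (size - self.tokens) / self.rate
            self.tokens = float(size)   # exactly enough has accrued by time t
        self.tokens -= size
        self.last = t
        return t


def shape(packets: List[Packet], rate: float, capacity: float) -> List[Packet]:
    """Run a flow through the shaper and return (departure_time, size) per packet."""
    bucket = TokenBucket(rate, capacity)
    return [(bucket.schedule(t, size), size) for t, size in packets]


def max_bytes(rate: float, capacity: float, interval: float) -> float:
    """The bound from the text: within any window of `interval` seconds the flow
    sends at most capacity + rate * interval bytes, i.e. its average rate over
    the window never exceeds capacity / interval + rate."""
    return capacity + rate * interval


def respects_bound(flow: List[Packet], rate: float, capacity: float, interval: float) -> bool:
    """Check every window [start, start + interval) that begins at a departure."""
    limit = max_bytes(rate, capacity, interval) + 1e-9
    for start, _ in flow:
        sent = sum(size for t, size in flow if start <= t < start + interval)
        if sent > limit:
            return False
    return True


if __name__ == "__main__":
    # constructed input: ten 1000-byte packets arriving at once, 1000 B/s, 3000 B burst
    burst = [(0.0, 1000)] * 10
    shaped = shape(burst, rate=1000.0, capacity=3000.0)
    print("unshaped burst within bound:", respects_bound(burst, 1000.0, 3000.0, 2.0))
    print("shaped flow within bound:   ", respects_bound(shaped, 1000.0, 3000.0, 2.0))
    print("departure times:", [t for t, _ in shaped])
```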
Information About Traffic Shaping
Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
Note Traffic shaping is only supported on the ASA 5505, 5510, 5520, 5540, and 5550.
• Traffic shaping must be applied to all outgoing traffic on a physical interface or in the case of the ASA 5505, on a VLAN.
You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. For example, if you configure standard priority queuing for the global policy, and then configure traffic shaping for a specific interface, the feature you configured last is rejected because the global policy overlaps the interface policy.
• (ASA 5512-X through ASA 5555-X) Priority queuing is not supported on the Management 0/0 interface.
• (ASASM) Only policing is supported.
Additional Guidelines and Limitations
• QoS is applied unidirectionally; only traffic that enters (or exits, depending on the QoS feature) the interface to which you apply the policy map is affected. See the “Feature Directionality” section on page 1-2 for more information.
Determining the Queue and TX Ring Limits for a Standard Priority Queue
To determine the priority queue and TX ring limits, use the worksheets below. Table 23-1 shows how to calculate the priority queue size. Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped (called tail drop).
2. Typically, the maximum size is 1538 bytes, or 1542 bytes for tagged Ethernet. If you allow jumbo frames (if supported for your platform), then the packet size might be larger.
3. The delay depends on your application. For example, to control jitter for VoIP, you should use 20 ms.
This option sets the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears. The upper limit of the range of values is determined dynamically at run time. The key determinants are the memory needed to support the queues and the memory available on the device.
Step 4 Click Finish. The service policy rule is added to the rule table.
Step 5 To configure policing, configure a service policy rule for the same interface in the Configuration > Firewall > Service Policy Rules pane according to Chapter 1, “Configuring a Service Policy.” For policing traffic, you can choose to police all traffic that you are not prioritizing, or you can limit the traffic to certain types.
• For traffic shaping, you can only use the class-default class map, which is automatically created by the ASA, and which matches all traffic.
• You cannot configure traffic shaping and standard priority queuing for the same interface; only hierarchical priority queuing is allowed. See the “How QoS Features Interact” section on page 23-4 for information about valid QoS configurations.
• You cannot configure traffic shaping in the global policy.
Chapter 23 Configuring QoS Monitoring QoS • Viewing QoS Standard Priority Queue Statistics, page 23-13 Viewing QoS Police Statistics To view the QoS statistics for traffic policing, use the show service-policy command with the police keyword: ciscoasa# show service-policy police The following is sample output for the show service-policy police command: ciscoasa# show service-policy police Global policy: Service-policy: global_fw_policy Interface outside: Service-policy: qos Class-map: browse police In
Chapter 23 Configuring QoS Monitoring QoS Viewing QoS Shaping Statistics To view statistics for service policies implementing the shape command, use the show service-policy command with the shape keyword: ciscoasa# show service-policy shape The following is sample output for the show service-policy shape command: ciscoasa# show service-policy shape Interface outside Service-policy: shape Class-map: class-default Queueing queue limit 64 packets (queue depth/total drops/no-buffer drops) 0/0/0 (pkts output/
Chapter 23 Configuring QoS Feature History for QoS Priority-Queue Statistics interface test Queue Type Packets Dropped Packets Transmit Packets Enqueued Current Q Length Max Q Length = = = = = = BE 0 0 0 0 0 Queue Type Packets Dropped Packets Transmit Packets Enqueued Current Q Length Max Q Length ciscoasa# = = = = = = LLQ 0 0 0 0 0 In this statistical report, the meaning of the line items is as follows: • “Packets Dropped” denotes the overall number of packets that have been dropped in this queue
Chapter 24 Troubleshooting Connections and Resources
This chapter describes how to troubleshoot the ASA and includes the following sections:
• Testing Your Configuration, page 24-1
• Monitoring Performance, page 24-8
• Monitoring System Resources, page 24-9
• Monitoring Connections, page 24-11
• Monitoring Per-Process CPU Usage, page 24-12
Testing Your Configuration
This section describes how to test connectivity for the single mode ASA or for each security context, how to ping the ASA interf
The diagram should also include any directly connected routers and a host on the other side of the router from which you will ping the ASA. (See Figure 24-1.)
Figure 24-1 Network Diagram with Interfaces, Routers, and Hosts [figure not reproduced: hosts, routers, and the ASA interfaces (outside, dmz, and a transparent ASA) with their IP addresses]
Figure 24-3 Ping Failure Because of IP Addressing Problems [figure not reproduced: host, router, and security appliance]
Step 3 Ping each ASA interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly connected router can route the packet between the host and the ASA, and whether the ASA can correctly route the packet back to the host.
Administrators can use the ASDM Ping interactive diagnostic tool in these ways:
• Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same ASA, as an external loopback test to verify basic “up” status and operation of each interface.
• Pinging to an ASA—The Ping tool can ping an interface on another ASA to verify that it is up and responding.
• Verify that devices in the intermediate communications path, such as switches or routers, are correctly delivering other types of network traffic.
• Make sure that traffic of other types from “known good” sources is being passed. Choose Monitoring > Interfaces > Interface Graphs.
Using the Ping Tool
To use the Ping tool, perform the following steps:
Step 1 In the main ASDM application window, choose Tools > Ping.
Determining Packet Routing with Traceroute
The Traceroute tool helps you to determine the route that packets will take to their destination. The tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following table lists the output symbols printed by this tool.
Output Symbol: Description
*: No response was received for the probe within the timeout period.
Tracing Packets with Packet Tracer
The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as detailed information about the packets and how they are processed by the ASA. If a configuration command did not cause the packet to drop, the packet tracer tool can provide information about the cause in an easily readable format.
• FQDN
• Security Tag
• Security Name
Step 8 Based on the option you selected from the Destination drop-down list, enter the corresponding text for the item you want to trace; for example, enter the source IP address for the packet trace in the Destination IP Address field.
Step 9 For TCP and UDP only, choose the destination port for the packet trace from the drop-down list.
Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected performance statistics to export are already checked.
Step 8 (Optional) Click Export again to display the Save dialog box.
Step 9 (Optional) Click Save to save the performance statistics to a text file (.txt) on your local drive for future reference.
Step 10 (Optional) Click Print to display the Print Graph dialog box.
Step 9 (Optional) Click Save to save the memory block statistics to a text file (.txt) on your local drive for future reference.
Step 10 (Optional) Click Print to display the Print Graph dialog box.
Step 11 (Optional) Choose the graph or table name from the drop-down list, then click Print to display the Print dialog box.
Step 12 (Optional) Click OK to print the selected memory block statistics.
Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click Remove. The available options are the following:
• Free Memory—Displays the ASA free memory.
• Used Memory—Displays the ASA used memory.
You can choose up to four types of statistics to show in one graph window.
• Idle time since the last packet was sent or received
• Amount of sent and received traffic on the connection
Monitoring Per-Process CPU Usage
You can monitor the processes that run on the CPU. You can obtain information about the percentage of CPU that is used by a certain process. CPU usage statistics are sorted in descending order to display the highest consumer at the top.
PART 7 Configuring Advanced Network Protection
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Cisco Cloud Web Security provides web security and web filtering services through the Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use Cloud Web Security services without having to install additional hardware. When Cloud Web Security is enabled on the ASA, the ASA transparently redirects selected HTTP and HTTPS traffic to the Cloud Web Security proxy servers.
This chapter includes the following sections:
• Information About Cisco Cloud Web Security, page 25-2
• Licensing Requirements for Cisco Cloud Web Security, page 25-6
• Prerequisites for Cloud Web Security, page 25-7
• Guidelines and Limitations, page 25-7
• Default Settings, page 25-8
• Configuring Cisco Cloud Web Security, page 25-8
• Monitoring Cloud Web Security, page 25-26
• Related
The ASA supports the following methods of determining the identity of a user, or of providing a default identity:
• AAA rules—When the ASA performs user authentication using a AAA rule, the username is retrieved from the AAA server or local database. Identity from AAA rules does not include group information. If configured, the default group is used.
For more information, see the Cloud Web Security documentation: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html.
ScanCenter Policy
In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security then applies the configured action for the rule.
– AAA usernames, when using RADIUS or TACACS+, are sent in the following format: LOCAL\username
– AAA usernames, when using LDAP, are sent in the following format: domain-name\username
– The default username is sent in the following format: [domain-name\]username
For example, if you configure the default username to be “Guest,” then the ASA sends “Guest.
Bypassing Scanning with Whitelists
If you use AAA rules or IDFW, you can configure the ASA so that web traffic from specific users or groups that otherwise match the service policy rule is not redirected to the Cloud Web Security proxy server for scanning.
Model: All models
License Requirement: Strong Encryption (3DES/AES) License to encrypt traffic between the security appliance and the Cloud Web Security server.
On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify the number of users that the ASA handles. Then log into ScanCenter, and generate your authentication keys.
• When an interface to the Cloud Web Security proxy servers goes down, output from the show scansafe server command shows both servers up for approximately 15-25 minutes. This condition may occur because the polling mechanism is based on the active connection; because that interface is down, it shows zero connections and falls back to the longest poll interval.
• Cloud Web Security is not supported with the ASA CX module.
Detailed Steps
Step 1 Choose Configuration > Device Management > Cloud Web Security.
Step 2 In the Primary Server area, enter the following:
• IP Address/Domain Name—Enter the IPv4 address or FQDN of the primary server.
• HTTP Port—Enter the HTTP port of the primary server (port to which traffic must be redirected).
Step 3
Step 4
Step 5
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context
In multiple context mode, you must allow Cloud Web Security per context. See the “Configuring a Security Context” section on page 8-20 in the general operations configuration guide.
Note You must configure a route pointing to the Scansafe towers in both the admin context and the specific context.
When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially. After you finish adding the rule, you can add additional ACEs by adding a new rule to the same interface or global policy, and then specifying Add rule to existing traffic class on the Traffic Classification dialog box. The Traffic Match - Source and Destination dialog box appears.
a.
Step 4 On the Protocol Inspection tab, check the Cloud Web Security check box.
Step 5 Click Configure to set the traffic action (fail open or fail close) and add the inspection policy map. The inspection policy map configures essential parameters for the rule and also optionally identifies the whitelist.
d. In the Name field, specify a name for the inspection policy map, up to 40 characters in length.
e. (Optional) Enter a description.
f. (Optional) On the Parameters tab, specify a Default User and/or a Default Group. If the ASA cannot determine the identity of the user coming into the ASA, then the default user and/or group is applied.
g.
– Click Add to choose the inspection class map you created in the “(Optional) Configuring Whitelisted Traffic” section on page 25-23. The Add Cloud Web Security Match Criterion dialog box appears.
– From the Cloud Web Security Traffic Class drop-down menu, choose an inspection class map. To add or edit a class map, click Manage.
– For the Action, click Whitelist.
c. On the Traffic Classification Criteria dialog box, choose Add Rule to Existing Traffic Class, and choose the name you created in Step 3. Click Next.
d. In the Traffic Match - Source and Destination dialog box, choose Match to inspect additional traffic, or Do Not Match to exempt traffic from Cloud Web Security inspection.
e. On the Rule Actions dialog box, do not make any changes; click Finish. For this traffic class, you can have only one set of rule actions even if you add multiple ACEs, so the previously specified actions are inherited.
Step 8 Repeat this entire procedure to create an additional traffic class, for example for HTTPS traffic. You can create as many rules and sub-rules as needed.
Step 10 Click Apply.
Examples
The following example exempts all IPv4 HTTP and HTTPS traffic going to 10.6.6.0/24 (test_network), sends all other HTTP and HTTPS traffic to Cloud Web Security, and applies this service policy rule to all interfaces as part of the existing global policy. If the Cloud Web Security server is unreachable, the ASA drops all matching traffic (fail close).
Step 2 Add a new traffic class called “scansafe-http,” and specify an ACL for traffic matching:
Step 3 Choose Match, and specify any4 for the Source and Destination. Specify tcp/http for the Service.
Step 4 Check Cloud Web Security and click Configure.
Step 5 Accept the default Fail Close action, and click Add.
Step 6 Name the inspection policy map “http-map,” set the Default User to Boulder and the Default Group to Cisco. Choose HTTP.
Step 7 Click OK, OK, and then Finish. The rule is added to the Service Policy Rules table.
Step 8 Choose Configuration > Firewall > Service Policy Rules, and click Add > Service Policy Rule.
Step 9 Click Add rule to existing traffic class, and choose scansafe-http.
Step 10 Choose Do not match, set any4 as the Source, and 10.6.6.0/24 as the Destination. Set the Service to tcp/http.
Step 11 Click Finish.
Step 12 Reorder the rules so the Do not match rule is above the Match rule.
User traffic is compared to these rules in order; if this Match rule is first in the list, then all traffic, including traffic to test_network, will match only that rule and the Do not match rule will never be hit. If you move the Do not match rule above the Match rule, then traffic to test_network will match the Do not match rule, and all other traffic will match the Match rule.
Detailed Steps
Step 1 Choose Configuration > Firewall > Objects > Class Maps > Cloud Web Security.
Step 2 Click Add to create a new class map. The Add Cloud Web Security Traffic Class Map screen appears.
Step 3 In the Name field, enter the name of the new class map (40 characters or less).
Step 4 In the Description field, provide a description for the class map (200 characters or less).
Step 11 Click OK to add the class map.
Step 12 Click Apply.
Step 13 Use the whitelist in the Cloud Web Security policy according to the “Configuring a Service Policy to Send Traffic to Cloud Web Security” section on page 25-10.
Repeat for additional groups.
Step 6 After you add the groups you want to monitor, click Apply.
Configuring the Cloud Web Security Policy
After you configure the ASA service policy rules, launch the ScanCenter Portal to configure Web content scanning, filtering, malware protection services, and reports.
Detailed Steps
Go to: https://scancenter.scansafe.com/portal/admin/login.jsp.
Related Documents
Related Documents: URL
Cisco ScanSafe Cloud Web Security Configuration Guides: http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html
Feature History for Cisco Cloud Web Security
Table 25-1 lists each feature change and the platform release in which it was implemented.
Chapter 26 Configuring the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address.
• Botnet Traffic Filter Databases, page 26-2
• How the Botnet Traffic Filter Works, page 26-5
Botnet Traffic Filter Address Types
Addresses monitored by the Botnet Traffic Filter include:
• Known malware addresses—These addresses are on the blacklist identified by the dynamic database and the static blacklist.
• Known allowed addresses—These addresses are on the whitelist.
3. In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs or drops any traffic to that IP address without having to inspect DNS requests.
Database Files
The database files are downloaded from the Cisco update server, and then stored in running memory; they are not stored in flash memory.
When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the ASA.) We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping.
How the Botnet Traffic Filter Works
Figure 26-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.
Figure 26-1 How the Botnet Traffic Filter Works with the Dynamic Database [figure not reproduced; labels: Infected Host, Security Appliance with DNS Reverse Lookup Cache and DNS Snoop, DNS Server, Internet; 1a. Match?, 2 DNS Reply: 209.165.201.3, 3 Connection to: 209., 3a. Match?]
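To make the flow in Figure 26-1 concrete, here is an added example (not Cisco's code) that models the filter's decision path in Python: DNS snooping populates the reverse-lookup cache only for listed domains, static blacklist entries are treated as Very High, the whitelist is consulted first, and a connection is dropped only when its threat level falls within the configured drop range. The database contents, the addresses, and the assumed default drop range of Moderate through Very High are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Threat levels in ascending order, as named in the ASDM drop-action dialog
THREAT_LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass
class BotnetTrafficFilter:
    """Simplified model of the Botnet Traffic Filter (example, not the ASA implementation)."""
    dynamic_blacklist: Dict[str, str]   # domain or IP -> threat level (constructed stand-in for the downloaded database)
    static_blacklist: List[str]         # administrator entries; always Very High
    static_whitelist: List[str]         # administrator entries; matches are logged, never dropped
    drop_range: Tuple[str, str] = ("Moderate", "Very High")   # assumed default drop range
    dns_cache: Dict[str, str] = field(default_factory=dict)   # DNS reverse lookup cache: IP -> domain
    syslog: List[str] = field(default_factory=list)           # simplified message texts

    def lookup(self, name: Optional[str]) -> Optional[Tuple[str, Optional[str]]]:
        """Classify a domain or IP: ('white', None), ('black', level) or None when unlisted.
        The whitelist is checked first so an allowed name never counts as malware."""
        if name is None:
            return None
        if name in self.static_whitelist:
            return ("white", None)
        if name in self.static_blacklist:
            return ("black", "Very High")
        if name in self.dynamic_blacklist:
            return ("black", self.dynamic_blacklist[name])
        return None

    def snoop_dns_reply(self, domain: str, ip: str) -> bool:
        """Steps 1a and 2 in Figure 26-1: when DNS inspection sees a reply for a
        listed domain, remember the IP it resolved to. Unlisted names are not cached."""
        if self.lookup(domain) is None:
            return False
        self.dns_cache[ip] = domain
        return True

    def in_drop_range(self, level: str) -> bool:
        low, high = (THREAT_LEVELS.index(x) for x in self.drop_range)
        return low <= THREAT_LEVELS.index(level) <= high

    def check_connection(self, src: str, dst_ip: str) -> str:
        """Steps 3 and 3a: classify a new connection. Returns 'permit', 'log' or 'drop'.
        The IP itself may be listed directly, which needs no DNS snooping at all."""
        domain = self.dns_cache.get(dst_ip)
        verdict = self.lookup(dst_ip) or self.lookup(domain)
        if verdict is None:
            return "permit"
        kind, level = verdict
        where = f"{src} to {dst_ip}" + (f" (resolved from {domain})" if domain else "")
        if kind == "white":
            self.syslog.append(f"permitted white listed traffic from {where}")
            return "log"
        if self.in_drop_range(level):
            self.syslog.append(f"dropped black listed traffic from {where}, threat level {level}")
            return "drop"
        self.syslog.append(f"permitted black listed traffic from {where}, threat level {level}")
        return "log"


if __name__ == "__main__":
    # Constructed databases and addresses (documentation ranges, not real indicators)
    f = BotnetTrafficFilter(
        dynamic_blacklist={"bad.example.com": "Very High", "209.165.201.30": "Low"},
        static_blacklist=["evil.example.net"],
        static_whitelist=["good.example.org"],
    )
    f.snoop_dns_reply("bad.example.com", "209.165.201.3")   # the reply shown in Figure 26-1
    print(f.check_connection("10.1.1.45", "209.165.201.3"))  # drop
    print(f.check_connection("10.1.1.45", "209.165.201.30"))  # log only: Low is below the drop range
    print("\n".join(f.syslog))
```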
Licensing Requirements for the Botnet Traffic Filter
The following table shows the licensing requirements for this feature:
Model: All models
License Requirement: You need the following licenses:
• Botnet Traffic Filter License.
• Strong Encryption (3DES/AES) License to download the dynamic database.
Configuring the Botnet Traffic Filter
This section includes the following topics:
• Task Flow for Configuring the Botnet Traffic Filter, page 26-7
• Configuring the Dynamic Database, page 26-8
• Enabling DNS Snooping, page 26-9
• Adding Entries to the Static Database, page 26-9
• Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 26-10
• Blocking Botnet Traffic Manually, page 26-1
Configuring the Dynamic Database
This procedure enables database updates, and also enables use of the downloaded dynamic database by the ASA. In multiple context mode, the system downloads the database for all contexts using the admin context interface. You can configure use of the database on a per-context basis. By default, downloading and using the dynamic database is disabled.
section on page 26-13.
What to Do Next
See the “Adding Entries to the Static Database” section on page 26-9.
Adding Entries to the Static Database
The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. Static blacklist entries are always designated with a Very High threat level.
• You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter. See the “DNS Inspection” section on page 11-1 and Chapter 1, “Configuring a Service Policy,” for detailed information about configuring advanced DNS inspection options using the Modular Policy Framework.
When an address matches, the ASA sends a syslog message. The only additional action currently available is to drop the connection.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Note We highly recommend using the default setting unless you have strong reasons for changing the setting.
• Value—Specify the threat level you want to drop:
– Very Low
– Low
– Moderate
– High
– Very High
Note Static blacklist entries are always designated with a Very High threat level.
• Range—Specify a range of threat levels.
d.
For example, you receive the following syslog message:
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
You can then perform one of the following actions:
• Create an access rule to deny traffic.
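As an added example that is not part of the guide, the following Python parses syslog messages in the format shown above and groups the blacklist hits by internal host, so an administrator can see which hosts still have only permitted (not dropped) hits before adding an access rule. The sample lines are constructed; apart from the first, which is copied from the page, they reuse the page's message ID 338002 even where a real ASA would use a different ID for the dropped or whitelist variants.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Field layout of the message body quoted on the page:
#   Dynamic Filter <action> <black|white> listed <PROTO> traffic
#   from <ifc>:<ip>/<port> (<mapped ip>/<port>) to <ifc>:<ip>/<port> (<mapped ip>/<port>),
#   destination <ip> resolved from <dynamic|static> list: <domain>
BTF_RE = re.compile(
    r"ASA-\d-(?P<msgid>\d{6}): Dynamic Filter (?P<action>permitted|dropped) "
    r"(?P<list>black|white) listed (?P<proto>\w+) traffic "
    r"from (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\), "
    r"destination (?P<resolved_ip>[\d.]+) resolved from (?P<source>dynamic|static) list: (?P<domain>\S+)"
)


def parse_btf_message(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a Botnet Traffic Filter message, or None for any other syslog line."""
    m = BTF_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines: List[str]) -> Dict[str, Dict[str, set]]:
    """Group blacklist hits by inside host: the bad destinations and domains it reached,
    and which actions (permitted/dropped) the filter took. Whitelist hits are ignored."""
    hosts: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"destinations": set(), "domains": set(), "actions": set()})
    for line in lines:
        rec = parse_btf_message(line)
        if rec is None or rec["list"] != "black":
            continue
        h = hosts[rec["src_ip"]]
        h["destinations"].add(rec["dst_ip"])
        h["domains"].add(rec["domain"])
        h["actions"].add(rec["action"])
    return dict(hosts)


def permitted_only_hosts(summary: Dict[str, Dict[str, set]]) -> List[str]:
    """Hosts whose blacklisted traffic was only logged, never dropped."""
    return sorted(h for h, d in summary.items() if d["actions"] == {"permitted"})


def deny_candidates(summary: Dict[str, Dict[str, set]]) -> List[Tuple[str, str]]:
    """(host, blacklisted destination) pairs still being permitted: the input for the
    access rule the text recommends creating to deny that traffic."""
    return sorted((h, d) for h in permitted_only_hosts(summary) for d in summary[h]["destinations"])


# Constructed sample log: line 1 is the page's message, the rest follow its format
SAMPLE_LOG = [
    "ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 "
    "(209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), "
    "destination 209.165.202.129 resolved from dynamic list: bad.example.com",
    "ASA-4-338002: Dynamic Filter permitted black listed UDP traffic from inside:10.1.1.45/40001 "
    "(209.165.201.1/40001) to outside:209.165.202.130/53 (209.165.202.130/53), "
    "destination 209.165.202.130 resolved from dynamic list: c2.example.net",
    "ASA-4-338002: Dynamic Filter dropped black listed TCP traffic from inside:10.1.1.46/5123 "
    "(209.165.201.1/5123) to outside:209.165.202.131/443 (209.165.202.131/443), "
    "destination 209.165.202.131 resolved from static list: evil.example.org",
    "ASA-4-338002: Dynamic Filter permitted white listed TCP traffic from inside:10.1.1.47/6000 "
    "(209.165.201.1/6000) to outside:209.165.202.132/80 (209.165.202.132/80), "
    "destination 209.165.202.132 resolved from static list: good.example.org",
    # an unrelated connection message, to show the parser skips it
    "ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:10.1.1.48/51000 (10.1.1.48/51000)",
]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host, data in sorted(s.items()):
        print(host, sorted(data["domains"]), sorted(data["actions"]))
    print("deny candidates:", deny_candidates(s))
```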
Detailed Steps
Step 1 Go to the Search Dynamic Database area:
• In Single mode or within a context, choose the Configuration > Firewall > Botnet Traffic Filter > Botnet Database Update pane.
• In multiple context mode in the System execution space, choose the Configuration > Device Management > Botnet Database Update pane.
Step 2
Botnet Traffic Filter Monitor Panes
To monitor the Botnet Traffic Filter, see the following panes:
Pane: Purpose
Home > Firewall Dashboard: Shows the Top Botnet Traffic Filter Hits, which shows reports of the top 10 malware sites, ports, and infected hosts. This report is a snapshot of the data, and may not match the top 10 items since the statistics started to be collected.
Monitoring > Botnet Traffic Filter > Dynamic Database: Shows information about the dynamic database, including when the dynamic database was last downloaded, the version of the database, how many entries the database contains, and 10 sample entries.
Monitoring > Botnet Traffic Filter > ASP Table Hits: Shows the Botnet Traffic Filter rules that are installed in the accelerated security path.
Chapter 27 Configuring Threat Detection
This chapter describes how to configure threat detection statistics and scanning threat detection and includes the following sections:
• Information About Threat Detection, page 27-1
• Licensing Requirements for Threat Detection, page 27-1
• Configuring Basic Threat Detection Statistics, page 27-2
• Configuring Advanced Threat Detection Statistics, page 27-5
• Configuring Scanning Threat Detection, page 27-8
Information About Threat Detection
The threat
Configuring Basic Threat Detection Statistics
Basic threat detection statistics include activity that might be related to an attack, such as a DoS attack.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
Security Context Guidelines
Supported in single mode only. Multiple mode is not supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Table 27-1 Basic Threat Detection Default Settings (continued)
Packet Drop Reason: Interface overload
Trigger Settings (first pair): Average Rate 2000 drops/sec over the last 600 seconds. Burst Rate 8000 drops/sec over the last 20 second period.
Trigger Settings (second pair): Average Rate 1600 drops/sec over the last 3600 seconds. Burst Rate 6400 drops/sec over the last 120 second period.
Feature History for Basic Threat Detection Statistics
Table 27-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Security Context Guidelines
Only TCP Intercept statistics are available in multiple mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
Default Settings
By default, statistics for ACLs are enabled.
• Burst Threshold Rate—Sets the threshold for syslog message generation, between 25 and 2147483647. The default is 400 per second. When the burst rate is exceeded, syslog message 733104 is generated.
• Average Threshold Rate—Sets the average rate threshold for syslog message generation, between 25 and 2147483647. The default is 200 per second. When the average rate is exceeded, syslog message 733105 is generated.
Feature History for Advanced Threat Detection Statistics
Table 27-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
• Feature History for Scanning Threat Detection, page 27-11
Information About Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan.
Default Settings
Table 27-4 lists the default rate limits for scanning threat detection.
Table 27-4 Default Rate Limits for Scanning Threat Detection
First pair: Average Rate 5 drops/sec over the last 600 seconds. Burst Rate 10 drops/sec over the last 20 second period.
Second pair: Average Rate 5 drops/sec over the last 3600 seconds. Burst Rate 10 drops/sec over the last 120 second period.
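The following added Python example (not Cisco's implementation) applies the average and burst rate pairs from Tables 27-1 and 27-4 to a per-second series of drop counts and reports the first second at which a threshold is crossed. It assumes a window is only judged once it is completely filled, and both traffic patterns are constructed.

```python
from dataclasses import dataclass
from itertools import accumulate
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RateTrigger:
    """One row of Table 27-1 or 27-4: an average-rate and a burst-rate threshold."""
    average_rate: float    # drops/sec, measured over average_interval seconds
    average_interval: int
    burst_rate: float      # drops/sec, measured over burst_interval seconds
    burst_interval: int


# Defaults quoted on the page. Each table has a 600 s/20 s pair and a 3600 s/120 s pair.
INTERFACE_OVERLOAD = (RateTrigger(2000, 600, 8000, 20), RateTrigger(1600, 3600, 6400, 120))
SCANNING_THREAT = (RateTrigger(5, 600, 10, 20), RateTrigger(5, 3600, 10, 120))


def window_rate(prefix: List[int], end: int, length: int) -> float:
    """Average drops/sec over the `length` seconds ending at second `end` (inclusive).
    `prefix[i]` holds the number of drops in seconds 0..i-1."""
    return (prefix[end + 1] - prefix[end + 1 - length]) / length


def first_trigger(drops_per_second: Sequence[int], trig: RateTrigger) -> Optional[Tuple[int, str]]:
    """Earliest (second, 'burst' or 'average') at which a threshold is exceeded, else None.
    Assumption: a window is only evaluated once it is full, so the 3600 s average
    cannot fire on a series shorter than 3600 seconds."""
    prefix = [0] + list(accumulate(drops_per_second))
    for t in range(len(drops_per_second)):
        if t + 1 >= trig.burst_interval and window_rate(prefix, t, trig.burst_interval) > trig.burst_rate:
            return (t, "burst")
        if t + 1 >= trig.average_interval and window_rate(prefix, t, trig.average_interval) > trig.average_rate:
            return (t, "average")
    return None


def first_trigger_any(drops_per_second: Sequence[int],
                      triggers: Sequence[RateTrigger]) -> Optional[Tuple[int, str]]:
    """Apply every row of a table and report the earliest crossing."""
    hits = [h for h in (first_trigger(drops_per_second, tr) for tr in triggers) if h is not None]
    return min(hits) if hits else None


# Constructed traffic patterns: drops per second, 700 seconds each
def fast_scan() -> List[int]:
    """Quiet, then 20 drops/sec for 20 seconds (a quick sweep), then quiet again."""
    return [0] * 100 + [20] * 20 + [0] * 580


def slow_scan() -> List[int]:
    """A steady 6 drops/sec: never reaches the 10/sec burst rate, but exceeds the 5/sec average."""
    return [6] * 700


if __name__ == "__main__":
    for name, series in (("fast scan", fast_scan()), ("slow scan", slow_scan())):
        print(name, "scanning threat:", first_trigger_any(series, SCANNING_THREAT),
              "interface overload:", first_trigger_any(series, INTERFACE_OVERLOAD))
```

The fast sweep is caught by the 20-second burst window well before the 600-second average could react, while the slow scan only shows up once a full 600-second average window is above 5 drops/sec.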
Feature History for Scanning Threat Detection
Table 27-5 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Table 27-5 Feature History for Scanning Threat Detection
Feature Name: Platform Releases: Feature Information
Scanning threat detection 8.
Chapter 28 Using Protection Tools
This chapter describes some of the many tools available to protect your network and includes the following sections:
• Preventing IP Spoofing, page 28-1
• Configuring the Fragment Size, page 28-2
• Configuring TCP Options, page 28-3
• Configuring IP Audit for Basic IPS Support, page 28-5
Preventing IP Spoofing
This section lets you enable Unicast Reverse Path Forwarding on an interface.
• Anti-Spoofing Enabled—Shows whether an interface has Unicast RPF enabled, Yes or No.
• Enable—Enables Unicast RPF for the selected interface.
• Disable—Disables Unicast RPF for the selected interface.
Configuring the Fragment Size
By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly.
• Timeout—Display only. Displays the number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds displayed, all fragments of the packet that were already received will be discarded. The default is 5 seconds.
• Threshold—Display only.
alters the packet to request 1200 bytes. See the “Controlling Fragmentation with the Maximum Transmission Unit and TCP Maximum Segment Size” section on page 11-8 for more information.
– Force Minimum Segment Size for TCP—Overrides the maximum segment size to be no less than the number of bytes you set, between 48 and any maximum number. This feature is disabled by default (set to 0).
Configuring IP Audit for Basic IPS Support
The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that matches a signature.
Fields
• Policy Name—Sets the IP audit policy name. You cannot edit the name after you add it.
• Policy Type—Sets the policy type. You cannot edit the policy type after you add it.
– Attack—Sets the policy type as attack.
– Information—Sets the policy type as informational.
• Action—Sets one or more actions to take when a packet matches a signature. If you do not choose an action, then the default policy is used.
Table 28-1 Signature IDs and System Message Numbers (continued)
Signature ID   Message Number   Signature Title                          Signature Type   Description
1002           400002           IP options-Timestamp                     Informational    Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).
2002           400012           ICMP Source Quench                       Informational    Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).
2150           400023           Fragmented ICMP Traffic                  Attack           Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field.
6051           400035           DNS Zone Transfer                        Informational    Triggers on normal DNS zone transfers, in which the source port is 53.
6052           400036           DNS Zone Transfer from High Port         Informational    Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53.
6180           400049           rexd (remote execution daemon) Attempt   Informational    Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.
Chapter 29 Configuring Filtering Services
This chapter describes how to use filtering services to provide greater control over traffic passing through the ASA and includes the following sections:
• Information About Web Traffic Filtering, page 29-1
• Configuring Filtering Rules, page 29-6
• Filtering the Rule Table, page 29-11
• Defining Queries, page 29-12
• Filtering URLs and FTP Requests with an External Server, page 29-2
Information About Web Traffic Filtering
You can use web traffic filt
Filtering URLs and FTP Requests with an External Server
This section describes how to filter URLs and FTP requests with an external server and includes the following topics:
• Information About URL Filtering, page 29-2
• Licensing Requirements for URL Filtering, page 29-3
• Guidelines and Limitations for URL Filtering, page 29-3
• Identifying the Filtering Server, page 29-3
• Configuring Additional
Licensing Requirements for URL Filtering
The following table shows the licensing requirements for URL filtering:
Table 29-1 Licensing Requirements
Model        License Requirement
All models   Base License.
Guidelines and Limitations for URL Filtering
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
• Enter the number of seconds after which the request to the URL filtering server times out. The default is 30 seconds.
• Buffering the Content Server Response, page 29-5
• Caching Server Addresses, page 29-5
• Filtering HTTP URLs, page 29-6
Buffering the Content Server Response
When you issue a request to connect to a content server, the ASA sends the request to the content server and to the filtering server at the same time.
Step 5 Click OK to close this dialog box.
Filtering HTTP URLs
This section describes how to configure HTTP filtering with an external filtering server and includes the following topics:
• Enabling Filtering of Long HTTP URLs, page 29-6
Enabling Filtering of Long HTTP URLs
By default, the ASA considers an HTTP URL to be a long URL if it is greater than 1159 characters.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Source dialog box. Choose a host or address from the drop-down list.
• Enter the destination of the traffic to which the filtering action applies.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Destination dialog box. Choose a host or address from the drop-down list.
• Identify the service of the traffic to which the filtering action applies.
>—Greater than. For example, >tcp/2000.
- —Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
Step 6 • Choose the action to take when the URL exceeds the specified size from the drop-down list.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
Step 7 • Check the Allow outbound traffic if URL server is not available check box to connect without URL filtering being performed. When this check box is unchecked, you cannot connect to Internet websites if the URL server is unavailable.
• Click OK to close this dialog box.
• Click Apply to save your changes.
Step 8 To modify a filtering rule, select it and click Edit to display the Edit Filter Rule dialog box for the specified filtering rule.
Step 9 Make the required changes, then click OK to close this dialog box.
Step 10 Click Apply to save your changes.
Step 12 To delete a selected filter rule, click Delete.
Defining Queries
To define queries, perform the following steps:
Step 1 Enter the IP address or hostname of the source. Choose is for an exact match or choose contains for a partial match. Click the ellipses to display the Browse Source dialog box. You can specify a network mask using CIDR notation (address/bit-count).
PART 8 Configuring Modules
Chapter 30 Configuring the ASA CX Module
This chapter describes how to configure the ASA CX module that runs on the ASA.
How the ASA CX Module Works with the ASA
The ASA CX module runs a separate application from the ASA. The ASA CX module includes external management interface(s) so you can connect to the ASA CX module directly. Any data interfaces on the ASA CX module are used for ASA traffic only. Traffic goes through the firewall checks before being forwarded to the ASA CX module.
Monitor-Only Mode
For demonstration purposes, you can configure a service policy or a traffic-forwarding interface in monitor-only mode. For guidelines and limitations for monitor-only mode, see the “Guidelines and Limitations” section on page 30-6.
Figure 30-3 ASA CX Traffic-Forwarding (figure labels: Switch, SPAN Port, ASA Main System, Gig 0/3, Backplane, ASA CX inspection, Forwarded Traffic)
Information About ASA CX Management
• Initial Configuration, page 30-4
• Policy Configuration and Management, page 30-5
Initial Configuration
For initial configuration, you must use the CLI on the ASA CX module to run the setup command and configure other optional settings.
or ASDM). However, physical characteristics (such as enabling the interface) are configured on the ASA. You can remove the ASA interface configuration (specifically the interface name) to dedicate this interface as an ASA CX-only interface. This interface is management-only.
Policy Configuration and Management
After you perform initial configuration, configure the ASA CX policy using Cisco Prime Security Manager (PRSM).
• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security (ScanSafe) inspection. If you configure both the ASA CX action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX action.
• Other application inspections on the ASA are compatible with the ASA CX module, including the default inspections.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode. Traffic-forwarding interfaces are only supported in transparent mode.
Failover Guidelines
Does not support failover directly; when the ASA fails over, any existing ASA CX flows are transferred to the new ASA, but the traffic is allowed through the ASA without being inspected by the ASA CX.
ASA Clustering Guidelines
Does not support clustering.
Additional Guidelines and Limitations
• See the “Compatibility with ASA Features” section on page 30-5.
• You cannot change the software type installed on the hardware module; if you purchase an ASA CX module, you cannot later install other software on it.
Default Settings
Table 30-1 lists the default settings for the ASA CX module.
Step 3 (ASA 5585-X) Configure the ASA CX module management IP address for initial SSH access. See the “(ASA 5585-X) Changing the ASA CX Management IP Address” section on page 30-14.
Step 4 On the ASA CX module, configure basic settings. You must use the CLI to configure these settings. See the “Configuring Basic ASA CX Settings at the ASA CX CLI” section on page 30-16.
If you have an inside router
If you have an inside router, you can route between the management network, which can include both the ASA Management 0/0 and ASA CX Management 1/0 interfaces, and the ASA inside network for Internet access. Be sure to also add a route on the ASA to reach the Management network through the inside router.
ASA 5512-X through ASA 5555-X (Software Module)
These models run the ASA CX module as a software module, and the ASA CX management interface shares the Management 0/0 interface with the ASA.
ASA CX Management 0/0 Default IP: 192.168.1.2
ASA Management 0/0 Default IP: 192.168.1.
CX IP address for that interface. Because the ASA CX module is essentially a separate device from the ASA, you can configure the ASA CX management address to be on the same network as the inside interface.
The boot software lets you set basic ASA CX network configuration, partition the SSD, and download the larger system software from a server of your choice to the SSD.
Step 2 Download the ASA CX system software from Cisco.com to an HTTP, HTTPS, or FTP server accessible from the ASA CX management interface. If you have a Cisco.com login, you can obtain the boot software from the following website: http://www.cisco.
asacx-boot> system install https://upgrades.example.com/packages/asacx-sys-9.1.1.pkg
Username: buffy
Password: angelforever
Verifying
Downloading
Extracting
Package Detail
        Description:      Cisco ASA CX System Upgrade
        Requires reboot:  Yes
Do you want to continue with upgrade? [n]: Y
Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in unusable state.
Upgrading
Stopping all the services ...
Command                                                  Purpose
session 1 do setup host ip ip_address/mask,gateway_ip    Sets the ASA CX management IP address, mask, and gateway.
Example:
ciscoasa# session 1 do setup host ip 10.1.1.2/24,10.1.1.1
Step 3 Click Send.
Single Context Mode
Step 1 In ASDM, choose Wizards > Startup Wizard.
Step 2 Click Next to advance through the initial screens until you reach the ASA CX Basic Configuration screen.
Step 5 Click Finish to skip the remaining screens, or click Next to advance through the remaining screens and complete the wizard.
Configuring Basic ASA CX Settings at the ASA CX CLI
You must configure basic network settings and other parameters on the ASA CX module before you can configure your security policy.
Detailed Steps
Step 1 Do one of the following:
• (All models) Use SSH to connect to the ASA CX management IP address.
Step 4 After you complete the final prompt, you are presented with a summary of the settings. Look over the summary to verify that the values are correct, and enter Y to apply your changed configuration. Enter N to cancel your changes.
Example:
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Done.
Generating self-signed certificate, the web server will be restarted after that ...
Done.
• Launch PRSM from ASDM by choosing Home > ASA CX Status, and clicking the Connect to the ASA CX application link.
• (Optional) Configure the authentication proxy port. See the “(Optional) Configuring the Authentication Proxy Port” section on page 30-18.
• Redirect traffic to the ASA CX module. See the “Redirecting Traffic to the ASA CX Module” section on page 30-19.
Step 2 Enter a port greater than 1024. The default is 885.
Step 3 Click Apply.
Redirecting Traffic to the ASA CX Module
You can redirect traffic to the ASA CX module by creating a service policy that identifies specific traffic. For demonstration purposes only, you can also enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Detailed Steps
Step 1 Choose Configuration > Firewall > Service Policy Rules.
Step 2 Choose Add > Add Service Policy Rule.
The Add Service Policy Rule Wizard - Service Policy dialog box appears.
Step 3 Complete the Service Policy dialog box as desired. See the ASDM online help for more information about these screens.
Step 4 Click Next.
The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.
Step 8 Check the Enable ASA CX for this traffic flow check box.
Step 9 In the If ASA CX Card Fails area, click one of the following:
• Permit traffic—Sets the ASA to allow all traffic through, uninspected, if the ASA CX module is unavailable.
• Close traffic—Sets the ASA to block all traffic if the ASA CX module is unavailable.
Configuring Traffic-Forwarding Interfaces (Monitor-Only Mode)
This section configures traffic-forwarding interfaces, where all traffic is forwarded directly to the ASA CX module. This method is for demonstration purposes only. For a normal ASA CX service policy, see the “Creating the ASA CX Service Policy” section on page 30-19. For more information see the “Monitor-Only Mode” section on page 30-3.
Examples
The following example makes GigabitEthernet 0/5 a traffic-forwarding interface:
Managing the ASA CX Module
This section includes procedures that help you manage the module.
To reset the module password to the default of Admin123, perform the following steps.
Guidelines
In multiple context mode, perform this procedure in the system execution space.
Detailed Steps
Step 1 From the ASDM menu bar, choose Tools > ASA CX Password Reset.
The Password Reset confirmation dialog box appears.
Step 2 Click OK to reset the password to the default Admin123.
Detailed Steps
Command                                                  Purpose
For a hardware module (ASA 5585-X):                      Reloads the module software.
hw-module module 1 reload
For a software module (ASA 5512-X through ASA 5555-X):
sw-module module cxsc reload
Example:
ciscoasa# hw-module module 1 reload
For a hardware module:                                   Performs a reset, and then reloads the module.
(ASA 5512-X through ASA 5555-X) Uninstalling a Software Module Image
To uninstall a software module image and associated configuration, perform the following steps.
Guidelines
In multiple context mode, perform this procedure in the system execution space.
Detailed Steps
Step 1
Command                            Purpose
sw-module module cxsc uninstall    Permanently uninstalls the software module image and associated configuration.
Detailed Steps
Command         Purpose
session cxsc    Telnet session. Accesses the module using Telnet. You are prompted for the username and password. The default username is admin, and the default password is Admin123.
Example:
ciscoasa# session cxsc
Opening command session with slot 1.
Connected to module cxsc. Escape character sequence is 'CTRL-^X'.
cxsc login: admin
Password: Admin123
Console session. Accesses the module console.
Showing Module Status
See the “ASA CX Status Tab” section on page 4-30 in the general operations configuration guide.
Showing Module Statistics
To show module statistics, enter the following command:
Command                     Purpose
show service-policy cxsc    Displays the ASA CX statistics and status per service policy.
Command          Purpose
show asp drop    Shows dropped packets. The following drop types are used:
Frame Drops:
• cxsc-bad-tlv-received—This occurs when the ASA receives a packet from CXSC without a Policy ID TLV. This TLV must be present in non-control packets if it does not have the Standby Active bit set in the actions field.
in  id=0x7ffedb4ada00, priority=50, domain=cxsc, deny=false
        hits=0, user_data=0x7ffedb4ac840, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.
ciscoasa# show asp drop
Frame drop:
  CXSC Module received packet with bad TLV's (cxsc-bad-tlv-received)      2
  CXSC Module requested drop (cxsc-request)                                1
  CXSC card is down (cxsc-fail-close)                                      1
  CXSC config removed for flow (cxsc-fail)                                 3
  CXSC Module received malformed packet (cxsc-malformed-packet)            1

Last clearing: 18:12:58 UTC May 11 2012 by enable_15

Flow drop:
  Flow terminated by CXSC (cxsc-request)
  Flow reset by CXSC (reset-by-cxsc)
  CXSC f
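Because the show asp drop counters are cumulative since the last clearing, a monitor should compare two polls and alert on the increase in the cxsc-related reasons rather than on the raw values. This Python parser is an added example, not Cisco code; the two snapshots are constructed text modelled on the output above, and the grouping of reasons into module-unavailable (cxsc-fail-close, cxsc-fail) and malformed-backplane-traffic (cxsc-bad-tlv-received, cxsc-malformed-packet) is the example's own, taken from the reason descriptions in that output.

```python
"""Parse 'show asp drop' output and alert on ASA CX (cxsc) drop counters.

Added example, not Cisco code. The two snapshots are constructed text
modelled on the output above. The counters are cumulative since "Last
clearing", so the useful signal is the increase between two polls.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Constructed sample: first poll.
SNAPSHOT_1 = """\
Frame drop:
  CXSC Module received packet with bad TLV's (cxsc-bad-tlv-received)      2
  CXSC Module requested drop (cxsc-request)                                1
  CXSC card is down (cxsc-fail-close)                                      1
  CXSC config removed for flow (cxsc-fail)                                 3
  CXSC Module received malformed packet (cxsc-malformed-packet)            1

Last clearing: 18:12:58 UTC May 11 2012 by enable_15

Flow drop:
  Flow terminated by CXSC (cxsc-request)                                   5
  Flow reset by CXSC (reset-by-cxsc)                                       2

Last clearing: 18:12:58 UTC May 11 2012 by enable_15
"""

# Constructed sample: second poll, after the module stopped responding.
SNAPSHOT_2 = """\
Frame drop:
  CXSC Module received packet with bad TLV's (cxsc-bad-tlv-received)      2
  CXSC Module requested drop (cxsc-request)                                1
  CXSC card is down (cxsc-fail-close)                                    412
  CXSC config removed for flow (cxsc-fail)                                 3
  CXSC Module received malformed packet (cxsc-malformed-packet)            1

Last clearing: 18:12:58 UTC May 11 2012 by enable_15

Flow drop:
  Flow terminated by CXSC (cxsc-request)                                   7
  Flow reset by CXSC (reset-by-cxsc)                                       2

Last clearing: 18:12:58 UTC May 11 2012 by enable_15
"""

SECTION_RE = re.compile(r"^(Frame drop|Flow drop):\s*$")
# "  <description> (<reason>)   <count>"
ROW_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[a-z0-9-]+)\)\s+(?P<count>\d+)\s*$")

# (section, reason) -> (description, cumulative count)
Counters = Dict[Tuple[str, str], Tuple[str, int]]


def parse_asp_drop(text: str) -> Counters:
    """Collect every drop reason and its counter, keyed by section and reason."""
    counters: Counters = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and section is not None:
            counters[(section, m["reason"])] = (m["desc"], int(m["count"]))
    return counters


def counter_deltas(before: Counters, after: Counters) -> Dict[Tuple[str, str], int]:
    """Increase per (section, reason) between two polls.

    A counter that went down means the counters were cleared in between
    (see the "Last clearing" line), so the new value is reported as the delta.
    """
    deltas: Dict[Tuple[str, str], int] = {}
    for key, (_, now) in after.items():
        prev = before.get(key, ("", 0))[1]
        deltas[key] = now if now < prev else now - prev
    return deltas


# Grouping is the example's own, taken from the reason descriptions above:
# the module is not inspecting traffic ...
MODULE_DOWN = {"cxsc-fail-close", "cxsc-fail"}
# ... or the ASA received malformed backplane traffic from the module.
BAD_PACKETS = {"cxsc-bad-tlv-received", "cxsc-malformed-packet"}


def cxsc_alerts(before: Counters, after: Counters) -> List[str]:
    """Alert lines for cxsc reasons whose counters rose between the polls."""
    alerts: List[str] = []
    for (section, reason), delta in sorted(counter_deltas(before, after).items()):
        if delta <= 0:
            continue
        desc = after[(section, reason)][0]
        if reason in MODULE_DOWN:
            alerts.append(f"MODULE: {desc} ({reason}): +{delta} {section.lower()}s")
        elif reason in BAD_PACKETS:
            alerts.append(f"INTEGRITY: {desc} ({reason}): +{delta} {section.lower()}s")
    return alerts


if __name__ == "__main__":
    for line in cxsc_alerts(parse_asp_drop(SNAPSHOT_1), parse_asp_drop(SNAPSHOT_2)):
        print(line)
```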
Capturing Module Traffic
To configure and view packet captures for the ASA CX module, enter one of the following commands:
Command                                  Purpose
capture name interface asa_dataplane     Captures packets between ASA CX module and the ASA on the backplane.
copy capture                             Copies the capture file to a server.
show capture                             Shows the capture at the ASA console.
ciscoasa# show running-config cxsc
cxsc auth-proxy port 2000
2. Check the authentication proxy rules:
ciscoasa# show asp table classify domain cxsc-auth-proxy
Input Table
in  id=0x7ffed86cc470, priority=121, domain=cxsc-auth-proxy, deny=false
        hits=0, user_data=0x7ffed86ca220, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.0.100, mask=255.255.255.
Table 30-2 Feature History for the ASA CX Module (continued)
Feature Name                                    Platform Releases            Feature Information
Monitor-only mode for demonstration purposes    ASA 9.1(2), ASA CX 9.1(2)    For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Chapter 31 Configuring the ASA IPS Module
This chapter describes how to configure the ASA IPS module. The ASA IPS module might be a hardware module or a software module, depending on your ASA model. For a list of supported ASA IPS modules per ASA model, see the Cisco ASA Compatibility Matrix: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.
How the ASA IPS Module Works with the ASA
The ASA IPS module runs a separate application from the ASA. The ASA IPS module might include an external management interface so you can connect to the ASA IPS module directly; if it does not have a management interface, you can connect to the ASA IPS module through the ASA interface.
Operating Modes
You can send traffic to the ASA IPS module using one of the following modes:
• Inline mode—This mode places the ASA IPS module directly in the traffic flow (see Figure 31-1). No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the ASA IPS module.
Figure 31-3 Security Contexts and Virtual Sensors (figure labels: ASA Main System, Context 1, Context 2, Context 3, IPS Sensor 1, Sensor 2)
Figure 31-4 shows a single mode ASA paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
See the following information about the management interface:
– ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X—The IPS management interface is a separate external Gigabit Ethernet interface.
– ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X—These models run the ASA IPS module as a software module. The IPS management interface shares the Management 0/0 interface with the ASA.
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
• The ASA 5505 does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.
• The ASA IPS module for the ASA 5510 and higher supports higher performance requirements, while the ASA IPS module for the ASA 5505 is designed for a small office installation.
Configuring the ASA IPS module
This section describes how to configure the ASA IPS module and includes the following topics:
• Task Flow for the ASA IPS Module, page 31-7
• Connecting the ASA IPS Management Interface, page 31-8
• Sessioning to the Module from the ASA (May Be Required), page 31-11
• Configuring Basic IPS Module Network Settings, page 31-12
• (ASA 5512-X through ASA 5555-X) Booting the Software Module, page 31
Connecting the ASA IPS Management Interface
In addition to providing management access to the IPS module, the IPS management interface needs access to an HTTP proxy server or a DNS server and the Internet so it can download global correlation, signature updates, and license requests. This section describes recommended network configurations. Your network may differ.
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network, which would require an inside router to route between the networks. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface.
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network. In this case, you can manage the ASA from the inside interface instead of the Management 0/0 interface. If you remove the ASA-configured name from the Management 0/0 interface, you can still configure the IPS IP address for that interface.
Sessioning to the Module from the ASA (May Be Required)
To access the IPS module CLI from the ASA, you can session from the ASA. For software modules, you can either session to the module (using Telnet) or create a virtual console session. A console session might be useful if the control plane is down and you cannot establish a Telnet session.
(ASA 5512-X through ASA 5555-X) Booting the Software Module
Your ASA typically ships with IPS module software present on Disk0. If the module is not running, or if you are adding the IPS module to an existing ASA, you must boot the module software.
(ASA 5510 and Higher) Configuring Basic Network Settings
In single context mode, you can use the Startup Wizard in ASDM to configure basic IPS network configuration. These settings are saved to the IPS configuration, not the ASA configuration. In multiple context mode, session to the module from the ASA and configure basic settings using the setup command.
Detailed Steps—Multiple Mode Using the CLI
Command    Purpose
Step 1     Session to the IPS module according to the “Sessioning to the Module from the ASA (May Be Required)” section on page 31-11.
Step 2     setup    Runs the setup utility for initial configuration of the ASA IPS module. You are prompted for basic settings. For the default gateway, specify the IP address of the upstream router.
b. Enter the IPS management IP address. Make sure this address is on the same subnet as the ASA VLAN IP address. For example, if you assigned 10.1.1.1 to the VLAN for the ASA, then assign another address on that network, such as 10.1.1.2, for the IPS management address. By default, the address is 192.168.1.2.
c. Choose the subnet mask from the drop-down list.
d. Enter the default gateway IP address.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module Step 3 Enter the IP address, username and password that you set in the “Configuring Basic IPS Module Network Settings” section on page 31-12, as well as the port. The default IP address and port is 192.168.1.2:443. The default username and password is cisco and cisco. If the password to access IDM is lost, you can reset the password using ASDM. See the “Resetting the Password” section on page 31-23, for more information.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module What to Do Next • For the ASA in multiple context mode, see the “Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)” section on page 31-17. • For the ASA in single context mode, see the “Diverting Traffic to the ASA IPS module” section on page 31-18.
Chapter 31 Configuring the ASA IPS Module Configuring the ASA IPS module If you do not specify a sensor name when you configure IPS within the context configuration, the context uses this default sensor. You can only configure one default sensor per context. If you do not specify a sensor as the default, and the context configuration does not include a sensor name, then traffic uses the default sensor on the ASA IPS module. Step 8 Repeat this procedure for each security context.
Step 3 Complete the Service Policy dialog box as desired. See the ASDM online help for more information about these screens.

Step 4 Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.

Step 5 Complete the Traffic Classification Criteria dialog box as desired. See the ASDM online help for more information about these screens.
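The per-context default sensor described above and the service policy that diverts traffic to the module, written out at the ASA CLI as an added example. This is not configuration taken from the guide; the context name ctxA, the sensor names sensor1 and sensor2, the interface names, the class and policy names, and the config-url path are constructed placeholders.

```cisco
! Added example, not from the Cisco guide. All names below are placeholders.

! --- System execution space (multiple context mode) ---
! Assign two virtual sensors to the context. The "default" keyword marks the
! sensor used whenever the context's own IPS action names no sensor.
context ctxA
  allocate-interface GigabitEthernet0/1
  allocate-interface GigabitEthernet0/2
  allocate-ips sensor1 default
  allocate-ips sensor2
  config-url disk0:/ctxA.cfg

! --- Inside context ctxA ---
! HTTP is sent to sensor2 explicitly; everything else falls through to the
! "match any" class and therefore to the context's default sensor (sensor1).
! fail-close drops traffic while the module is unavailable, so a module
! outage cannot silently turn into an uninspected path. Use fail-open only
! where availability is deliberately preferred over inspection.
class-map ips-web-traffic
  match port tcp eq www
class-map ips-all-traffic
  match any
policy-map ips-policy
  class ips-web-traffic
    ips inline fail-close sensor sensor2
  class ips-all-traffic
    ips inline fail-close
service-policy ips-policy global
```

Within a policy map the first class that matches a flow supplies the IPS action, so the more specific class is listed first. After applying the policy, confirm which sensor is receiving traffic from the module side (for example in IDM) rather than assuming the default was selected.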
Managing the ASA IPS module

This section includes procedures that help you recover or troubleshoot the module and includes the following topics:
• Installing and Booting an Image on the Module, page 31-20
• Shutting Down the Module, page 31-22
• Uninstalling a Software Module Image, page 31-22
• Resetting the Password, page 31-23
• Reloading or Resetting the Module, page 31-24

Installing and Booting an Image on the Module

If the module suffers a failure
Detailed Steps

Step 1
For a hardware module (for example, the ASA 5585-X):
Purpose: Specifies the location of the new image.
sw-module module ips recover configure image disk0:file_path
For a hardware module—This command prompts you for the URL for the TFTP server, the management interface IP address and netmask, gateway address, and VLAN ID (ASA 5505 only).
Shutting Down the Module

Shutting down the module software prepares the module to be safely powered off without losing configuration data.

Note: If you reload the ASA, the module is not automatically shut down, so we recommend shutting down the module before reloading the ASA.

To gracefully shut down the module, perform the following steps at the ASA CLI.
Resetting the Password

You can reset the module password to the default. For the user cisco, the default password is cisco. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting. If you cannot connect to ASDM with the new password, restart ASDM and try to log in again.
Reloading or Resetting the Module

To reload or reset the module, enter one of the following commands at the ASA CLI.

Detailed Steps

For a hardware module (for example, the ASA 5585-X):
Purpose: Reloads the module software.
Feature History for the ASA IPS module

Table 31-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 31-2 Feature History for the ASA IPS module
Feature Name | Platform Releases
AIP SSM | 7.
Chapter 32 Configuring the ASA CSC Module

This chapter describes how to configure the Content Security and Control (CSC) application that is installed in a CSC SSM in the ASA.
Figure 32-1 Flow of Scanned Traffic with the CSC SSM
[Figure: a request from an inside client is sent to the ASA main system, diverted by the modular service policy to the CSC SSM for a content security scan, then forwarded to the outside server; the reply follows the same path in reverse.]

You use ASDM for system setup and monitoring of the CSC SSM.
Figure 32-2 CSC SSM Deployment with a Management Network
[Figure: the ASA main system has an inside interface (192.168.100.1), an outside interface (10.6.13.67) toward the Internet and the Trend Micro Update Server, and a CSC SSM management port (192.168.50.1) on a management network with ASDM and a syslog server (192.168.50.).]
Based on the configuration shown in Figure 32-3, configure the ASA to divert to the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the DMZ network.
In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. This setting protects the SMTP server and inside users who download e-mail from the SMTP server on the DMZ network, without having to scan connections from SMTP clients to the server.
– Domain name and hostname for the CSC SSM.
– An e-mail address and an SMTP server IP address and port number for e-mail notifications.
– E-mail address(es) for product license renewal notifications.
– IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses for the CSC SSM management port and the ASA management interface can be in different subnets.
– Password for the CSC SSM.
Configuring the CSC SSM

This section describes how to configure the CSC SSM and includes the following topics:
• Before Configuring the CSC SSM, page 32-7
• Connecting to the CSC SSM, page 32-8
• Determining Service Policy Rule Actions for CSC Scanning, page 32-9

Before Configuring the CSC SSM

Before configuring the ASA and the CSC SSM, perform the following steps:

Step 1 If the CSC SSM did not come preinstalled in a Cisco ASA, insta
• If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock.
• If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device Administration > NTP.

Step 6 Open ASDM.

Step 7 Connect to and log in to the CSC SSM. For instructions, see the “Connecting to the CSC SSM” section on page 32-8.
To connect to the CSC SSM, perform the following steps:

Step 1 In the ASDM main application window, click the Content Security tab.

Step 2 In the Connecting to CSC dialog box, click one of the following radio buttons:
• To connect to the IP address of the management port on the SSM, click Management IP Address. ASDM automatically detects the IP address for the SSM in the ASA.
Step 4 Click the Create a new traffic class option, type a name for the traffic class in the adjacent field, check the Any traffic check box, and then click Next. The Rule Actions screen appears.

Step 5 Click the CSC Scan tab, and then check the Enable CSC scan for this traffic flow check box.
Activation/License

The Activation/License pane lets you review or renew activation codes for the CSC SSM Basic License and the Plus License. You can use ASDM to configure CSC licenses only once each for the two licenses. Renewed license activation codes are downloaded automatically with scheduled software updates. Links to the licensing status pane and the CSC UI home pane appear at the bottom of this window.
Step 3 Set parameters of the DNS servers for the network that includes the management IP address of the CSC SSM.
• Enter the IP address of the primary DNS server.
• (Optional) Enter the IP address of the secondary DNS server, if configured.

Step 4 (Optional) Enter parameters for an HTTP proxy server, used by the CSC SSM to contact a CSC SSM software update server.
What to Do Next

See the “Management Access Host/Networks” section on page 32-13.

Management Access Host/Networks

The Management Access Host/Networks pane lets you specify the hosts and networks for which management access to the CSC SSM is permitted. You must specify at least one permitted host or network, up to a maximum of eight permitted hosts or networks.
Tip Whenever the connection to the CSC SSM is dropped, you can reestablish it. To do so, click the Connection to Device icon on the status bar to display the Connection to Device dialog box, and then click Reconnect. ASDM prompts you for the CSC SSM password, which is the new password that you have defined.

Passwords must be 5 - 32 characters long. Passwords appear as asterisks when you type them.

Note The default password is “cisco.
Step 4 After you have reset the password, you should change it to a unique value.

What to Do Next

See the “Password” section on page 32-13.

Wizard Setup

The Wizard Setup screen lets you start the CSC Setup Wizard. To start the CSC Setup Wizard, click Launch Setup Wizard. To access the Wizard Setup screen, choose Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup.
CSC Setup Wizard IP Configuration

To display the IP configuration settings that you have entered for the CSC SSM, perform the following steps:

Choose Configuration > Trend Micro Content Security > CSC Setup > IP Configuration. The IP configuration settings that you have entered for the CSC SSM appear, including the following:
• The IP address for the management interface of the CSC SSM.
CSC Setup Wizard Management Access Configuration

To display the subnet and host settings that you have entered to grant access to the CSC SSM, perform the following steps:

Step 1 Choose Configuration > Trend Micro Content Security > CSC Setup > Management Access Configuration.
Step 2 The traffic selection for CSC scanning configuration settings that you have entered for the CSC SSM appear, including the following:
• The interface to the CSC SSM that you have chosen from the drop-down list.
• The source of network traffic for the CSC SSM to scan.
• The destination of network traffic for the CSC SSM to scan.
• The source or destination service for the CSC SSM to scan.
CSC Setup Wizard Summary

To review the settings that you have made with the CSC Setup Wizard, perform the following steps:

Step 1 Choose Configuration > Trend Micro Content Security > CSC Setup > Summary.
What to Do Next

See the “Using the CSC SSM GUI” section on page 32-20.

Using the CSC SSM GUI

This section describes how to configure features using the CSC SSM GUI, and includes the following topics:
• Web, page 32-20
• Mail, page 32-21
• SMTP Tab, page 32-21
• POP3 Tab, page 32-22
• File Transfer, page 32-22
• Updates, page 32-23

Web

Note To access the CSC SSM, you must reenter the CSC SSM password.
Step 6 Click Configure Web Reputation to open a screen for configuring the Web Reputation service on the CSC SSM.

What to Do Next

See the “Mail” section on page 32-21.

Mail

The Mail pane lets you see whether or not e-mail-related features are enabled and lets you access the CSC SSM GUI to configure these features. To configure e-mail related features, choose Configuration > Trend Micro Content Security > Mail.
Step 7 The Global Approved List area is display-only and shows whether or not the SMTP global approved list feature is enabled on the CSC SSM. Click Configure Global Approved List to open a screen for configuring SMTP global approved list settings on the CSC SSM.

POP3 Tab

Note To access the CSC SSM, you must reenter the CSC SSM password. Sessions in the CSC SSM browser time out after ten minutes of inactivity.
The File Scanning area is display-only and shows whether or not FTP file scanning is enabled on the CSC SSM.

Step 2 Click Configure File Scanning to open a window for configuring FTP file scanning settings on the CSC SSM.

The File Blocking area is display-only and shows whether or not FTP blocking is enabled on the CSC SSM.

Step 3 Click Configure File Blocking to open a window for configuring FTP file blocking settings on the CSC SSM.
What to Do Next

See the “Monitoring the CSC SSM” section on page 32-24.

Monitoring the CSC SSM

ASDM lets you monitor the CSC SSM statistics as well as CSC SSM-related features.

Note If you have not completed the CSC Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panes under Monitoring > Trend Micro Content Security.
Step 4 To remove the selected statistics type from the Selected Graphs list, click Remove. The button name changes to Delete if the item you are removing was added from another pane, and is not being returned to the Available Graphs pane.

Step 5 To display a new window that shows a Graph tab and an updated graph with the selected statistics, click Show Graphs. Click the Table tab to display the same information in tabular form.
Step 3
• The subject of e-mails that include a threat, or the names of FTP files that include a threat, or blocked or filtered URLs.
• The recipient of e-mails that include a threat, or the IP address or hostname of a threatened node, or the IP address of a threatened client.
• The type of event (such as Web, Mail, or FTP), or the name of a user or group for HTTP or FTP events, which include a threat.
What to Do Next

See the “CSC CPU” section on page 32-27.

Resource Graphs

The ASA lets you monitor CSC SSM status, including CPU resources and memory usage. This section includes the following topics:
• CSC CPU, page 32-27
• CSC Memory, page 32-27

CSC CPU

To view CPU usage by the CSC SSM in a graph, perform the following steps:

Step 1 Choose Monitoring > Trend Micro Content Security > Resource Graphs > CSC CPU.
• Resetting the Password, page 32-29
• Reloading or Resetting the Module, page 32-30
• Shutting Down the Module, page 32-30

Note This section covers all ASA module types; follow the steps appropriate for your module.

Installing an Image on the Module

If the module suffers a failure, and the module application image cannot run, you can reinstall a new image on the module from a TFTP server.
Step 2 Command: hw-module module 1 recover boot
Purpose: Transfers the image from the TFTP server to the module and restarts the module.
Example:
ciscoasa# hw-module module 1 recover boot

Step 3 Command: show module 1 details
Purpose: Checks the progress of the image transfer and module restart process. The Status field in the output indicates the operational status of the module.
Example:
ciscoasa# show module 1 details
Reloading or Resetting the Module

To reload or reset the module, enter one of the following commands at the ASA CLI.

Detailed Steps

Command: hw-module module 1 reload
Purpose: Reloads the module software.
Example:
ciscoasa# hw-module module 1 reload

Command: hw-module module 1 reset
Purpose: Performs a reset, then reloads the module.
Additional References

For additional information related to implementing the CSC SSM, see the following documents:

Related Topic | Document Title
Instructions on use of the CSC SSM GUI. Additional licensing requirements of specific windows available in the CSC SSM GUI. | Cisco Content Security and Control SSM Administrator Guide
Table 32-2 Feature History for the CSC SSM (continued)
Feature Name | Platform Releases | Feature Information
CSC syslog format | 8.3(1) | CSC syslog format is consistent with the ASA syslog format. Syslog message explanations have been added to the Cisco Content Security and Control SSM Administrator Guide. The source and destination IP information has been added to the ASDM Log Viewer GUI.