Cisco FirePOWER ASA 5500 series Configuration Manual

Cisco Security Appliance Command Line
Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2(1)
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: N/A, Online only
Text Part Number: OL-10088-01

Summary of Contents for Cisco FirePOWER ASA 5500 series

  • Page 3 Sending Traffic to the Advanced Inspection and Prevention Security Services Module; Sending Traffic to the Content Security and Control Security Services Module; Applying QoS Policies; Applying Connection Limits and TCP Normalization; Firewall Mode Overview; Stateful Inspection Overview; VPN Functional Overview
  • Page 4: Table Of Contents

    Invalid Classifier Criteria; Classification Examples; Cascading Security Contexts; Management Access to Security Contexts; System Administrator Access; Context Administrator Access 3-10; Enabling or Disabling Multiple Context Mode 3-10; Backing Up the Single Mode Configuration 3-10
  • Page 5 Contents: Enabling Multiple Context Mode 3-10; Restoring Single Context Mode 3-11; Chapter 4, Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance; Interface Overview; Understanding ASA 5505 Ports and Interfaces...
  • Page 6 Defining Route Maps; Configuring OSPF; OSPF Overview; Enabling OSPF; Redistributing Routes Into OSPF; Configuring OSPF Interface Parameters 9-10; Configuring OSPF Area Parameters 9-12; Configuring OSPF NSSA 9-13; Configuring Route Summarization Between OSPF Areas 9-14
  • Page 7 Configuring a DHCP Server 10-1; Enabling the DHCP Server 10-2; Configuring DHCP Options 10-3; Using Cisco IP Phones with a DHCP Server 10-4; Configuring DHCP Relay Services 10-5; Configuring Dynamic DNS 10-6; Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7; Example 2: Client Updates Both A and PTR RRs;...
  • Page 8 Configuring IPv6 Default and Static Routes 12-5; Configuring IPv6 Access Lists 12-6; Configuring IPv6 Neighbor Discovery 12-7; Configuring Neighbor Solicitation Messages 12-7; Configuring Router Advertisement Messages 12-9; Configuring a Static IPv6 Neighbor 12-11
  • Page 9 Using Certificates and User Login Credentials 13-15; Using User Login Credentials 13-15; Using Certificates 13-16; Supporting a Zone Labs Integrity Server 13-16; Overview of Integrity Server and Security Appliance Interaction 13-17; Configuring Integrity Server Support 13-17
  • Page 10 Configuring Unit Health Monitoring 14-36; Configuring Failover Communication Authentication/Encryption 14-36; Verifying the Failover Configuration 14-37; Using the show failover Command 14-37; Viewing Monitored Interfaces 14-45; Displaying the Failover Commands in the Running Configuration 14-45
  • Page 11 Chapter 16: Access List Overview 16-1; Access List Types 16-2; Access Control Entry Order 16-2; Access Control Implicit Deny 16-3; IP Addresses Used for Access Lists When You Use NAT 16-3
  • Page 12 17-3; NAT Types 17-5; Dynamic NAT 17-5; 17-6; Static NAT 17-7; Static PAT 17-7; Bypassing NAT when NAT Control is Enabled 17-8; Policy NAT 17-9; NAT and Same Security Level Interfaces 17-12
  • Page 13 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-7; Configuring a RADIUS Server to Download Per-User Access Control List Names 19-11; Configuring Accounting for Network Access 19-12; Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-13
  • Page 14 21-8; Identifying Traffic in an Inspection Class Map 21-9; Defining Actions in an Inspection Policy Map 21-10; Defining Actions Using a Layer 3/4 Policy Map 21-13; Layer 3/4 Policy Map Overview 21-13
  • Page 15 Configuring IP Audit for Basic IPS Support 23-7; Chapter 24: Applying QoS Policies 24-1; Overview 24-1; QoS Concepts 24-2; Implementing QoS 24-2; Identifying Traffic for QoS 24-4
  • Page 16 25-15; Using the Static Command for DNS Rewrite 25-15; Using the Alias Command for DNS Rewrite 25-16; Configuring DNS Rewrite with Two NAT Zones 25-16; DNS Rewrite with Three NAT Zones 25-17
  • Page 17 ILS Inspection 25-51; MGCP Inspection 25-52; MGCP Inspection Overview 25-53; Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-54; Configuring MGCP Timeout Values 25-56; Verifying and Monitoring MGCP Inspection 25-56
  • Page 18 Chapter 26: Configuring ARP Inspection 26-1; ARP Inspection Overview 26-1; Adding a Static ARP Entry 26-2; Enabling ARP Inspection 26-2; Customizing the MAC Address Table 26-3
  • Page 19 Creating a Basic IPSec Configuration 27-22; Using Dynamic Crypto Maps 27-24; Providing Site-to-Site Redundancy 27-26; Viewing an IPSec Configuration 27-26; Clearing Security Associations 27-27; Clearing Crypto Map Configurations 27-27; Supporting the Nokia VPN Client 27-28
  • Page 20 Chapter 30: Overview of Tunnel Groups, Group Policies, and Users 30-1; Tunnel Groups 30-2; General Tunnel-Group Connection Parameters 30-2; IPSec Tunnel-Group Connection Parameters 30-3; WebVPN Tunnel-Group Connection Parameters 30-4; Configuring Tunnel Groups 30-5
  • Page 21 30-41; Configuring Domain Attributes for Tunneling 30-42; Configuring Attributes for VPN Hardware Clients 30-44; Configuring Backup Server Attributes 30-47; Configuring Microsoft Internet Explorer Client Parameters 30-48; Configuring Network Admission Control Parameters 30-50
  • Page 22 Specifying the Access Control Server Group 33-2; Enabling NAC 33-2; Configuring the Default ACL for NAC 33-3; Configuring Exemptions from NAC 33-4; Changing Advanced Settings 33-5; Changing Clientless Authentication Settings 33-5
  • Page 23 Setting the Revalidation Timer 33-9; Chapter 34: Configuring Easy VPN Services on the ASA 5505 34-1; Specifying the Client/Server Role of the Cisco ASA 5505 34-2; Specifying the Primary and Secondary Servers 34-3; Specifying the Mode...
  • Page 24 Closing Application Access to Prevent hosts File Errors 37-17; Recovering from hosts File Errors When Using Application Access 37-18; Understanding the hosts File 37-18; Stopping Application Access Improperly 37-19; Reconfiguring a hosts File 37-19; Configuring File Access 37-21
  • Page 25 37-49; Creating a Capture File 37-50; Using a Browser to Display Capture Data 37-50; Chapter 38: Configuring SSL VPN Client 38-1; Installing SVC 38-1; Platform Requirements 38-1
  • Page 26 Exporting a Trustpoint Configuration 39-15; Importing a Trustpoint Configuration 39-15; Configuring CA Certificate Map Rules 39-15; Chapter 40: Managing System Access 40-1; Allowing Telnet Access 40-1
  • Page 27 41-8; Backing Up a Context Configuration within a Context 41-9; Copying the Configuration from the Terminal Display 41-9; Configuring Auto Update Support 41-9; Configuring Communication with an Auto Update Server 41-9
  • Page 28 Changing the Severity Level of a System Log Message 42-21; Changing the Amount of Internal Flash Memory Available for Logs 42-22; Understanding System Log Messages 42-23; System Log Message Format 42-23; Severity Levels 42-23
  • Page 29 Example 1: Customer B Context Configuration; Example 1: Customer C Context Configuration; Example 2: Single Mode Firewall Using Same Security Level; Example 3: Shared Resources for Multiple Contexts; Example 3: System Configuration
  • Page 30 Example 14: ASA 5505 Base License B-34; Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-36; Example 15: Primary Unit Configuration B-36; Example 15: Secondary Unit Configuration B-38
  • Page 31 Determining the Address to Use with the Subnet Mask; IPv6 Addresses; IPv6 Address Format; IPv6 Address Types; Unicast Addresses; Multicast Address; Anycast Address; Required Addresses D-10; IPv6 Address Prefixes D-10; Protocols and Applications D-11; TCP and UDP Ports D-11
  • Page 32 Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22; Configuring an External RADIUS Server E-24; Reviewing the RADIUS Configuration Procedure E-24; Security Appliance RADIUS Authorization Attributes E-25; Glossary; Index
  • Page 33: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550).
  • Page 34: Related Documentation

    Cisco ASDM Release Notes; Cisco PIX 515E Quick Start Guide; Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0; Migrating to ASA for VPN 3000 Series Concentrator Administrators; Cisco Security Appliance Command Reference...
  • Page 35 Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks. Chapter 25, “Configuring Application Layer Protocol Inspection”: Describes how to use and configure application inspection.
  • Page 36 Chapter 41, “Managing Software, Licenses, and Configurations”: Describes how to enter license keys and download software and configuration files. Chapter 42, “Monitoring the Security Appliance”: Describes how to monitor the security appliance.
  • Page 37: Document Conventions

    Variables for which you must supply a value are shown in italic screen font. Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
  • Page 38: Documentation Feedback

    The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet.
  • Page 39 We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
  • Page 40 Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 41 Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 42 Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 43 Part: Getting Started and General Information...
  • Page 45 WebVPN support, and many more features. See Appendix A, “Feature Licenses and Specifications,” for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.
  • Page 46 Using AAA for Through Traffic: You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
  • Page 47 TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal. Firewall Mode Overview: The security appliance runs in two different firewall modes: Routed; Transparent.
  • Page 48 The fast path is responsible for the following tasks: IP checksum verification; Session lookup; TCP sequence number check; NAT translations based on existing sessions; Layer 3 and Layer 4 header adjustments.
  • Page 49: Intrusion Prevention Services Functional Overview

    The security appliance invokes various standard protocols to accomplish these functions. Intrusion Prevention Services Functional Overview: The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
  • Page 50: Security Context Overview

    Note: You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.
  • Page 51: Chapter 2 Getting Started

    Factory Default Configurations: The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances.
  • Page 52: Restoring The Factory Default Configuration

    All inside IP addresses are translated when accessing the outside using interface PAT. By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
  • Page 53: Asa 5510 And Higher Default Configuration

    The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
  • Page 54: Pix 515/515E Default Configuration

    Note: If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration; see the “Factory Default Configurations” section on page 2-1). On the...
  • Page 55: Setting Transparent Or Routed Firewall Mode

    You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space.
  • Page 56: Working With The Configuration

    Creating Text Configuration Files Offline, page 2-9. Saving Configuration Changes: This section describes how to save your configuration, and includes the following topics: Saving Configuration Changes in Single Context Mode, page 2-7
  • Page 57: Saving Configuration Changes In Single Context Mode

    Sometimes, a context is not saved because of an error. See the following information for errors: For contexts that are not saved because of low memory, the following message appears: The context 'context a' could not be saved due to Unavailability of resources
  • Page 58: Copying The Startup Configuration To The Running Configuration

    Viewing the Configuration: The following commands let you view the running and startup configurations. To view the running configuration, enter the following command: hostname# show running-config
  • Page 59: Clearing And Removing Configuration Settings

    Alternatively, you can download a text file to the security appliance internal Flash memory. See Chapter 41, “Managing Software, Licenses, and Configurations,” for information on downloading the configuration file to the security appliance.
  • Page 60 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
  • Page 61 You are a large enterprise or a college campus and want to keep departments completely separate. You are an enterprise that wants to provide distinct security policies to different departments. You have any network that requires more than one security appliance.
  • Page 62: Chapter 3 Enabling Multiple Context Mode

    Flash memory called admin.cfg. This context is named “admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.
  • Page 63: How The Security Appliance Classifies Packets

    IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context: Context A:
  • Page 64: Invalid Classifier Criteria
  • Page 65: Classification Examples

    (Figure: classification example showing the Admin Context, Context A and Context B on subinterfaces GE 0/1.1, GE 0/1.2 and GE 0/1.3 with MAC addresses 000C.F142.4CDA, 000C.F142.4CDB and 000C.F142.4CDC; Inside Admin Network, Inside Customer A and Customer B hosts at 209.165.202.129, 209.165.200.225 and 209.165.201.1.)
  • Page 66 (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.
  • Page 67 (Figure: Incoming Traffic from Inside Networks, with the Internet on GE 0/0.1 and the classifier sending traffic to the Admin Context, Context A and Context B on GE 0/1.1, GE 0/1.2 and GE 0/1.3; the Inside Admin Network, Inside Customer A and Customer B each have a host at 10.1.1.13.)
  • Page 68: Cascading Security Contexts

    Note: Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.
  • Page 69: Management Access To Security Contexts

    To log in with a username, enter the login command. For example, you log in to the admin context with the
  • Page 70: Context Administrator Access

    Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 71: Restoring Single Context Mode

    Step 2: To set the mode to single mode, enter the following command in the system execution space: hostname(config)# mode single The security appliance reboots.
  • Page 72 Chapter 3 Enabling Multiple Context Mode: Enabling or Disabling Multiple Context Mode
  • Page 73: Configuring Switch Ports And Vlan Interfaces For The Cisco Asa 5505 Adaptive Security Appliance

    Chapter 4: Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance. This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
  • Page 74: Understanding Asa 5505 Ports And Interfaces

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Interface Overview. Understanding ASA 5505 Ports and Interfaces: The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that...
  • Page 75: Default Interface Configuration

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Interface Overview. (Figure 4-1: ASA 5505 Adaptive Security Appliance with Base License, showing the Internet, the ASA 5505 with Base License, Home and Business.) With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 76: Vlan Mac Addresses

    “Configuring Switch Ports as Access Ports” section on page 4-9 for more information about shutting down a switch port. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command. Monitoring Traffic Using SPAN: If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also known as switch port monitoring.
  • Page 77: Security Level Overview

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring VLAN Interfaces. Security Level Overview: Each VLAN interface must have a security level in the range 0 to 100 (from lowest to highest). For example, you should assign your most secure network, such as the inside business network, to level 100.
  • Page 78 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring VLAN Interfaces. Note: If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 14, “Configuring Failover,”...
  • Page 79 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring VLAN Interfaces. You can configure up to five VLANs with the Security Plus license. You can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP.
  • Page 80 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring VLAN Interfaces. By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique VLANs or change the generated VLANs if your switch requires it, or for access control purposes.
  • Page 81: Configuring Switch Ports As Access Ports

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring Switch Ports as Access Ports. hostname(config-if)# interface vlan 200 hostname(config-if)# nameif business hostname(config-if)# security-level 100 hostname(config-if)# ip address 10.1.1.1 255.255.255.0 hostname(config-if)# no shutdown...
  • Page 82 The auto setting is the default. If you set the speed to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
  • Page 83: Configuring A Switch Port As A Trunk Port

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring a Switch Port as a Trunk Port. hostname(config-if)# interface ethernet 0/1 hostname(config-if)# switchport access vlan 200 hostname(config-if)# no shutdown hostname(config-if)# interface ethernet 0/2...
  • Page 84 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Configuring a Switch Port as a Trunk Port. Step 3: To make this switch port a trunk port, enter the following command: hostname(config-if)# switchport mode trunk To restore this port to access mode, enter the switchport mode access command.
  • Page 85: Allowing Communication Between Vlan Interfaces On The Same Security Level

    Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Allowing Communication Between VLAN Interfaces on the Same Security Level. hostname(config-if)# interface ethernet 0/1 hostname(config-if)# switchport mode trunk hostname(config-if)# switchport trunk allowed vlan 200 300...
  • Page 86 Chapter 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance, Allowing Communication Between VLAN Interfaces on the Same Security Level.
  • Page 87: Chapter 5 Configuring Ethernet Settings And Subinterfaces

    To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Note Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: Configuring and Enabling RJ-45 Interfaces, page 5-1 •...
  • Page 88: Configuring And Enabling Fiber Interfaces

    By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it or through a subinterface. For multiple context mode, if you allocate a Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 89: Configuring And Enabling Subinterfaces

    This feature is particularly useful in multiple context mode so you can assign unique interfaces to each context. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses and Specifications.” Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 90 To disable the interface, enter the shutdown command. If you shut down an interface in the system execution space, then that interface is shut down in all contexts that share it. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 91 The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics: • Resource Limits, page 6-2 • Default Class, page 6-3 • Class Members, page 6-4
  • Page 92: Chapter 6 Adding And Managing Security Contexts

    Contexts A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.
  • Page 93: Default Class

    By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context: • Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries.
  • Page 94: Class Members

    Step 2 To set the resource limits, see the following options: • To set all resource limits (shown in Table 6-1) to be unlimited, enter the following command: hostname(config-resmgmt)# limit-resource all 0
  • Page 95 Table 6-1 lists the resource types and the limits. See also the show resource types command.
  • Page 96 For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the following commands: hostname(config)# class default hostname(config-class)# limit-resource conns 10% All other resources remain at unlimited. To add a class called gold, enter the following commands: hostname(config)# class gold
  • Page 97: Configuring A Security Context

    • To allocate a physical interface, enter the following command: hostname(config-ctx)# allocate-interface physical_interface [map_name] [visible | invisible] • To allocate one or more subinterfaces, enter the following command: hostname(config-ctx)# allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
  • Page 98 The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8. hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1 hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2 hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
  • Page 99 The server must be accessible from the admin context. The filename does not require a file extension, although we recommend using “.cfg”. If the configuration file is not available, you see the following message: WARNING: Could not fetch the URL http://url INFO: Creating context with default config
  • Page 100 For example, to assign the context to the gold class, enter the following command: hostname(config-ctx)# member gold Step 6 To view context information, see the show context command in the Cisco Security Appliance Command Reference. The following example sets the admin context to be “administrator,” creates a context called “administrator”...
  • Page 101: Automatically Assigning Mac Addresses To Context Interfaces

    The running configuration that you edit in a configuration mode, or that is used in the copy or write commands,
  • Page 102: Managing Security Contexts

    To remove a single context, enter the following command in the system execution space: hostname(config)# no context name All context commands are also removed. • To remove all contexts (including the admin context), enter the following command in the system execution space:
  • Page 103: Changing The Admin Context

    If you want to perform a merge, skip to Step 2. hostname# changeto context name hostname/name# configure terminal hostname/name(config)# clear configure all Step 2 If required, change to the system execution space by entering the following command: hostname/name(config)# changeto system
  • Page 104: Reloading A Security Context

    Step 4 To reload the configuration, enter the following command: hostname/name(config)# copy startup-config running-config The security appliance copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
  • Page 105: Reloading By Removing And Re-Adding The Context

    Lists all context names. The context name with the asterisk (*) is the admin context. Interfaces: The interfaces assigned to the context. The URL from which the security appliance loads the context configuration.
  • Page 106: Viewing Resource Allocation

    Real Interfaces: Mapped Interfaces: Flags: 0x00000009, ID: 258 See the Cisco Security Appliance Command Reference for more information about the detail output. The following is sample output from the show context count command: hostname# show context count Total active contexts: 2...
  • Page 107 200000 200000 20.00% silver 100000 100000 10.00% bronze 50000 All Contexts: 300000 30.00% Hosts default unlimited gold unlimited silver 26214 26214 bronze 13107 All Contexts: 26214 default gold 5.00%
  • Page 108 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank. If the resource does not have a system limit, then this column shows N/A.
  • Page 109: Viewing Resource Usage

    This sample shows the limits for 6 contexts. hostname# show resource usage summary Resource Current Peak Limit Denied Context Syslogs [rate] 1743 2132 0 Summary Conns 280000(S) 0 Summary
  • Page 110: Monitoring Syn Attacks In Contexts

    The following is sample output from the show perfmon command that shows the rate of TCP intercepts for a context called admin. hostname/admin# show perfmon Context:admin PERFMON STATS: Current Average Xlates
  • Page 111 0 system chunk:channels unlimited 0 system chunk:dbgtrace unlimited 0 system chunk:fixup unlimited 0 system chunk:ip-users unlimited 0 system chunk:list-elem 1014 1014 unlimited 0 system chunk:list-hdr unlimited 0 system chunk:route unlimited 0 system
  • Page 112 0 Summary tcp-intercept-rate 341306 811579 unlimited 0 Summary globals unlimited 0 Summary np-statics unlimited 0 Summary statics 0 Summary nats 0 Summary ace-rules 0 Summary console-access-rul 0 Summary fixup-rules 0 Summary
  • Page 113: Chapter 7 Configuring Interface Parameters

    Note To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance.” This chapter includes the following sections: • Security Level Overview, page 7-1...
  • Page 114: Configuring The Interface

    If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
  • Page 115 Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
  • Page 116 “Automatically Assigning MAC Addresses to Context Interfaces” section on page 6-11 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
  • Page 117 The following example configures parameters in multiple context mode for the context configuration: hostname/contextA(config)# interface gigabitethernet0/1.1 hostname/contextA(config-if)# nameif inside hostname/contextA(config-if)# security-level 100 hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0 hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDE hostname/contextA(config-if)# no shutdown
  • Page 118: Allowing Communication Between Interfaces On The Same Security Level

    To enable interfaces on the same security level so that they can communicate with each other, enter the following command: hostname(config)# same-security-traffic permit inter-interface To disable this setting, use the no form of this command.
  • Page 119: Changing The Login Password

    • Setting the Management IP Address for a Transparent Firewall, page 8-5 Changing the Login Password The login password is used for Telnet and SSH connections. By default, the login password is “cisco.” To change the password, enter the following command: hostname(config)# {passwd | password} password You can enter passwd or password.
  • Page 120: Setting The Hostname

    Time derived from an NTP server overrides any time set manually. This section also describes how to set the time zone and daylight saving time date range. Note In multiple context mode, set the time in the system configuration only.
  • Page 121: Setting The Time Zone And Daylight Saving Time Date Range

    The week value specifies the week of the month as an integer between 1 and 4 or as the words first or last. For example, if the day might fall in the partial fifth week, then specify last.
  • Page 122: Setting The Date And Time Using An Ntp Server

    3 that is preferred. You can identify multiple servers; the security appliance uses the most accurate server. Setting the Date and Time Manually To set the date and time manually, enter the following command:
  • Page 123: Setting The Management Ip Address For A Transparent Firewall

    (255.255.255.255). This address must be IPv4; the transparent firewall does not support IPv6. The standby keyword and address are used for failover. See Chapter 14, “Configuring Failover,” for more information.
  • Page 124: Chapter 8 Configuring Basic Settings, Setting the Management IP Address for a Transparent Firewall
  • Page 125: Chapter 9 Configuring Ip Routing

    If you have servers that cannot all be reached through a single default route, then you must configure static routes. The security appliance supports up to three equal cost routes on the same interface for load balancing.
  • Page 126: Configuring A Static Route

    The security appliance distributes the traffic among the specified gateways. hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2 hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3
  • Page 127: Configuring A Default Route

    This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.
  • Page 128 The track_id is a tracking number you assign with this command. The sla_id is the ID number of the SLA process you defined in Step. Step 3 Define the static route to be installed in the routing table while the tracked object is reachable, using one of the following options:
  • Page 129 To use a default route obtained through PPPoE, enter the following commands: hostname(config)# interface phy_if hostname(config-if)# pppoe client route track track_id hostname(config-if)# pppoe client route distance admin_distance hostname(config-if)# ip address pppoe setroute hostname(config-if)# exit
  • Page 130: Defining Route Maps

    If you specify more than one ACL, then the route can match any of the ACLs. • To match the route type, enter the following command: hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]} Step 3 Enter one or more set commands.
  • Page 131: Configuring Ospf

    • Configuring Route Calculation Timers, page 9-16 • Logging Neighbors Going Up or Down, page 9-17 • Displaying OSPF Update Packet Pacing, page 9-17 • Monitoring OSPF, page 9-18 • Restarting the OSPF Process, page 9-18
  • Page 132: Ospf Overview

    IDs associated with that range of IP addresses. To enable OSPF, perform the following steps: Step 1 To create an OSPF routing process, enter the following command: hostname(config)# router ospf process_id
  • Page 133: Redistributing Routes Into Ospf

    LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1. hostname(config)# route-map 1-to-2 permit hostname(config-route-map)# match metric 1 hostname(config-route-map)# set metric 5 hostname(config-route-map)# set metric-type type-1
  • Page 134: Configuring Ospf Interface Parameters

    • To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command: hostname(config-interface)# ospf dead-interval seconds The value must be the same for all nodes on the network.
  • Page 135 10 hostname(config-interface)# ospf dead-interval 40 hostname(config-interface)# ospf authentication-key cisco hostname(config-interface)# ospf message-digest-key 1 md5 cisco hostname(config-interface)# ospf authentication message-digest The following is sample output from the show ospf command:
  • Page 136: Configuring Ospf Area Parameters

    • To enable MD5 authentication for an OSPF area, enter the following command: hostname(config-router)# area area-id authentication message-digest • To define an area to be a stub area, enter the following command: hostname(config-router)# area area-id stub [no-summary]
  • Page 137: Configuring Ospf Nssa

    This command helps reduce the size of the routing table. Using this command for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address.
  • Page 138: Configuring Route Summarization Between Ospf Areas

    LSA. However, you can configure the security appliance to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.
  • Page 139: Defining Static Ospf Neighbors

    The addr argument is the IP address of the OSPF neighbor. The if_name is the interface used to communicate with the neighbor. If the OSPF neighbor is not on the same network as any of the directly connected interfaces, you must specify the interface.
  • Page 140: Generating A Default Route

    SPF calculations can be done, one immediately after the other. The following example shows how to configure route calculation timers: hostname(config)# router ospf 1 hostname(config-router)# timers spf 10 120
  • Page 141: Logging Neighbors Going Up Or Down

    There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, enter the following command: hostname# show ospf flood-list if_name
  • Page 142: Monitoring Ospf

    [process-id] virtual-links Restarting the OSPF Process To restart an OSPF process, or to clear redistribution or counters, enter the following command: hostname(config)# clear ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}
  • Page 143: Configuring Rip

    Step 4 (Optional) To generate a default route into RIP, enter the following command: hostname(config-router)# default-information originate Step 5 (Optional) To specify an interface to operate in passive mode, enter the following command: hostname(config-router)# passive-interface [default | if_name]
  • Page 144: Redistributing Routes Into The Rip Routing Process

    • To redistribute connected routes into the RIP routing process, enter the following command: hostname(config-router)# redistribute connected [metric {metric_value | transparent}] [route-map map_name] • To redistribute static routes into the RIP routing process, enter the following command:
  • Page 145: Configuring Rip Send/Receive Version On An Interface

    The security appliance supports RIP message authentication for RIP Version 2 messages. To enable RIP message authentication, perform the following steps: Step 1 Enter interface configuration mode for the interface you are configuring by entering the following command: hostname(config)# interface phy_if
  • Page 146: Monitoring Rip

    Use the following debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Debugging output is assigned high priority in the CPU process and can render the system unusable. It is best to use debug commands during periods of lower network traffic and fewer users.
  • Page 147: How The Routing Table Is Populated

    Because the routing protocols have metrics based on algorithms that are different from the other protocols, it is not always possible to determine the “best path” for two routes to the same destination that were generated by different routing protocols.
  • Page 148: Backup Routes

    • If the destination does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.
  • Page 149 192.168.32.0/24 network. It also falls within the other route in the routing table, but the 192.168.32.0/24 has the longest prefix within the routing table (24 bits versus 19 bits). Longer prefixes are always preferred over shorter ones when forwarding a packet.
  • Page 150: Chapter 9 Configuring IP Routing, The Routing Table
  • Page 151: Configuring A Dhcp Server

    This section describes how to configure the DHCP server provided by the security appliance. This section includes the following topics: • Enabling the DHCP Server, page 10-2 • Configuring DHCP Options, page 10-3 • Using Cisco IP Phones with a DHCP Server, page 10-4
  • Page 152: Enabling The Dhcp Server

    To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets.
  • Page 153: Configuring Dhcp Options

    46 ascii hello command and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132.
  • Page 154: Using Cisco Ip Phones With A Dhcp Server

    Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.
  • Page 155: Configuring Dhcp Relay Services

    Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command: hostname(config)# dhcprelay enable interface Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following command:
  • Page 156: Configuring Dynamic Dns

    • Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration, page 10-7 • Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs, page 10-8
  • Page 157 Ethernet0 hostname(config-if)# ddns update ddns-2 hostname(config-if)# ddns update hostname asa.example.com hostname(config-if)# ip address dhcp Step 4 To configure the DHCP server, enter the following command: hostname(config-if)# dhcpd update dns
  • Page 158: Client And Updates Both Rrs

    Ethernet0 hostname(config-if)# dhcp client update dns both hostname(config-if)# ddns update hostname asa Step 2 To configure the DHCP server, enter the following commands: hostname(config-if)# dhcpd update dns hostname(config-if)# dhcpd domain example.com
  • Page 159: Example 5: Client Updates A Rr; Server Updates Ptr Rr

    • Enabling WCCP Redirection, page 10-10 WCCP Feature Support The following WCCPv2 features are supported with the security appliance: • Redirection of multiple TCP/UDP port-destined traffic. • Authentication for cache engines in a service group.
  • Page 160: Wccp Interaction With Other Features

    To configure WCCP redirection, perform the following steps: Step 1 To enable a WCCP service group, enter the following command: hostname(config)# wccp {web-cache | service_number} [redirect-list access_list] [group-list access_list] [password password]
  • Page 161 For example, to enable the standard web-cache service and redirect HTTP traffic that enters the inside interface to a web cache, enter the following commands: hostname(config)# wccp web-cache hostname(config)# wccp interface inside web-cache redirect in
  • Page 162: Chapter 10 Configuring DHCP, DDNS, and WCCP Services, Configuring Web Cache Services Using WCCP
  • Page 163: Configuring Multicast Routing

    The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point. If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as Note the RP address. Cisco Security Appliance Command Line Configuration Guide 11-13 OL-10088-01...
  • Page 164: Enabling Multicast Routing

    Limiting the Number of IGMP States on an Interface, page 11-16 • Modifying the Query Interval and Query Timeout, page 11-16 Changing the Query Response Time, page 11-17 • Changing the IGMP Version, page 11-17 • Cisco Security Appliance Command Line Configuration Guide 11-14 OL-10088-01...
  • Page 165: Disabling Igmp On An Interface

    Create an access list for the multicast traffic. You can create more than one entry for a single access list. Step 1 You can use extended or standard access lists. To create a standard access list, enter the following command: • Cisco Security Appliance Command Line Configuration Guide 11-15 OL-10088-01...
  • Page 166: Limiting The Number Of Igmp States On An Interface

    (by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command: hostname(config-if)# igmp query-timeout seconds Cisco Security Appliance Command Line Configuration Guide 11-16 OL-10088-01...
  • Page 167: Changing The Query Response Time

    In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another. Static multicast routes are not advertised or redistributed. Cisco Security Appliance Command Line Configuration Guide 11-17 OL-10088-01...
  • Page 168: Disabling Pim On An Interface

    You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command: hostname(config-if)# no pim To reenable PIM on an interface, enter the following command: hostname(config-if)# pim Only the no pim command appears in the interface configuration. Note Cisco Security Appliance Command Line Configuration Guide 11-18 OL-10088-01...
  • Page 169: Configuring A Static Rendezvous Point Address

    Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. You can change this value by entering the following command: Cisco Security Appliance Command Line Configuration Guide 11-19 OL-10088-01...
  • Page 170: Configuring A Multicast Boundary

    For example the following access list, when used with the pim neighbor-filter command, prevents the 10.1.1.1 router from becoming a PIM neighbor: hostname(config)# access-list pim_nbr deny 10.1.1.1 255.255.255.255 Use the pim neighbor-filter command on an interface to filter the neighbor routers. Step 2 Cisco Security Appliance Command Line Configuration Guide 11-20 OL-10088-01...
  • Page 171: Supporting Mixed Bidirctional/Sparse-Mode Pim Networks

    For More Information about Multicast Routing The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature: • RFC 2236 IGMPv2 Cisco Security Appliance Command Line Configuration Guide 11-21 OL-10088-01...
  • Page 172 Chapter 11 Configuring Multicast Routing For More Information about Multicast Routing RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt • Cisco Security Appliance Command Line Configuration Guide 11-22 OL-10088-01...
  • Page 173: Chapter 12 Configuring Ipv6

    • configure • copy • http • name • object-group • • ping show conn • • show local-host show tcpstat • • telnet • tftp-server • • write • Cisco Security Appliance Command Line Configuration Guide 12-1 OL-10088-01...
  • Page 174 Configuring IPv6 Default and Static Routes, page 12-5 • Configuring IPv6 Access Lists, page 12-6 • Configuring IPv6 Neighbor Discovery, page 12-7 • Configuring a Static IPv6 Neighbor, page 12-11 • Cisco Security Appliance Command Line Configuration Guide 12-2 OL-10088-01...
  • Page 175: Configuring Ipv6 On An Interface

    Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address. hostname(config-if)# ipv6 address ipv6-address [eui-64] Cisco Security Appliance Command Line Configuration Guide 12-3 OL-10088-01...
  • Page 176: Configuring A Dual Ip Stack On An Interface

    When the link local address is verified as unique, then duplicate address detection is performed all the other IPv6 unicast addresses on the interface. Cisco Security Appliance Command Line Configuration Guide 12-4 OL-10088-01...
  • Page 177: Configuring Ipv6 Default And Static Routes

    %PIX|ASA-6-110001: No route to dest_address from source_address You can add a default route and static routes using the ipv6 route command. To configure an IPv6 default route and static routes, perform the following steps: Cisco Security Appliance Command Line Configuration Guide 12-5 OL-10088-01...
  • Page 178: Configuring Ipv6 Access Lists

    • can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr. Cisco Security Appliance Command Line Configuration Guide 12-6 OL-10088-01...
  • Page 179: Configuring Ipv6 Neighbor Discovery

    After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 12-1 shows the neighbor solicitation and response process. Cisco Security Appliance Command Line Configuration Guide 12-7 OL-10088-01...
  • Page 180 IPv6 operation. To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command: hostname(config-if)# ipv6 nd reachable-time value Cisco Security Appliance Command Line Configuration Guide 12-8 OL-10088-01...
  • Page 181: Configuring Router Advertisement Messages

    When a router advertisement is sent in response to a router solicitation, the destination address in the router advertisement message is the unicast address of the source of the router solicitation message. Cisco Security Appliance Command Line Configuration Guide 12-9...
  • Page 182 To configure which IPv6 prefixes are included in IPv6 router advertisements, enter the following command: hostname(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits. Cisco Security Appliance Command Line Configuration Guide 12-10 OL-10088-01...
  • Page 183: Configuring A Static Ipv6 Neighbor

    Excluding the name from the command displays the setting for all interfaces that have IPv6 enabled on them. The output for the command shows the following: The name and status of the interface. • The link-local and global unicast addresses. • Cisco Security Appliance Command Line Configuration Guide 12-11 OL-10088-01...
  • Page 184: The Show Ipv6 Route Command

    O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 fe80::/10 [0/0] via ::, inside fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside fec0:0:0:a::/64 [0/0] via ::, inside ff00::/8 [0/0] via ::, inside Cisco Security Appliance Command Line Configuration Guide 12-12 OL-10088-01...
  • Page 185: Configuring Aaa Servers And The Local Database

    • About Accounting, page 13-2. About Authentication: Authentication controls access by requiring valid user credentials, which are typically a username and password. You can configure the security appliance to authenticate the following items: ...
  • Page 186: About Authorization

    The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database. This section contains the following topics: • Summary of Support, page 13-3
  • Page 187: Summary Of Support

    RADIUS authentication response. 4. Local command authorization is supported by privilege level only. 5. Command accounting is available for TACACS+ only. RADIUS Server Support: The security appliance supports RADIUS servers.
  • Page 188: Authentication Methods

    • Accounting attributes defined in RFC 2139. • RADIUS attributes for tunneled protocol support, defined in RFC 2868. • Cisco IOS VSAs, identified by RADIUS vendor ID 9. • Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076. • Microsoft VSAs, defined in RFC 2548.
  • Page 189: Sdi Version Support

    Note: The security appliance does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the security appliance. For a simple Kerberos server configuration example, see Example 13-2.
  • Page 190: Ldap Server Support

    Note: If you do not configure SASL, we strongly recommend that you secure LDAP communications with SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference. When user LDAP authentication has succeeded, the LDAP server returns the attributes for the authenticated user.
  • Page 191: Authorization With Ldap For Vpn

    LDAP. This example then creates an IPSec remote access tunnel group named remote-1, and assigns that new tunnel group to the previously created ldap_dir_1 AAA server for authorization.
    hostname(config)# tunnel-group remote-1 type ipsec-ra
    hostname(config)# tunnel-group remote-1 general-attributes
    hostname(config-general)# authorization-server-group ldap_dir_1
    hostname(config-general)#
  • Page 192: Ldap Attribute Mapping

    You must create LDAP attribute maps that map your existing user-defined attribute names and values to Cisco attribute names and values that are compatible with the security appliance. You can then bind these attribute maps to LDAP servers or remove them as needed.
  • Page 193: Sso Support For Webvpn With Http Forms

    Appendix E, “Configuring an External Server for Authorization and Authentication”. Alternatively, you can enter “?” within ldap-attribute-map mode to display the complete list of Cisco LDAP attribute names, as shown in the following example:
    hostname(config)# ldap attribute-map att_map_1
    hostname(config-ldap-attribute-map)# map-name att_map_1 ?
  • Page 194: User Profiles

    Caution: If you add to the local database users who can gain access to the CLI but who should not be allowed to enter privileged mode, enable command authorization. (See the “Configuring Local Command Authorization” section on page 40-7.) Without command authorization, users can access privileged ...
  • Page 195 When you enter a username attributes command, you enter username mode. The commands available in this mode are as follows: • group-lock • password-storage • vpn-access-hours • vpn-filter • vpn-framed-ip-address • vpn-group-policy • vpn-idle-timeout • vpn-session-timeout • vpn-simultaneous-logins • vpn-tunnel-protocol
  • Page 196: Identifying Aaa Server Groups And Servers

    Use these commands as needed to configure the user profile. For more information about these commands, see the Cisco Security Appliance Command Reference. When you have finished configuring the user profiles, enter exit to return to config mode. For example, the following command assigns a privilege level of 15 to the admin user account: ...
  • Page 197 Where a command is applicable to the server type you specified and no default value is provided (indicated by “—”), use the command to specify the value. For more information about these commands, see the Cisco Security Appliance Command Reference.
  • Page 198 Example 13-1 Multiple AAA Server Groups and Servers
    hostname(config)# aaa-server AuthInbound protocol tacacs+
    hostname(config-aaa-server-group)# max-failed-attempts 2
    hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
    hostname(config-aaa-server-host)# key TACPlusUauthKey
  • Page 199: Using Certificates And User Login Credentials

    – Enabled by authentication server group setting
    – Uses the username and password as credentials
    • Authorization
    – Enabled by authorization server group setting
    – Uses the username as a credential
  • Page 200: Using Certificates

    Server, it will not be granted access to the private network protected by the Integrity Server and security appliance. This section includes the following topics: • Overview of Integrity Server and Security Appliance Interaction, page 13-17 • Configuring Integrity Server Support, page 13-17
  • Page 201: Overview Of Integrity Server And Security Appliance Interaction

    The following commands ensure that the security appliance waits 12 seconds for a response from either the active or standby Integrity servers before declaring the Integrity server as failed and closing the VPN client connections:
    hostname(config)# zonelabs-integrity fail-timeout 12
    hostname(config)# zonelabs-integrity fail-close
    hostname(config)#
  • Page 202 “Configuring Firewall Policies” section on page 30-54. The command arguments that specify firewall policies are not used when the firewall type is zonelabs-integrity because the Integrity server determines the policies.
  • Page 203: Understanding Failover

    Note: VPN failover is not supported on units running in multiple context mode. VPN failover is available for Active/Standby failover configurations only. This section includes the following topics: • Failover System Requirements, page 14-2
  • Page 204: Chapter 14 Configuring Failover

    24 hours until the unit is returned to failover duty. A unit with an FO or FO_AA license operates in standalone mode if it is booted without being connected to a failover peer ...
  • Page 205: The Failover And Stateful Failover Links

    Failover cable. On the ASA 5500 series adaptive security appliance, the failover link can only be a LAN-based connection. This section includes the following topics: • LAN-Based Failover Link, page 14-4 • Serial Cable Failover Link (PIX Security Appliance Only), page 14-4
  • Page 206 • The cable determines which unit is primary and which is secondary, eliminating the need to manually enter that information in the unit configurations. The disadvantages include: • Distance limitation—the units cannot be separated by more than 6 feet. • Slower configuration replication.
  • Page 207: Stateful Failover Link

    Note: Enable the PortFast option on Cisco switch ports that connect directly to the security appliance. If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
  • Page 208: Active/Active And Active/Standby Failover

    MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.
  • Page 209 You do not have to save the active configuration to Flash memory to replicate the commands.
  • Page 210 For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active unit, the action taken by the standby unit, and any special notes about the failover condition and actions.
  • Page 211: Active/Active Failover

    • Failover Actions, page 14-13. Active/Active Failover Overview: Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.
  • Page 212 When a unit boots while the peer unit is active (with both failover groups in the active state), the failover groups remain in the active state on the active unit regardless of the primary or secondary preference of the failover group until one of the following: ...
  • Page 213 • Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
  • Page 214 See the “Failover Health Monitoring” section on page 14-15 for more information about interface and unit monitoring.
  • Page 215 Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  • Page 216: Determining Which Type Of Failover To Use

    Supported end-user applications are not required to reconnect to keep the same communication session. The state information passed to the standby unit includes the following: • NAT translation table. • TCP connection states.
  • Page 217: Failover Health Monitoring

    Note: If failover occurs during an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
  • Page 218: Interface Monitoring

    If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.
  • Page 219: Failover Feature/Platform Matrix

    Active unit interface up, but connection problem causes interface testing: 5 seconds, 25 seconds, 75 seconds. Configuring Failover: This section describes how to configure failover and includes the following topics: • Failover Configuration Limitations, page 14-18
  • Page 220: Failover Configuration Limitations

    The primary unit is the unit that has the end of the cable labeled “Primary” plugged into it. For devices in multiple context mode, the commands are entered in the system execution space unless otherwise noted.
  • Page 221 IP addresses for the interface. The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby IP address subnet mask.
  • Page 222: Configuring Lan-Based Active/Standby Failover

    (routed mode), for the management IP address (transparent mode), or for the management-only interface. The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.
  • Page 223 (Optional) To enable Stateful Failover, configure the Stateful Failover link. Note: Stateful Failover is not available on the ASA 5505 series adaptive security appliance. Specify the interface to be used as Stateful Failover link:
    hostname(config)# failover link if_name phy_if
  • Page 224 For multiple context mode, all steps are performed in the system execution space unless noted otherwise. To configure the secondary unit, perform the following steps: Step 1 (PIX security appliance only) Enable LAN-based failover:
    hostname(config)# failover lan enable
  • Page 225: Configuring Optional Active/Standby Failover Settings

    • Enabling HTTP Replication with Stateful Failover, page 14-24 • Disabling and Enabling Interface Monitoring, page 14-24 • Configuring Interface Health Monitoring, page 14-24 • Configuring Failover Criteria, page 14-25 • Configuring Virtual MAC Addresses, page 14-25
  • Page 226 To change the interface poll time, enter the following command in global configuration mode:
    hostname(config)# failover polltime interface [msec] time [holdtime time]
  • Page 227 MAC address is assigned to an interface: The mac-address command (in interface configuration mode) address. The failover mac address command address. The mac-address auto command generated address.
  • Page 228: Configuring Active/Active Failover

    The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. You must enter a management IP address for each context in transparent firewall multiple context mode.
  • Page 229 Any unassigned contexts are automatically assigned to failover group 1. The admin context is always a member of failover group 1. Enter the following commands to assign each context to a failover group: ...
  • Page 230: Configuring Lan-Based Active/Active Failover

    The command prompt changes to hostname/context(config-if)#, where context is the name of the current context. In transparent firewall mode, you must enter a management IP address for each context.
  • Page 231 Note: If the Stateful Failover link uses the failover link or a regular data interface, skip this step. You have already defined the active and standby IP addresses for the interface.
  • Page 232 This allows the secondary unit to communicate with and receive the running configuration from the primary unit. To bootstrap the secondary unit in an Active/Active failover configuration, perform the following steps: Step 1 (PIX security appliance only) Enable LAN-based failover: ...
  • Page 233 To force a failover group to become active on the secondary unit, enter the following command in the system execution space on the primary unit:
    hostname# no failover active group group_id
    The group_id argument specifies the group you want to become active on the secondary unit.
  • Page 234: Configuring Optional Active/Active Failover Settings

    To enable HTTP state replication for both failover groups, you must enter this command in each group. This command should be entered in the system execution space.
    hostname(config)# failover group {1 | 2}
    hostname(config-fover-group)# replication http
  • Page 235 Active/Active failover uses virtual MAC addresses on all interfaces. If you do not specify the virtual MAC addresses, then they are computed as follows: • Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01. • Standby unit default MAC address: 00a0.c9physical_port_number.failover_group_id02.
  • Page 236 2 header is rewritten and the packet is re-injected into the stream. Note: Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option.
  • Page 237 A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
  • Page 238: Configuring Unit Health Monitoring

    1 to 63 characters. The characters can be any combination of numbers, letters, or punctuation. The hex key argument specifies a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
  • Page 239: Verifying The Failover Configuration

    This host: Primary - Active
    Active time: 13434 (sec)
    Interface inside (10.130.9.3): Normal
    Interface outside (10.132.9.3): Normal
    Other host: Secondary - Standby Ready
    Active time: 0 (sec)
    Interface inside (10.130.9.4): Normal
    Interface outside (10.132.9.4): Normal
  • Page 240 Interface outside (192.168.5.131): Normal
    Interface inside (192.168.0.11): Normal
    Stateful Failover Logical Update Statistics
    Status: Configured.
    Stateful Obj xmit xerr rerr
    RPC services, TCP conn, UDP conn, ARP tbl, Xlate_Timeout, GTP PDP, GTP PDPMCB
  • Page 241 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, also shows a value. slot x: Information about the module in the slot or empty.
  • Page 242 Dynamic UDP connection information. ARP tbl: Dynamic ARP table information. L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only). Xlate_Timeout: Indicates connection translation timeout information. VPN IKE upd: IKE connection information.
  • Page 243 Interface inside (10.130.8.5): Normal
    admin Interface fourth (10.130.9.5): Normal
    ctx1 Interface outside (10.1.1.1): Normal
    ctx1 Interface inside (10.2.2.1): Normal
    ctx2 Interface outside (10.3.3.2): Normal
    ctx2 Interface inside (10.4.4.2): Normal
    Other host: Secondary
  • Page 244 Interface inside (192.168.0.1): Normal
    Other host: Primary
    State: Standby
    Active time: 0 (sec)
    admin Interface outside (192.168.5.131): Normal
    admin Interface inside (192.168.0.11): Normal
    Stateful Failover Logical Update Statistics
    Status: Configured.
  • Page 245 • Active Time: in seconds • Group 1 State: Active or Standby Ready • Group 2 State • Active Time: in seconds • slot x: Information about the module in the slot or empty.
  • Page 246 Dynamic UDP connection information. ARP tbl: Dynamic ARP table information. L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only). Xlate_Timeout: Indicates connection translation timeout information. VPN IKE upd: IKE connection information.
  • Page 247: Viewing Monitored Interfaces

    All of the failover commands are displayed. On units running multiple context mode, enter this command in the system execution space. Entering show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.
  • Page 248: Testing The Failover Functionality

    To force the standby unit or failover group to become active, enter one of the following commands: • For Active/Standby failover: Enter the following command on the standby unit:
    hostname# failover active
    Or, enter the following command on the active unit: ...
  • Page 249: Disabling Failover

    Monitoring Failover: When a failover occurs, both security appliances send out system messages. This section includes the following topics: • Failover System Messages, page 14-48
  • Page 250: Failover System Messages

    411002 messages. This is normal activity. Debug Messages: To see debug messages, enter the debug fover command. See the Cisco Security Appliance Command Reference for more information. Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
  • Page 251 Part: Configuring the Firewall
  • Page 253: Routed Mode Overview

    By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command).
  • Page 254: Chapter 15 Firewall Mode Overview

    • An Inside User Visits a Web Server, page 15-3 • An Outside User Visits a Web Server on the DMZ, page 15-4 • An Inside User Visits a Web Server on the DMZ, page 15-5
  • Page 255: An Inside User Visits A Web Server

    The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
  • Page 256: An Outside User Visits A Web Server On The Dmz

    In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation.
  • Page 257: An Inside User Visits A Web Server On The Dmz

    The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
  • Page 258: An Outside User Attempts To Access An Inside Host

    The security appliance receives the packet and, because it is a new session, verifies whether the packet is allowed according to the security policy (access lists, filters, AAA).
  • Page 259: A Dmz User Attempts To Access An Inside Host

    “stealth firewall,” and is not seen as a router hop to connected devices. This section describes transparent firewall mode, and includes the following topics: • Transparent Firewall Network, page 15-8 • Allowing Layer 3 Traffic, page 15-8
  • Page 260: Transparent Firewall Network

    For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
  • Page 261: Mac Address Lookups

    IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications.
  • Page 262: Unsupported Features In Transparent Mode

    You also cannot allow IPv6 using an EtherType access list. Multicast: You can allow multicast traffic through the security appliance by allowing it in an extended access list. NAT: NAT is performed on the upstream router.
  • Page 263: How Data Moves Through The Transparent Firewall

    Another access list lets the outside users access only the web server on the inside network. Figure 15-8 Typical Transparent Firewall Data Path [figure labels: www.example.com, Internet, 209.165.201.2, Management IP 209.165.201.6, 209.165.200.230, Host 209.165.201.3, Web Server 209.165.200.225]
  • Page 264: An Inside User Visits A Web Server

    If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
  • Page 265: An Outside User Visits A Web Server On The Inside Network

    (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface. The security appliance records that a session is established.
  • Page 266: An Outside User Attempts To Access An Inside Host

    (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface. The packet is denied, and the security appliance drops the packet.
  • Page 267 If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.
  • Page 269: Access List Overview

    • Access List Types, page 16-2 • Access Control Entry Order, page 16-2 • Access Control Implicit Deny, page 16-3 • IP Addresses Used for Access Lists When You Use NAT, page 16-3
  • Page 270: Access List Types

    After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by specifying the keyword inactive in the access-list command.
  • Page 271: Chapter 16 Identifying Traffic With Access Lists

    [figure labels: Inbound ACL, Permit from 10.1.1.0/24, 209.165.200.225, 10.1.1.0/24, 10.1.1.0/24, 209.165.201.4:port] See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
    hostname(config)# access-group INSIDE in interface inside
  • Page 272 [figure labels: 209.165.200.225, 209.165.201.5, Outside, Inside, 10.1.1.34, 209.165.201.5, Static NAT] See the following commands for this example:
    hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
    hostname(config)# access-group OUTSIDE in interface outside
  • Page 273: Adding An Extended Access List

    For information about logging options that you can add to the end of the ACE, see the “Logging Access List Activity” section on page 16-18. For information about time range options, see the “Scheduling Extended Access List Activation” section on page 16-17.
  • Page 274: Allowing Special Ip Traffic Through The Transparent Firewall

    To add an ACE, enter the following command:
    hostname(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]
  • Page 275 ICMP types. When you specify a network mask, the method is different from the Cisco IOS software access-list command. The security appliance uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
  • Page 276: Adding An Ethertype Access List

    TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.
  • Page 277: Adding A Standard Access List

    To add an ACE, enter the following command: hostname(config)# access-list access_list_name standard {deny | permit} {any | ip_address mask} The following sample access list identifies routes to 192.168.1.0/24: hostname(config)# access-list OSPF standard permit 192.168.1.0 255.255.255.0 Cisco Security Appliance Command Line Configuration Guide 16-9 OL-10088-01...
  • Page 278: Adding A Webtype Access List

    After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups. Cisco Security Appliance Command Line Configuration Guide 16-10 OL-10088-01...
  • Page 279: Adding Object Groups

    “Protocols and Applications” section on page D-11. For example, to create a protocol group for TCP, UDP, and ICMP, enter the following commands: hostname(config)# object-group protocol tcp_udp_icmp hostname(config-protocol)# protocol-object tcp hostname(config-protocol)# protocol-object udp hostname(config-protocol)# protocol-object icmp Cisco Security Appliance Command Line Configuration Guide 16-11 OL-10088-01...
  • Page 280: Adding A Network Object Group

    To add a service group, enter the following command: Step 1 hostname(config)# object-group service grp_id {tcp | udp | tcp-udp} The grp_id is a text string up to 64 characters in length. Cisco Security Appliance Command Line Configuration Guide 16-12 OL-10088-01...
  • Page 281: Adding An Icmp Type Object Group

    The description can be up to 200 characters. Step 3 To define the ICMP types in the group, enter the following command for each type: hostname(config-icmp-type)# icmp-object icmp_type
  • Page 282: Nesting Object Groups

    You only need to specify the admin object group in your ACE as follows: hostname(config)# access-list ACL_IN extended permit ip object-group admin host 209.165.201.29
  • Page 283: Using Object Groups With An Access List

    209.165.201.16 hostname(config-network)# network-object host 209.165.201.78 hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq www hostname(config)# access-list ACL_IN extended permit ip any any hostname(config)# access-group ACL_IN in interface inside
  • Page 284: Displaying Object Groups

    Entering a dash (-) at the beginning of the remark helps set it apart from ACEs. hostname(config)# access-list OUT remark - this is the inside admin address hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
  • Page 285: Scheduling Extended Access List Activation

    8:00 1 january 2006 The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m. on weekdays: hostname(config)# time-range workinghours
  • Page 286: Applying The Time Range To An Ace

    Note: Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as follows.
  • Page 287: Configuring Logging For An Access Control Entry

    For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Cisco Security Appliance Logging Configuration and System Log Messages for detailed information about this system message.
  • Page 288: Managing Deny Flows

    The number is between 1 and 4096. 4096 is the default. • To set the amount of time between system messages (number 106101) that identify that the maximum number of deny flows was reached, enter the following command:
  • Page 289 Chapter 16 Identifying Traffic with Access Lists Logging Access List Activity hostname(config)# access-list alert-interval secs The seconds are between 1 and 3600. 300 is the default.
  • Page 290 Chapter 16 Identifying Traffic with Access Lists Logging Access List Activity
  • Page 291: Nat Overview

    • NAT and Same Security Level Interfaces, page 17-12 • Order of NAT Commands Used to Match Real Addresses, page 17-13 • Mapped Address Guidelines, page 17-13 • DNS and NAT, page 17-14
  • Page 292: Introduction To Nat

    209.165.201.10, and the security appliance receives the packet. The security appliance then undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27 before sending it on to the host.
  • Page 293: Chapter 17 Applying Nat

    NAT to translate the inside host address (see Figure 17-2). Figure 17-2 NAT Control and Outbound Traffic (figure labels: Security Appliance, 10.1.1.1, 209.165.201.1, No NAT, 10.1.2.1, Inside, Outside)
  • Page 294 MAC addresses for shared interfaces. See the “How the Security Appliance Classifies Packets” section on page 3-3 for more information about the relationship between the classifier and NAT.
  • Page 295: Nat Types

    IP address after the translation times out (see the timeout xlate command in the Cisco Security Appliance Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly.
  • Page 296 Note access list allows it. Because the address is unpredictable, a connection to the host is unlikely. However in this case, you can rely on the security of the access list.
  • Page 297: Static Nat

    (if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.
  • Page 298 8080. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
  • Page 299: Bypassing Nat When Nat Control Is Enabled

    NAT in that the ports are not considered. See the “Bypassing NAT” section on page 17-28 for other differences. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.
  • Page 300 NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224 hostname(config)# nat (inside) 1 access-list NET1 hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list NET2 hostname(config)# global (outside) 2 209.165.202.130
  • Page 301 NAT access list specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the access list identifies the real addresses and the source addresses of remote hosts who are allowed to connect to the host using this translation.
  • Page 302: Nat And Same Security Level Interfaces

    (even when NAT control is not enabled). Traffic identified for static NAT is not affected. See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6 to enable same security communication.
  • Page 303: Order Of Nat Commands Used To Match Real Addresses

    If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the security appliance.
  • Page 304 DNS server, and not the mapped address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The security appliance refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
  • Page 305: Configuring Nat Control

    DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply...
  • Page 306: Using Dynamic Nat And Pat

    (figure labels: Outside, Global 1: 209.165.201.3-209.165.201.10, Translation: 10.1.2.27 / 209.165.201.3, NAT 1: 10.1.2.0/24, Inside, 10.1.2.27) See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
  • Page 307 (figure labels: 209.165.201.3, 10.1.1.15, NAT 1: 10.1.2.0/24, Inside, 10.1.2.27) See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
  • Page 308 17-16). If you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.
  • Page 309 PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports (see Figure 17-17).
  • Page 310 17-18). Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
  • Page 311 If you do apply outside NAT, then the preceding NAT requirements come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
  • Page 312: Configuring Dynamic Nat Or Pat

    However, clearing the translation table disconnects all current connections that use translations. To configure dynamic NAT or PAT, perform the following steps: Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
  • Page 313 You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across subnet boundaries if desired. For example, you can specify the following “supernet”:
  • Page 314 TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23 hostname(config)# nat (inside) 1 access-list WEB hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list TELNET hostname(config)# global (outside) 2 209.165.202.130
  • Page 315: Using Static Nat

    See the “Configuring Dynamic NAT or PAT” section on page 17-22 for information about the other options. • To configure regular static NAT, enter the following command:
  • Page 316: Using Static Pat

    Figure 17-22 Static PAT (figure labels: Security Appliance, 10.1.1.1:23 to 209.165.201.1:23, 10.1.1.2:8080 to 209.165.201.2:80, Inside, Outside) For applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
  • Page 317 (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering: hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0 eq http hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
  • Page 318: Bypassing Nat

    • Configuring NAT Exemption, page 17-31 Configuring Identity NAT: Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations, and responding traffic is allowed back.
  • Page 319: Configuring Static Identity Nat

    NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate (see the “Policy NAT” section on page 17-9 for more...
  • Page 320 For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside: hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
  • Page 321: Configuring Nat Exemption

    NAT exemption does not consider the ports. NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration.
  • Page 322: Nat Examples

    (inside) 0 access-list NET1 NAT Examples: This section describes typical scenarios that use NAT solutions, and includes the following topics: • Overlapping Networks, page 17-33 • Redirecting Ports, page 17-34
  • Page 323: Overlapping Networks

    Step 3 Configure the following static routes so that traffic to the dmz network can be routed correctly by the security appliance: hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1 hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
  • Page 324: Redirecting Ports

    • HTTP requests to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5. • HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80. To implement this scenario, perform the following steps:
  • Page 325 Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command: hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
  • Page 326 Chapter 17 Applying NAT NAT Examples
  • Page 327 These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
  • Page 328: Chapter 18 Permitting Or Denying Network Access

    INSIDE in interface inside hostname(config)# access-list HR extended permit ip any any hostname(config)# access-group HR in interface hr hostname(config)# access-list ENG extended permit ip any any hostname(config)# access-group ENG in interface eng
  • Page 329 209.165.200.225 eq www hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www hostname(config)# access-group OUTSIDE out interface outside
  • Page 330 The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces: hostname(config)# access-list nonIP ethertype deny 1256 hostname(config)# access-list nonIP ethertype permit any hostname(config)# access-group ETHER in interface inside
  • Page 331: Applying An Access List To An Interface

    Chapter 18 Permitting or Denying Network Access Applying an Access List to an Interface hostname(config)# access-group ETHER in interface outside
  • Page 332 Chapter 18 Permitting or Denying Network Access Applying an Access List to an Interface
  • Page 333: Aaa Performance

    Configuring Authentication for Network Access: This section includes the following topics: • Authentication Overview, page 19-2 • Enabling Network Access Authentication, page 19-3 • Enabling Secure Authentication of Web Clients, page 19-5
  • Page 334: Chapter 19 Applying Aaa For Network Access

    A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Cisco Security Appliance Command Reference for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP.
  • Page 335: Static Pat And Http

    Alternatively, you can configure virtual Telnet. With virtual Telnet, the user Telnets to a given IP address configured on the security appliance, and the security appliance provides a Telnet prompt. For more information about the virtual telnet command, see the Cisco Security Appliance Command Reference.
  • Page 336 Note: You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. Step 4 (Optional) If you are using the local database for network access authentication and you want to limit...
  • Page 337: Enabling Secure Authentication Of Web Clients

    You can configure the security appliance to perform network access authorization with TACACS+. You identify the traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you can identify the traffic directly in authorization rules themselves.
  • Page 338 Note: Alternatively, you can use the aaa authorization include command (which identifies traffic within the command) but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
  • Page 339: Configuring Radius Authorization

    • Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-11 Configuring a RADIUS Server to Send Downloadable Access Control Lists: This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: • About the Downloadable Access List Feature and Cisco Secure ACS, page 19-8...
  • Page 340 Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previously downloaded means that the security appliance has the most recent version of the downloadable access list.
  • Page 341 Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions, available at http://www.ietf.org. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds with an access-accept message containing the access list. The largest access list that can fit in a single access-accept message is slightly less than 4 KB because some of the message must be other required attributes.
  • Page 342 If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
  • Page 343: Configuring A Radius Server To Download Per-User Access Control List Names

    RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows: filter-id=acl_name Note: In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name.
  • Page 344: Configuring Accounting For Network Access

    Note: Alternatively, you can use the aaa accounting include command (which identifies traffic within the command) but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information. The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires...
  • Page 345: Using Mac Addresses To Exempt Traffic From Authentication And Authorization

    The following example bypasses authentication for a single MAC address: hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# aaa mac-exempt match abc The following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3: hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000...
  • Page 346 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000 hostname(config)# aaa mac-exempt match 1
  • Page 347: Filtering Overview

    This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics: • ActiveX Filtering Overview, page 20-2 • Enabling ActiveX Filtering, page 20-2
  • Page 348: Chapter 20 Applying Filtering Services

    To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter activex 80 0 0 0 0
  • Page 349: Filtering Java Applets

    This section describes how to filter URLs and FTP requests with an external server. This section includes the following topics: • URL Filtering Overview, page 20-4 • Identifying the Filtering Server, page 20-4 • Buffering the Content Server Response, page 20-5 • Caching Server Addresses, page 20-6
  • Page 350: Url Filtering Overview

    (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns] ] For Secure Computing SmartFilter (formerly N2H2): hostname(config)# url-server (if_name) vendor {secure-computing | n2h2} host [port ] [timeout ] [protocol {TCP [connections ]} | UDP]
  • Page 351: Buffering The Content Server Response

    To enable buffering of responses for HTTP or FTP requests that are pending a response from the filtering server, enter the following command: hostname(config)# url-block block block-buffer-limit Replace block-buffer with the maximum number of HTTP responses that can be buffered while awaiting responses from the url-server.
  • Page 352: Caching Server Addresses

    • Truncating Long HTTP URLs, page 20-7 • Exempting Traffic from Filtering, page 20-7 Configuring HTTP Filtering: You must identify and enable the URL filtering server before enabling HTTP filtering.
  • Page 353: Enabling Filtering Of Long Http Urls

    For example, the following commands cause all HTTP requests to be forwarded to the filtering server except for those from 10.0.2.54. hostname(config)# filter url http 0 0 0 0
  • Page 354: Filtering Https Urls

    CWD command successful.” If the filtering server denies the request, the security appliance alters the FTP return code to show that the connection was denied. For example, the security appliance changes code 250 to “550 Requested file is prohibited by URL filtering policy.”
  • Page 355: Viewing Filtering Statistics And Configuration

    Global Statistics: -------------------- URLs total/allowed/denied 13/3/10 URLs allowed by cache/server URLs denied by cache/server 0/10 HTTPSs total/allowed/denied 138/137/1 HTTPSs allowed by cache/server 0/137 HTTPSs denied by cache/server
  • Page 356: Viewing Buffer Configuration And Statistics

    Current number of packets held (global): Packets dropped due to exceeding url-block buffer limit: 7546 HTTP server retransmission: Number of packets released back to client: This shows the URL block statistics.
  • Page 357: Viewing Caching Statistics

    URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show running-config filter command: hostname# show running-config filter filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
  • Page 358 Chapter 20 Applying Filtering Services Viewing Filtering Statistics and Configuration
  • Page 359: Modular Policy Framework Overview

    Using a Layer 3/4 Class Map” section on page 21-2. (Application inspection only) Define special actions for application inspection traffic. See the “Configuring Special Actions for Application Inspections” section on page 21-5.
  • Page 360: Chapter 21 Using Modular Policy Framework

    You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map. You can create the following types of class maps: • Creating a Layer 3/4 Class Map for Through Traffic, page 21-3 • Creating a Layer 3/4 Class Map for Management Traffic, page 21-5
  • Page 361: Creating A Layer 3/4 Class Map For Through Traffic

    Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.
  • Page 362 "This class-map matches all HTTP traffic" hostname(config-cmap)# match port tcp eq http hostname(config-cmap)# class-map to_server hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1" hostname(config-cmap)# match access-list host_foo
  • Page 363: Creating A Layer 3/4 Class Map For Management Traffic

    Some applications do not support an inspection class map. • Parameters—Parameters affect the behavior of the inspection engine.
  • Page 364: Creating A Regular Expression

    Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]g to enter d?g in the configuration. See the regex command in the Cisco Security Appliance Command Reference for performance impact information when matching a regular expression to packets.
  • Page 365 When character is not a metacharacter, matches the literal character. Carriage return Matches a carriage return 0x0d. Newline Matches a new line 0x0a. Matches a tab 0x09. Formfeed Matches a form feed 0x0c.
  • Page 366: Creating A Regular Expression Class Map

    URL strings inside HTTP packets. To create a regular expression class map, perform the following steps: Step 1 Create one or more regular expressions according to the “Creating a Regular Expression” section.
  • Page 367: Identifying Traffic In An Inspection Class Map

    Where the application is the application you want to inspect. For supported applications, see Chapter 25, “Configuring Application Layer Protocol Inspection.” The class_map_name argument is the name of the class map up to 40 characters in length.
  • Page 368: Defining Actions In An Inspection Policy Map

    Specify the action you want to perform on the matching traffic by entering the following command: hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate}
  • Page 369 (higher priority) and match filename (lower priority). The ftp3 class map includes both commands, but it is ranked according to the lowest priority command, match filename. The ftp1 class map includes the...
  • Page 370 (a Layer 3/4 class map not shown) hostname(config-pmap)# class test hostname(config-pmap-c)# inspect http http-map1 hostname(config-pmap-c)# service-policy test interface outside
  • Page 371: Defining Actions Using A Layer 3/4 Policy Map

    Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
  • Page 372: Default Layer 3/4 Policy Map

    The default policy map configuration includes the following commands: policy-map global_policy class inspection_default
  • Page 373: Adding A Layer 3/4 Policy Map

    Note: If there is no match default_inspection_traffic command in a class map, then at most one inspect command is allowed to be configured under the class. Step 4 Repeat Step 3 for each class map you want to include in this policy map. Step 5
  • Page 374 For any TCP connection other than Telnet and FTP, it will match class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the security appliance does not make this match because they previously matched other classes.
  • Page 375: Applying a Layer 3/4 Policy to an Interface Using a Service Policy

    • Applying Inspection to HTTP Traffic Globally, page 21-18
    • Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers, page 21-19
    • Applying Inspection to HTTP Traffic with NAT, page 21-20
  • Page 376: Applying Inspection and QoS Policing to HTTP Traffic

    [Figure: Global HTTP Inspection. Host A (inside) and Host B (outside) communicate through the security appliance, with port 80 inspection applied on both the inside and outside interfaces.]
    See the following commands for this example:
    hostname(config)# class-map http_traffic
    hostname(config-cmap)# match port tcp eq 80
  • Page 377: Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

    ...100
    hostname(config)# policy-map policy_serverB
    hostname(config-pmap)# class http_serverB
    hostname(config-pmap-c)# inspect http
    hostname(config)# service-policy policy_serverB interface inside
    hostname(config)# service-policy policy_serverA interface outside
  • Page 378: Applying Inspection to HTTP Traffic with NAT

    ...192.168.1.1 any eq 80
    hostname(config)# class-map http_client
    hostname(config-cmap)# match access-list http_client
    hostname(config)# policy-map http_client
    hostname(config-pmap)# class http_client
    hostname(config-pmap-c)# inspect http
    hostname(config)# service-policy http_client interface inside
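The three HTTP examples above (pages 21-18 to 21-20) and the class-ordering rule on page 21-16 fit together in one Layer 3/4 policy. The configuration below is an added example, not from the Cisco guide: it assumes interfaces named inside and outside, a web server with real address 192.168.1.10 published as 209.165.200.225, and software 7.x NAT semantics (a class map on the outside interface matches the mapped address). All names and addresses are illustrative.

```cisco
! Added example (not from the Cisco guide). Assumed: interfaces "inside"
! and "outside"; web server 192.168.1.10 published as 209.165.200.225.

! Publish the server. Before 8.3, access lists and class maps applied on
! the outside interface see the mapped address, not the real one.
static (inside,outside) 209.165.200.225 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 209.165.200.225 eq 80
access-group outside_in in interface outside

! 1. Classes. Only connections to the published server...
access-list http_serverA extended permit tcp any host 209.165.200.225 eq 80
class-map http_serverA
 match access-list http_serverA

! ...and a catch-all for every other TCP connection. Its place in the
! policy map below is what matters.
class-map tcp_traffic
 match port tcp range 1 65535

! 2. Global inspection. inspection_default matches the default inspection
!    ports (TCP/80 for HTTP), so HTTP is inspected on every interface.
!    The default configuration already contains
!    "service-policy global_policy global".
policy-map global_policy
 class inspection_default
  inspect http

! 3. Interface policy with connection limits. A connection matches at
!    most one class per feature type: port-80 connections to the server
!    match http_serverA for the connection-limit feature and are not
!    re-evaluated against tcp_traffic, so the 500/100 limits win for the
!    server and 2000 applies to everything else.
policy-map policy_outside
 class http_serverA
  set connection conn-max 500 embryonic-conn-max 100 per-client-max 20
 class tcp_traffic
  set connection conn-max 2000
service-policy policy_outside interface outside

! Verify per-class hit counters and current connections:
! show service-policy interface outside
! show service-policy global
! show conn count
```

Only one policy map can be applied per interface and one globally; if you already have an interface policy on outside, add the classes to it rather than creating a second one.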
  • Page 379: Managing the AIP SSM

    Chapter 22: Managing AIP SSM and CSC SSM. The Cisco ASA 5500 series adaptive security appliance supports a variety of SSMs. This chapter describes how to configure the adaptive security appliance to support an AIP SSM or a CSC SSM, including how to send traffic to these SSMs.
  • Page 380: Chapter 22 Managing AIP SSM and CSC SSM

    ...SSM is very robust and beyond the scope of this document; detailed configuration information is available in the following separate documentation:
    • Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
    • Cisco Intrusion Prevention System Command Reference
  • Page 381 The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:
    hostname(config)# access-list IPS permit ip any any
    hostname(config)# class-map my-ips-class
  • Page 382: Sessioning to the AIP SSM and Running Setup

    ...1
    Opening command session with slot 1.
    Connected to slot 1. Escape character sequence is 'CTRL-^X'.
    Step 2: Enter the username and password. The default username and password are both cisco.
    Note: The first time you log in to the AIP SSM you are prompted to change the default password.
  • Page 383: Managing the CSC SSM

    You are now ready to configure the AIP SSM for intrusion prevention. See the following two guides for AIP SSM configuration information:
    • Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
    • Cisco Intrusion Prevention System Command Reference
  • Page 384 CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM. Use of the CSC SSM GUI is explained in the Trend Micro InterScan for Cisco CSC SSM Administrator Guide.
  • Page 385: Getting Started with the CSC SSM

    ...SSM. This procedure provides an overview of those steps. To configure the adaptive security appliance and the CSC SSM, follow these steps:
    Step 1: If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM.
  • Page 386 Step 4: In a web browser, access ASDM for the adaptive security appliance that the CSC SSM is in.
    Note: If you are accessing ASDM for the first time, see the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for assistance with the Startup Wizard.
  • Page 387: Determining What Traffic to Scan

    • FTP connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance.
    • POP3 connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance.
  • Page 388 ...192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80
    The second policy in this example, applied to the outside interface, could use the following access list:
    access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
  • Page 389: Limiting Connections Through the CSC SSM

    ..."Determining What Traffic to Scan" section on page 22-9.
    Step 2: Create a class map to identify the traffic that should be diverted to the CSC SSM. Use the class-map command to do so, as follows.
  • Page 390 Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. The adaptive security appliance begins diverting traffic to the CSC SSM as specified.
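The AIP SSM example on page 22-3 and the CSC SSM procedure on pages 22-9 to 22-12 share one pattern: classify the traffic, then divert it with the ips or csc action and decide what happens when the module is down. The following is an added example, not from the Cisco guide. It assumes a single SSM slot (so only the AIP or the CSC section applies to a given appliance), interfaces inside and outside, users on 192.168.10.0/24 and a mail server at 192.168.20.25; the recovery commands at the end are the standard hw-module module commands referenced on pages 22-13 to 22-16.

```cisco
! Added example (not from the Cisco guide). Assumed: one SSM in slot 1,
! interfaces "inside"/"outside", users 192.168.10.0/24, mail 192.168.20.25.

! ---- AIP SSM: all IP traffic, promiscuous mode, fail-closed ----------
! promiscuous: the ASA sends a copy to the sensor and keeps forwarding;
! inline: each packet waits for the sensor's verdict and can be dropped.
! fail-close: drop the matching traffic while the SSM is down or
! reloading; fail-open would forward it uninspected.
access-list IPS extended permit ip any any
class-map ips_class
 match access-list IPS
policy-map global_policy
 class ips_class
  ips promiscuous fail-close
service-policy global_policy global

! ---- CSC SSM: send only what the content scanner understands ---------
! Outbound HTTP, FTP and POP3 from the users; inbound SMTP to the mail
! server. Other traffic is not scanned and would only add latency.
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 110
class-map csc_outbound
 match access-list csc_out
policy-map csc_inside_policy
 class csc_outbound
  csc fail-close
service-policy csc_inside_policy interface inside

access-list csc_in extended permit tcp any host 192.168.20.25 eq 25
class-map csc_inbound
 match access-list csc_in
policy-map csc_outside_policy
 class csc_inbound
  csc fail-close
service-policy csc_outside_policy interface outside

! ---- Operations (privileged EXEC) -----------------------------------
! show module 1 details       Status "Up" is healthy; "Recover" means an
!                             image transfer is still in progress.
! session 1                   Console into the SSM; escape is CTRL-^X.
! hw-module module 1 recover configure   Set TFTP server, image, IP.
! hw-module module 1 recover boot        Reimage the SSM. Its application
!                             configuration is lost unless backed up.
```

With fail-close, a reimage or crash of the SSM becomes an outage for every class that uses it; keep the diverted set narrow (as the CSC section does) unless blocking is the intended failure behaviour.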
  • Page 391: Checking SSM Status

    While the adaptive security appliance transfers an application image to the SSM, the Status field in the output reads “Recover”. For more information about possible statuses, see the entry for the show module command in the Cisco Security Appliance Command Reference.
  • Page 392: Transferring an Image onto an SSM

    If you do not back up the configuration of the SSM application, it is lost when you transfer an image onto the SSM. For more information about how your SSM supports backups, see the documentation for your SSM.
  • Page 393 Complete the prompts as applicable. If you are modifying a configuration, you can keep the previously configured value by pressing Enter. The following example shows the prompts. For more information about them, see the entry for the hw-module module recover command in the Cisco Security Appliance Command Reference.
  • Page 394 Note: If your SSM supports configuration backups and you want to restore the configuration of the application running on the SSM, see the documentation for your SSM for details.
  • Page 395: Configuring TCP Normalization

    Step 2: Configure the TCP map criteria by entering commands for one or more of the following options:
    • Prevent inconsistent TCP retransmissions:
      hostname(config-tcp-map)# check-retransmission
    • Verify the checksum:
      hostname(config-tcp-map)# checksum-verification
  • Page 396: Chapter 23 Preventing Network Attacks

    It is at this point that the attacker can send a malicious packet with a long TTL that appears to the security ...
  • Page 398: Configuring Connection Limits and Timeouts

    ...| per-client-max number | random-sequence-number {enable | disable}} ... where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.
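The TCP map options on page 23-1, the TTL evasion attack sketched on page 23-2 and the set connection limits on page 23-4 are normally deployed together on the classes that front exposed servers. The configuration below is an added example, not from the Cisco guide; it assumes an outside interface and a DMZ server block 192.168.100.0/24, and the numeric limits are starting points, not recommendations for any particular server.

```cisco
! Added example (not from the Cisco guide). Assumed: interface "outside",
! protected servers on 192.168.100.0/24.

! 1. TCP map: checks beyond the normalizer's defaults.
tcp-map hardened_tcp
 ! drop retransmissions whose payload differs from the original
 check-retransmission
 ! drop segments with a bad TCP checksum (off by default)
 checksum-verification
 ! drop data larger than the MSS the peer advertised
 exceed-mss drop
 ! clear the reserved header bits instead of passing them through
 reserved-bits clear
 ! no data on the initial SYN
 syn-data drop
 ! clear URG and the urgent pointer
 urgent-flag clear
 ! drop if the window shrinks without acknowledged data
 window-variation drop
 ! keep the options legitimate stacks use, clear the rest
 tcp-options selective-ack allow
 tcp-options timestamp allow
 tcp-options window-scale allow
 tcp-options range 6 7 clear
 ! on by default; stated explicitly. Defeats the short-TTL insertion
 ! trick described on page 23-2 by normalizing TTL within a connection.
 ttl-evasion-protection
 ! out-of-order segments buffered per connection
 queue-limit 64

! 2. Class for the protected servers.
access-list dmz_tcp extended permit tcp any 192.168.100.0 255.255.255.0
class-map dmz_servers
 match access-list dmz_tcp

! 3. Apply the map, limits and timeouts in one class.
policy-map dmz_policy
 class dmz_servers
  set connection advanced-options hardened_tcp
  ! conn-max: established connections; embryonic-conn-max: half-open
  ! connections, above which TCP intercept answers the SYNs itself;
  ! per-client-max: connections from one source. 0 means no limit.
  set connection conn-max 10000 embryonic-conn-max 1000 per-client-max 50
  set connection random-sequence-number enable
  ! hh:mm:ss; embryonic minimum 0:0:5, the others 0:5:0
  set connection timeout embryonic 0:00:30 half-closed 0:05:00 tcp 1:00:00
service-policy dmz_policy interface outside

! Verify:
! show service-policy interface outside set connection
! show conn count
```

If the servers terminate legitimate traffic that carries unusual options (some VPN or database clients set TCP options outside the common set), relax the tcp-options range rule rather than the limits; the show service-policy counters tell you which rule is dropping.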
  • Page 399: Preventing IP Spoofing

    Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.
  • Page 400: Configuring the Fragment Size

    Step 2: To shun connections from the source IP address, enter the following command:
    hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
    If you enter only the source IP address, then all future connections are shunned; existing connections remain active.
  • Page 401: Configuring IP Audit for Basic IPS Support

    Step 3: ip audit interface interface_name policy_name
    Step 4: To disable signatures, or for more information about signatures, see the ip audit signature command in the Cisco Security Appliance Command Reference.
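Pages 23-5 to 23-7 describe four independent controls: unicast reverse-path checks, fragment handling, shunning and IP audit signatures. The following is an added example, not from the Cisco guide, showing them applied together on an outside interface with the commands to verify and undo each; the addresses and policy names are illustrative.

```cisco
! Added example (not from the Cisco guide). Assumed: interfaces "inside"
! and "outside"; attacker addresses are illustrative.

! Unicast RPF: drop packets whose source address would not be routed
! back out the interface they arrived on. Requires a complete routing
! table; hosts reached over asymmetric paths would be dropped.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Fragments: chain 1 accepts only unfragmented packets on outside.
! Relax it if a legitimate protocol must fragment (large IKE or NFS).
fragment chain 1 outside
fragment timeout 5 outside

! Basic IPS: attack signatures alarm, drop and reset; informational
! signatures alarm only. Each interface takes one policy of each type.
ip audit name edge_attack attack action alarm drop reset
ip audit name edge_info info action alarm
ip audit interface outside edge_attack
ip audit interface outside edge_info
! After reviewing the alarms, silence a noisy signature by number:
! ip audit signature <signature_number> disable

! Incident response: block a source immediately, regardless of the
! access lists. With only a source address every new connection from it
! is dropped; existing connections stay up until cleared or timed out.
shun 209.165.202.129
! Shun a single flow: source, destination, source port, dest port, proto.
shun 209.165.202.130 192.168.100.10 4000 80 tcp

! Verify and clean up:
! show ip verify statistics
! show fragment outside
! show ip audit count
! show shun
! clear shun statistics
! no shun 209.165.202.129
```

Shuns are not saved in the configuration and do not survive a reload; treat them as an incident-response tool and move persistent blocks into access lists.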
  • Page 403: Overview

    A flow can be defined in a number of ways. In the security appliance, QoS can apply to a combination of source and destination IP addresses, source and destination port number, and the TOS byte of the IP header.
  • Page 404: Chapter 24 Applying QoS Policies

    Associating actions with each traffic class to formulate policies. Activating the policies. The specification of a classification policy, that is, the definition of traffic classes, is separate from the specification of the policies that act on the results of the classification.
  • Page 405 ...(priority-queue command) on each named, physical interface transmitting prioritized traffic. The following example enables a default priority-queue with the default queue-limit and tx-ring-limit:
    priority-queue name-interface
    The following sections explain each of these uses in more detail.
  • Page 406: Identifying Traffic for QoS

    By creating a class-map (named "host-specific"), you can then police the "host-specific" class before the LAN-to-LAN connection polices the tunnel. In this example, the "host-specific" traffic is rate-limited before the tunnel, then the tunnel is rate-limited: ...
  • Page 407: Defining a QoS Policy Map

    The following table summarizes the match command criteria available and relevant to QoS. For the full list of all match commands and their syntax, see the Cisco Security Appliance Command Reference:
    Command | Description
    match access-list | Matches, by name or number, access list traffic within a class map.
  • Page 408: Applying Rate Limiting

    ...LAN-to-LAN VPN flow if there is no police command defined for the tunnel-group of the LAN-to-LAN VPN. In other words, the policing values of class-default are never applied to the individual flow of a LAN-to-LAN VPN that exists before encryption.
  • Page 409: Activating the Service Policy

    Using the policy-map example in the previous section, the following service-policy command activates the policy-map "qos," defined in the previous section, for traffic on the outside interface:
    hostname(config)# service-policy qos interface outside
  • Page 410: Applying Low Latency Queueing

    The queue-limit command specifies a maximum number of packets that can be queued to a priority queue before it drops data. This limit must be in the range of 0 through 2048 packets.
  • Page 411: Reducing Queue Latency

    Step 2: Create a class map or modify an existing class map to identify traffic that you want to police or to identify as priority traffic. Use the class-map command to do so, as follows:
    hostname(config)# class-map class_map_name
    hostname(config-cmap)#
  • Page 412 If you want the traffic selected by the class map to be marked as priority traffic, enter the priority command.
    hostname(config-pmap-c)# priority
    Note: Priority queuing does not occur automatically for traffic marked as priority. To enable priority queuing, you must also complete Step 8, which enables the priority queues.
  • Page 413 For details about priority queuing, see the “Applying Low Latency Queueing” section on page 24-8 and the priority command page in the Cisco Security Appliance Command Reference. If you want the security appliance to police the traffic selected by the class map, enter the police •...
  • Page 414: Viewing QoS Configuration

    Class-map: browse
      police Interface outside:
        cir 56000 bps, bc 10500 bytes
        conformed 10065 packets, 12621510 bytes; actions: transmit
        exceeded 499 packets, 625146 bytes; actions: drop
        conformed 5600 bps, exceed 5016 bps
  • Page 415: Viewing QoS Policy Map Configuration

    To display the priority-queue configuration for an interface, enter the show running-config priority-queue command in global configuration mode. The following example shows the priority-queue configuration for the interface named "test":
    hostname(config)# show running-config priority-queue test
    priority-queue test
     queue-limit 2048
     tx-ring-limit 256
    hostname(config)#
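The QoS procedure on pages 24-9 to 24-11 and the show output on pages 24-12 and 24-13 can be tied together in one working policy. The configuration below is an added example, not from the Cisco guide. It assumes voice traffic arrives already marked DSCP EF, that browsing from 10.1.1.0/24 is to be rate-limited on the outside interface, and that the appliance model supports a 128-packet transmit ring; names and rates are illustrative.

```cisco
! Added example (not from the Cisco guide). Assumed: interface "outside",
! voice marked DSCP EF, browsing clients on 10.1.1.0/24.

! 1. Classes.
class-map voice
 match dscp ef

access-list browse extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
class-map browse
 match access-list browse

! 2. Policy. "priority" and "police" cannot share a class, so each gets
!    its own. Policing is directional: the rate is bits per second
!    (56000 = 56 kbit/s) and the burst is bytes (10500). Conforming
!    packets are transmitted, excess is dropped, matching the counters
!    shown by "show service-policy police" on page 24-12.
policy-map qos
 class voice
  priority
 class browse
  police output 56000 10500 conform-action transmit exceed-action drop
service-policy qos interface outside

! 3. The priority action does nothing until a priority queue exists on
!    the egress interface. queue-limit is in packets (0 to 2048);
!    tx-ring-limit sets how many packets the driver holds in the
!    transmit ring, so a smaller ring lets priority traffic pre-empt
!    sooner at the cost of throughput on a saturated link.
priority-queue outside
 queue-limit 1024
 tx-ring-limit 128

! Verify:
! show running-config priority-queue outside
! show service-policy priority
! show service-policy police
! show priority-queue statistics outside
```

Policing the class-default class does not apply to the pre-encryption flows of a LAN-to-LAN VPN (page 24-6); police the tunnel-group class explicitly if tunnel traffic must be limited.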
  • Page 416: Viewing QoS Statistics

    ...EXEC mode:
    hostname# show service-policy priority
    Note: This is the same command you use to view the configuration of policies that include the priority keyword.
  • Page 417: Viewing QoS Priority Queue Statistics

    • "Packets Enqueued" denotes the overall number of packets that have been queued in this queue.
    • "Current Q Length" denotes the current depth of this queue.
    • "Max Q Length" denotes the maximum depth that ever occurred in this queue.
  • Page 419
    • ICMP Inspection, page 25-51
    • ICMP Error Inspection, page 25-51
    • ILS Inspection, page 25-51
    • MGCP Inspection, page 25-52
    • NetBIOS Inspection, page 25-56
    • PPTP Inspection, page 25-58
  • Page 420: Chapter 25 Configuring Application Layer Protocol Inspection

    Inspection Limitations. See the following limitations for application protocol inspection:
  • Page 421: Default Inspection Policy

    ...Server over IP | UDP/137, 138 (Source ports) | NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
    PPTP | TCP/1723 | — | RFC 2637 | —
  • Page 422 ...512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
  • Page 423: Configuring Application Inspection

    ...10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    hostname(config)# class-map inspection_default
    hostname(config-cmap)# match access-list inspect
    View the entire class map using the following command:
    hostname(config-cmap)# show running-config class-map inspection_default
    class-map inspection_default
     match default-inspection-traffic
  • Page 424 ...25-3. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.
  • Page 425 If you added a GTP inspection policy map according to the "Configuring a GTP Inspection Policy Map for Additional Inspection Control" section on page 25-32, identify the map name in this command.
  • Page 426 If you added a SIP inspection policy map according to the "Configuring a SIP Inspection Policy Map for Additional Inspection Control" section on page 25-63, identify the map name in this command.
  • Page 427: CTIQBE Inspection

    SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the security appliance. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.
  • Page 428: Limitations And Restrictions

    ...Cisco TSP configuration on the PC.
    • When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
  • Page 429: DCERPC Inspection

    Configuring a DCERPC Inspection Policy Map for Additional Inspection Control, page 25-12. DCERPC Overview: DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
  • Page 430: Configuring a DCERPC Inspection Policy Map for Additional Inspection Control

    The epm-service-only keyword enforces endpoint mapper service during binding so that only its service traffic is processed. The lookup-operation keyword enables the lookup operation of the endpoint mapper service.
  • Page 431: DNS Inspection

    Note: If you enter the inspect dns command without the maximum-length option, DNS packet size is not checked.
    • Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
  • Page 432: How DNS Rewrite Works

    ...DNS reply. As a result, the web client on the inside network gets the correct address for connecting to the web server on the inside network. For configuration instructions for scenarios similar to this one, see the "Configuring DNS Rewrite with Two NAT Zones" section on page 25-16.
  • Page 433: Configuring DNS Rewrite

    • For detailed syntax and additional functions for the alias, nat, and static commands, see the appropriate command page in the Cisco Security Appliance Command Reference.
    Using the Static Command for DNS Rewrite: The static command causes addresses on an IP network residing on a specific interface to be translated into addresses on another IP network on a different interface.
  • Page 434: Using the Alias Command for DNS Rewrite

    ...TCP port that the web server listens to for HTTP requests.
    Step 3: Apply the access list created in Step 2 to the mapped interface. To do so, use the access-group command, as follows:
    hostname(config)# access-group acl-name in interface mapped_ifc
  • Page 435: DNS Rewrite with Three NAT Zones

    ..."Configuring DNS Rewrite with Three NAT Zones" section on page 25-19.
    Figure 25-2 DNS Rewrite with Three NAT Zones [Figure: a DNS server on the outside holds the record "server.example.com IN A 209.165.200.5"; the security appliance has outside address 99.99.99.2 and inside address 10.10.10.1, with the web server 192.168.100.10 behind the 192.168.100.1 interface and the web client 10.10.10.25 on the inside.]
  • Page 436 If a NAT rule (nat or static) is applicable, the dns option must also be specified. If the dns option is not specified, the A-record rewrite from the earlier step is reverted and other processing for the packet continues.
  • Page 437: Configuring DNS Rewrite with Three NAT Zones

    ...(dmz,outside) 209.165.200.225 192.168.100.10 dns
    hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
    hostname(config)# access-group 101 in interface outside
    This configuration requires the following A-record on the DNS server:
    server.example.com. IN A 209.165.200.225
  • Page 438: Verifying and Monitoring DNS Inspection

    Step 1: (Optional) Add one or more regular expressions for use in traffic matching commands according to the "Creating a Regular Expression" section on page 21-6. See the types of text you can match in the match commands described in Step ...
  • Page 439 ...DNS class field. The range keyword specifies a range and the eq keyword specifies an exact match. (Optional) To match a DNS question or resource record, enter the following command:
    hostname(config-cmap)# match {question | {resource-record answer | authority | any}}
  • Page 440 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 441 ...RD
    hostname(config-pmap-c)# mask log
    hostname(config)# class-map dns_serv_map
    hostname(config-cmap)# match default-inspection-traffic
    hostname(config)# policy-map pub_policy
    hostname(config-pmap)# class dns_serv_map
    hostname(config-pmap-c)# inspect dns serv_prot
    hostname(config)# service-policy pub_policy interface dmz
  • Page 442: ESMTP Inspection

    {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 443: FTP Inspection

    FTP Inspection. This section describes the FTP inspection engine. This section includes the following topics:
    • FTP Inspection Overview, page 25-26
    • Using the strict Option, page 25-26
  • Page 444: FTP Inspection Overview

    ...If it is not five, then the PORT command is assumed to be truncated and the TCP connection is closed.
    • Incorrect command: Checks the FTP command to see if it ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.
  • Page 445: Configuring an FTP Inspection Policy Map for Additional Inspection Control

    To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string "example.com," then any traffic that includes "example.com" does not match the class map.
  • Page 446
    Disallows the client command for sending a file to the server.
    Disallows the command that deletes a directory on the server.
    rnfr  Disallows the command that specifies rename-from filename.
    rnto  Disallows the command that specifies rename-to filename.
  • Page 447 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
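Pages 25-26 to 25-29 list the strict-mode checks and the FTP commands an inspection map can disallow. The configuration below is an added example, not from the Cisco guide: it turns an FTP server at 192.168.100.20 into a read-only service from the network's point of view, blocks transfers of .exe files and hides the server banner. The address and names are illustrative.

```cisco
! Added example (not from the Cisco guide). Assumed: FTP server
! 192.168.100.20 reached through interface "outside".

! Commands that change the server: uploads (put/appe/stou), deletes and
! renames (dele/rmd/rnfr/rnto), directory creation (mkd) and SITE
! (server-specific extensions, a common source of bugs).
class-map type inspect ftp match-any ftp_write_cmds
 match request-command put appe stou dele rmd rnfr rnto mkd site

! Any transfer whose filename ends in .exe, in either direction.
regex ftp_exe "\.exe$"
class-map type inspect ftp match-all ftp_exe_files
 match filename regex ftp_exe

policy-map type inspect ftp ftp_readonly
 parameters
  ! hide the 220 greeting and the SYST reply (server/OS fingerprint)
  mask-banner
  mask-syst-reply
 class ftp_write_cmds
  reset log
 class ftp_exe_files
  reset log

! "strict" enforces the RFC 959 sequencing checks described on page
! 25-26 (PORT argument count, CRLF-terminated commands, one command per
! reply, no embedded commands) and is required for the map's
! request-command matching to see every command.
access-list ftp_srv extended permit tcp any host 192.168.100.20 eq 21
class-map ftp_server
 match access-list ftp_srv
policy-map outside_ftp_policy
 class ftp_server
  inspect ftp strict ftp_readonly
service-policy outside_ftp_policy interface outside

! Verify:
! show service-policy interface outside inspect ftp
```

strict breaks clients that pipeline commands or use non-RFC extensions; check the inspect ftp counters after enabling it before applying the same map to a general-purpose FTP service.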
  • Page 448: Verifying and Monitoring FTP Inspection

    • The username is obtained by looking up a table providing the IP address.
    • The username, source IP address, destination IP address, NAT address, and the file operation are logged.
  • Page 449: GTP Inspection

    UTRAN is the networking protocol used for implementing wireless networks in this system. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
  • Page 450: Configuring a GTP Inspection Policy Map for Additional Inspection Control

    ...The class regex_class_name is the regular expression class map you created in Step 1.
    Step 4: To match a message ID, enter the following command:
    hostname(config-pmap)# match [not] message id [message_id | range lower_range upper_range]
  • Page 451 To create an object to represent the pool of load-balancing GSNs, perform the following steps: Use the object-group command to define a new network object group representing the pool of load-balancing GSNs.
    hostname(config)# object-group network GSN-pool-name
    hostname(config-network)#
  • Page 452 ...IP addresses, one per network-object command, instead of identifying whole networks. The example then modifies a GTP map to permit responses from the GSN pool to the SGSN.
    hostname(config)# object-group network gsnpool32
    hostname(config-network)# network-object 192.168.100.0 255.255.255.0
    hostname(config)# object-group network sgsn32
  • Page 453 The following example shows how to limit the number of tunnels in the network:
    hostname(config)# policy-map type inspect gtp gmap
    hostname(config-pmap)# parameters
    hostname(config-pmap-p)# tunnel-limit 3000
    hostname(config)# policy-map global_policy
    hostname(config-pmap)# class inspection_default
    hostname(config-pmap-c)# inspect gtp gmap
    hostname(config)# service-policy global_policy global
  • Page 454: Verifying and Monitoring GTP Inspection

    Verifying and Monitoring GTP Inspection To display GTP configuration, enter the show service-policy inspect gtp command in privileged EXEC mode. For the detailed syntax for this command, see the command page in the Cisco Security Appliance Command Reference. Use the show service-policy inspect gtp statistics command to show the statistics for GTP inspection.
  • Page 455: H.323 Inspection

    H.323 Inspection Overview: H.323 inspection provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
  • Page 456: Limitations And Restrictions

    To specify actions when a message violates a parameter, create an H.323 inspection policy map. You can then apply the inspection policy map when you enable H.323 inspection according to the "Configuring Application Inspection" section on page 25-5.
  • Page 457 Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
    Step 5: (Optional) To add a description to the policy map, enter the following command:
    hostname(config-pmap)# description string
  • Page 458 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 459: Configuring H.323 And H.225 Timeout Values

    The show h225 command displays information for H.225 sessions established across the security appliance. Along with the debug h323 h225 event, debug h323 h245 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues.
  • Page 460: Monitoring H.245 Sessions

    The media negotiated between these endpoints have an LCN of 258 with the foreign RTP IP address/port pair of 172.30.254.203/49608 and an RTCP IP address/port of 172.30.254.203/49609, with a local RTP IP address/port pair of 10.130.56.3/49608 and an RTCP port of 49609.
  • Page 461: Monitoring H.323 RAS Sessions

    ...Control"), can help prevent attackers from using HTTP messages for circumventing network security policy. It verifies the following for all HTTP messages:
    • Conformance to RFC 2616
    • Use of RFC-defined methods only.
    • Compliance with the additional criteria.
  • Page 462: Configuring an HTTP Inspection Policy Map for Additional Inspection Control

    ...HTTP request message, enter the following command:
    hostname(config-cmap)# match [not] req-resp content-type mismatch
    (Optional) To match text found in the HTTP request message arguments, enter the following command: ...
  • Page 463 (Optional) To match text found in the HTTP response message header, or to restrict the count or length of the header, enter the following command:
    hostname(config-cmap)# match [not] response header {[field] [regex [regex_name | class regex_class_name]] | [length gt max_length_bytes | count gt max_count]}
  • Page 464 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
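The HTTP inspection checks on pages 25-43 to 25-46 (RFC 2616 conformance, method restriction, content-type consistency, header and URI size limits) are most useful when tailored to one server. The following is an added example, not from the Cisco guide, for a web server published as 209.165.200.225 that needs only GET, HEAD and POST; the regexes, limits and names are illustrative and should be tuned against the application's real traffic.

```cisco
! Added example (not from the Cisco guide). Assumed: web server published
! as 209.165.200.225, reached through interface "outside".

! Patterns for directory traversal in the URI, raw and percent-encoded.
regex uri_dotdot "\.\./"
regex uri_encoded_dotdot "%2[eE]%2[eE]"

! Methods a browser-facing static/POST application never needs.
class-map type inspect http match-any http_unwanted_methods
 match request method put
 match request method delete
 match request method trace
 match request method connect
 match request method options

class-map type inspect http match-any http_traversal
 match request uri regex uri_dotdot
 match request uri regex uri_encoded_dotdot

! Size limits: long URIs, header floods and oversized bodies.
class-map type inspect http match-any http_oversized
 match request uri length gt 1024
 match request header length gt 4096
 match request header count gt 32
 match request body length gt 1048576

policy-map type inspect http http_hardened
 parameters
  ! malformed request lines, bad framing and other RFC 2616 violations
  protocol-violation action drop-connection log
  ! replace the real Server: header value in responses
  spoof-server webserver
  ! bytes of a message body the regex matches will scan
  body-match-maximum 8192
 class http_unwanted_methods
  reset log
 class http_traversal
  drop-connection log
 class http_oversized
  drop-connection log
 ! response Content-Type must agree with what the body looks like
 match req-resp content-type mismatch
  reset log

! Attach to the server's HTTP traffic on the outside interface.
access-list web_srv extended permit tcp any host 209.165.200.225 eq 80
class-map web_server
 match access-list web_srv
policy-map outside_http_policy
 class web_server
  inspect http http_hardened
service-policy outside_http_policy interface outside

! Verify:
! show service-policy interface outside inspect http
```

Start with log-only actions (for example "log" without drop) on a new class and read the syslogs for a few days; the content-type mismatch check in particular trips on servers that label JSON or fonts loosely.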
  • Page 465: Instant Messaging Inspection

    This section describes the IM inspection engine. This section includes the following topics:
    • IM Inspection Overview, page 25-48
    • Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control, page 25-48
  • Page 466: IM Inspection Overview

    Where the string is the description of the class map (up to 200 characters). (Optional) To match traffic of a specific IM protocol, such as Yahoo or MSN, enter the following command:
    hostname(config-cmap)# match [not] protocol {im-yahoo | im-msn}
  • Page 467 Step 6: Specify the traffic on which you want to perform actions using one of the following methods:
    • Specify the IM class map that you created in Step 3 by entering the following command: ...
  • Page 469: Icmp Inspection

    The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database. Cisco Security Appliance Command Line Configuration Guide 25-51 OL-10088-01...
  • Page 470: Mgcp Inspection

    This section describes MGCP application inspection. This section includes the following topics: MGCP Inspection Overview, page 25-53 • Configuring an MGCP Inspection Policy Map for Additional Inspection Control, page 25-54 • Configuring MGCP Timeout Values, page 25-56 • Cisco Security Appliance Command Line Configuration Guide 25-52 OL-10088-01...
  • Page 471: Mgcp Inspection Overview

    209.165.200.231 Gateway is told to send its media MGCP SCCP 209.165.200.231 RTP to 10.0.0.76 (public address from 209.165.200.231 of the IP Phone) 209.165.200.231 RTP to 209.165.201.1 from 209.165.200.231 10.0.0.76 Branch offices Cisco Security Appliance Command Line Configuration Guide 25-53 OL-10088-01...
  • Page 472: Configuring An Mgcp Inspection Policy Map For Additional Inspection Control

    To create an MGCP inspection policy map, enter the following command: Step 1 hostname(config)# policy-map type inspect mgcp map_name hostname(config-pmap)# Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode. Cisco Security Appliance Command Line Configuration Guide 25-54 OL-10088-01...
  • Page 473 10.10.11.5 101 hostname(config-pmap-p)# call-agent 10.10.11.6 101 hostname(config-pmap-p)# call-agent 10.10.11.7 102 hostname(config-pmap-p)# call-agent 10.10.11.8 102 hostname(config-pmap-p)# gateway 10.10.10.115 101 hostname(config-pmap-p)# gateway 10.10.10.116 102 hostname(config-pmap-p)# gateway 10.10.10.117 102 hostname(config-pmap-p)# command-queue 150 Cisco Security Appliance Command Line Configuration Guide 25-55 OL-10088-01...
  • Page 474: Configuring Mgcp Timeout Values

    The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
  • Page 475: Configuring A Netbios Inspection Policy Map For Additional Inspection Control

    {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 476: Pptp Inspection

    PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server). When used this way, the PAC is the remote client and the PNS is the server. Cisco Security Appliance Command Line Configuration Guide 25-58 OL-10088-01...
  • Page 477: Radius Accounting Inspection

    10.1.1.1 inside key 123456789 send response enable gprs validate-attribute 22 Configure the service policy and control-plane keywords. Step 3 policy-map type management global_policy class c1 inspect radius-accounting radius_accounting_map service-policy global_policy control-plane abc global Cisco Security Appliance Command Line Configuration Guide 25-59 OL-10088-01...
  • Page 478: Rsh Inspection

    The RTSP inspection engine lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. For Cisco IP/TV, use RTSP TCP port 554 and TCP 8554. Note RTSP applications use the well-known port 554 with TCP (rarely UDP) as a control channel. The security appliance only supports TCP, in conformity with RFC 2326.
  • Page 479: Restrictions And Limitations

    SDP files as part of HTTP or RTSP messages. Packets could be fragmented and security appliance cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translates the security appliance performs on the SDP part of the •...
  • Page 480: Sip Instant Messaging

    SDP media information fields and the media type. There can be multiple media addresses and ports for a session. The security appliance opens RTP/RTCP connections between the two endpoints using these media addresses/ports. Cisco Security Appliance Command Line Configuration Guide 25-62 OL-10088-01...
  • Page 481: Configuring A Sip Inspection Policy Map For Additional Inspection Control

    The CLI enters class-map configuration mode, where you can enter one or more match commands. Cisco Security Appliance Command Line Configuration Guide 25-63...
  • Page 482 (Optional) To match an URI in the SIP headers, enter the following command: hostname(config-cmap)# match [not] uri {sip | tel} length gt length Where length is the number of bytes the URI is greater than. 0 to 65536. Cisco Security Appliance Command Line Configuration Guide 25-64 OL-10088-01...
  • Page 483 {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 484: Configuring Sip Timeout Values

    To configure the timeout for the SIP control connection, enter the following command: hostname(config)# timeout sip hh:mm:ss Cisco Security Appliance Command Line Configuration Guide 25-66 OL-10088-01...
  • Page 485: Verifying and Monitoring SIP Inspection

    This section describes SCCP application inspection. This section includes the following topics: SCCP Inspection Overview, page 25-68; Supporting Cisco IP Phones, page 25-68; Restrictions and Limitations, page 25-68; Verifying and Monitoring SCCP Inspection, page 25-69
  • Page 486: SCCP Inspection Overview

    The security appliance also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
  • Page 487: Verifying and Monitoring SCCP Inspection

    MEDIA 10.0.0.22/20798 172.18.1.11/22948 The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively. The following is sample output from the show xlate debug command for these Skinny connections:...
  • Page 488 {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate} Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  • Page 489: SMTP and Extended SMTP Inspection

    SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
  • Page 490: SNMP Inspection

    To specify the versions of SNMP to deny, enter the following command for each version: hostname(config-snmp-map)# deny version version hostname(config-snmp-map)# where version is 1, 2, 2c, or 3. The following example denies SNMP Versions 1 and 2:
    hostname(config)# snmp-map sample_map
    hostname(config-snmp-map)# deny version 1
  • Page 491: SQL*Net Inspection

    This section describes Sun RPC application inspection. This section includes the following topics: Sun RPC Inspection Overview, page 25-74; Managing Sun RPC Services, page 25-74; Verifying and Monitoring Sun RPC Inspection, page 25-75
  • Page 492: Sun RPC Inspection Overview

    To clear the active Sun RPC services, enter the following command: hostname(config)# clear sunrpc-server active This clears the pinholes that are opened by Sun RPC application inspection for specific services, such as NFS or NIS.
  • Page 493: Verifying and Monitoring Sun RPC Inspection

    100003 3 tcp 2049 nfs
    100021 1 udp 32771 nlockmgr
    100021 3 udp 32771 nlockmgr
    100021 4 udp 32771 nlockmgr
    100021 1 tcp 32852 nlockmgr
    100021 3 tcp 32852 nlockmgr
    100021 4 tcp 32852 nlockmgr
  • Page 494: TFTP Inspection

    When XDMCP is used, the display is negotiated using IP addresses, which the security appliance can NAT if needed. XDMCP inspection does not support PAT.
  • Page 495: Configuring ARP Inspection

    • If the ARP packet does not match any entries in the static ARP table, then you can set the security appliance to either forward the packet out all interfaces (flood), or to drop the packet.
  • Page 496: Chapter 26 Configuring ARP Inspection and Bridging Parameters

    Where flood forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching packets. The default setting is to flood non-matching packets. Note: To restrict ARP through the security appliance to only static entries, set this command to no-flood.
  • Page 497: Customizing the MAC Address Table

    One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry,
  • Page 498: Setting the MAC Address Timeout

    The following is sample output from the show mac-address-table command that shows the table for the inside interface:
    hostname# show mac-address-table inside
    interface mac address type Time Left
    -----------------------------------------------------------------------
    inside 0010.7cbe.6101 static
  • Page 499 inside 0009.7cbe.5101 dynamic
  • Page 501 Part: Configuring VPN...
  • Page 503: Tunneling Overview

    It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
  • Page 504: Chapter 27 Configuring IPSec and ISAKMP

    A remote access VPN lets remote users securely access centralized network resources. The Cisco VPN client complies with the IPSec protocol and is specifically designed to work with the security appliance. However, the security appliance can establish IPSec connections with many protocol-compliant clients.
  • Page 505 MD5 (HMAC variant) The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack.
  • Page 506 The higher the Diffie-Hellman group number, the greater the security. Cisco VPN Client Version 3.x or higher requires a minimum of Group 2. (If you configure DH Group 1, the Cisco VPN Client cannot connect.) AES support is available on security appliances licensed for VPN-3DES only.
  • Page 507: Configuring ISAKMP Policies

    Specify the SA lifetime. This example sets a lifetime of 4 hours (14400 seconds). The default is 86400 seconds (24 hours). crypto isakmp policy priority lifetime seconds For example: hostname(config)# crypto isakmp policy 2 lifetime 14400
  • Page 508: Enabling ISAKMP on the Outside Interface

    If you have disabled aggressive mode, and want to revert back to it, use the no form of the command. For example: hostname(config)# no crypto isakmp am-disable Note: Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to establish tunnels to the security appliance. However, they may use certificate-based authentication (that is, ASA or RSA) to establish tunnels.
  • Page 509: Enabling IPSec over NAT-T

    NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default. With the exception of the home zone on the Cisco ASA 5505, the security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with which it is exchanging data.
  • Page 510: Enabling IPSec over TCP

    NAT devices that do support IP fragmentation. Enabling IPSec over TCP: IPSec over TCP enables a Cisco VPN client to operate in an environment in which standard ESP or ISAKMP cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the ISAKMP and IPSec protocols within a TCP-like packet, and enables secure tunneling through both NAT and PAT devices and firewalls.
  • Page 511: Waiting for Active Sessions to Terminate Before Rebooting

    The security appliance can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients and VPN 3002 hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane.
  • Page 512: Creating a Certificate Group Matching Rule and Policy

    Requiring only one criterion to match is equivalent to a logical OR operation. The following example enables mapping of certificate-based ISAKMP sessions to a tunnel group based on the content of the phase1 ISAKMP ID: hostname(config)# tunnel-group-map enable ike-id hostname(config)#
  • Page 513: Using the tunnel-group-map default-group Command

    IPSec SAs control the actual transmission of user traffic. SAs are unidirectional, but are generally established in pairs (inbound and outbound). The peers negotiate the settings to use for each SA. Each SA consists of the following:
  • Page 514: Understanding Transform Sets

    The ACL assigned to a crypto map consists of all of the ACEs that have the same access-list-name, as shown in the following command syntax: access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
  • Page 515 Each ACE contains a permit or deny statement. Table 27-2 explains the special meanings of permit and deny ACEs in ACLs applied to crypto maps.
  • Page 516 Phase 2 SA. Note: To route inbound, unencrypted traffic as clear text, insert deny ACEs before permit ACEs. Figure 27-1 shows an example LAN-to-LAN network of security appliances.
  • Page 517 The sequence number assigned to the crypto ACL determines its position in the evaluation sequence within the crypto map set.
  • Page 518 Redirection to the next crypto map in the crypto map set. Response when a packet either matches an ACE or fails to match all of the permit ACEs in a crypto map set.
  • Page 519 When it matches the packet to the permit ACE in that crypto map, it applies the associated IPSec security (strong encryption and frequent rekeying).
  • Page 520 (Table residue) A B permit; A C permit; B C permit; C B permit; A.3 B permit; A.3 C. Figure 27-3 maps the conceptual addresses shown in Figure 27-1 to real IP addresses.
  • Page 521 192.168.201.0 255.255.255.224 192.168.12.0 255.255.255.248 You can apply the same reasoning shown in the example network to use cascading ACLs to assign different security settings to different hosts or subnets protected by a Cisco security appliance.
  • Page 522: Applying Crypto Maps to Interfaces

    Regardless of whether the traffic is inbound or outbound, the security appliance evaluates traffic against the access lists assigned to an interface. You assign IPSec to an interface as follows: Step 1: Create the access lists to be used for IPSec.
  • Page 523 “mirror image” crypto access list at the remote peer. The crypto maps should also support common transforms and refer to the other system as a peer. This ensures correct processing of IPSec by both peers.
  • Page 524: Changing IPSec SA Lifetimes

    To create a basic IPSec configuration using a static crypto map, perform the following steps: Step 1: To create an access list to define the traffic to protect, enter the following command: access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask For example:
  • Page 525 10 set security-association lifetime seconds 2700 This example shortens the timed lifetime for the crypto map “mymap 10” to 2700 seconds (45 minutes). The traffic volume lifetime is not changed.
  • Page 526: Using Dynamic Crypto Maps

    VPN clients typically do not have static IP addresses; they require a dynamic crypto map to allow IPSec negotiation to occur. For example, the headend assigns the IP address to a Cisco VPN client during IKE negotiation, which the client then uses to negotiate IPSec SAs.
  • Page 527 Step 2: Specify which transform sets are allowed for this dynamic crypto map. List multiple transform sets in order of priority (highest priority first). crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1, [transform-set-name2, …transform-set-name9] For example: crypto dynamic-map dyn 10 set transform-set myset1 myset2
  • Page 528: Providing Site-to-Site Redundancy

    Viewing an IPSec Configuration: Table 27-5 lists commands you can enter to view information about your IPSec configuration.
  • Page 529: Clearing Security Associations

    The clear configure crypto command includes arguments that let you remove elements of the crypto configuration, including IPSec, crypto maps, dynamic crypto maps, CA trustpoints, all certificates, certificate map configurations, and ISAKMP.
  • Page 530: Supporting the Nokia VPN Client

    Be aware that if you enter the clear configure crypto command without arguments, you remove the entire crypto configuration, including all certificates. For more information, see the clear configure crypto command in the Cisco Security Appliance Command Reference. Supporting the Nokia VPN Client: The security appliance supports connections from Nokia VPN Clients on Nokia 92xx Communicator series phones using the Challenge/Response for Authenticated Cryptographic Keys (CRACK) protocol.
  • Page 531 CN, OU, O, C, St, L. To learn more about the Nokia services required to support the CRACK protocol on Nokia clients, and to ensure they are installed and configured properly, contact your local Nokia representative.
  • Page 533: L2TP Overview

    L2TP with IPSec on the security appliance allows the LNS to interoperate with the Windows 2000 L2TP client. Interoperability with LACs from Cisco and other vendors is currently not supported. Only L2TP with IPSec is supported; native L2TP itself is not supported on the security appliance.
  • Page 534: IPSec Transport and Tunnel Modes

    (Figure: IPSec in Tunnel and Transport Modes.) Tunnel mode: New IP HDR | IPSec HDR | IP HDR | Data, with the original IP HDR and Data encrypted. Transport mode: IP HDR | IPSec HDR | Data, with Data encrypted.
  • Page 535: Chapter 28 Configuring L2TP over IPSec

    Note: The security appliance does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click Start>Programs>Administrative...
  • Page 536 If the user is an L2TP client using Microsoft CHAP, Version 1 or Version 2, and the security appliance is configured to authenticate against the local database, you must include the mschap keyword. For example: hostname(config)# username t_wmith password eu5d93h mschap
  • Page 537: Tunnel Group Switching

    : 70.208.1.212
    Protocol : L2TPOverIPSec
    Encryption : 3DES
    Hashing : SHA1
    Bytes Tx : 418464
    Bytes Rx : 424440
    Client Type
    Client Ver
    Group Policy : DfltGrpPolicy
    Tunnel Group : DefaultRAGroup
  • Page 538 Group Policy : DfltGrpPolicy
    Tunnel Group : l2tpcert
    Login Time : 14:35:15 UTC Thu Mar 30 2006
    Duration : 0h:00m:07s
    Filter Name
    NAC Result : N/A
    Posture Token:
    IKE Sessions: 1
  • Page 539: Using L2TP Debug Commands

    The following example enables L2TP debug messages for connection events. The show debug command reveals that L2TP debug messages are enabled.
    hostname# debug l2tp event 1
    hostname# show debug
    debug l2tp event enabled at level 1
    hostname#
  • Page 540: Enabling IPSec Debug

    “%windir%\debug\oakley.log”. Getting Additional Information: Additional information on various topics can be found at www.microsoft.com: http://support.microsoft.com/support/kb/articles/Q240/2/62.ASP How to Configure an L2TP/IPSec Connection Using Pre-Shared Keys Authentication: http://support.microsoft.com/support/kb/articles/Q253/4/98.ASP
  • Page 541 How to use a Windows 2000 Machine Certificate for L2TP over IPSec VPN Connections: http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp#heading3 How to Create a Custom MMC Console and Enabling Audit Policy for Your Computer: http://support.microsoft.com/support/kb/articles/Q259/3/35.ASP
  • Page 543: Configuring VPNs in Single, Routed Mode

    Using an ACL is more secure because you can specify the exact traffic you want to allow through the security appliance. The syntax is sysopt connection permit-ipsec. The command has no keywords or arguments. The following example enables IPSec traffic through the security appliance without checking ACLs:
  • Page 544: Chapter 29 Setting General IPSec VPN Parameters

    For more information, see the “Configuring Interface Parameters” chapter of this guide. To use hairpinning, you must apply the proper NAT rules to the security appliance interface, as discussed in the following section.
  • Page 545: NAT Considerations for Intra-Interface Traffic

    For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. This command applies only to the IPSec remote-access tunnel-group type.
  • Page 546 “salesgrp”. It designates the revision number, 4.7, and uses the TFTP protocol for retrieving the updated software from the site with the IP address 192.168.1.1:
    hostname(config)# tunnel-group salesgrp type ipsec-ra
    hostname(config)# tunnel-group salesgrp ipsec-attributes
    hostname(config-tunnel-ipsec)# client-update type vpn3002 url tftp:192.168.1.1 rev-nums
    hostname(config-tunnel-ipsec)#
  • Page 547: Understanding Load Balancing

    The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of virtual cluster master is not
  • Page 548: Implementing Load Balancing

    In a second transaction (transparent to the user), the client connects directly to that host. In this way, the virtual cluster master directs traffic evenly and efficiently across resources. Note: All clients other than the Cisco VPN Client or the Cisco 3002 Hardware Client should connect directly to the security appliance as usual;...
  • Page 549: Eligible Platforms

    • Cisco VPN 3002 Hardware Client (Release 3.5 or later) • Cisco PIX 501/506E when acting as an Easy VPN client. Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.
  • Page 550: Some Typical Mixed Cluster Scenarios

    If the cluster master fails, another peer assumes the role of master. The new master might be any of the eligible peers. Because of the innate unpredictability of the results, we recommend that you avoid configuring this type of cluster.
  • Page 551: Configuring Load Balancing

    Step 4: If you want to apply network address translation for this device, enter the nat command with the NAT assigned address for the device: hostname(config-load-balancing)# nat ip_address hostname(config-load-balancing)# For example, to assign this device a NAT address of 192.168.30.3, enter the following command: hostname(config-load-balancing)# nat 192.168.30.3 hostname(config-load-balancing)#
  • Page 552: Configuring the Load Balancing Cluster Attributes

    Load Balancing Cluster check box), and encryption is not enabled for the cluster. To use cluster encryption, you must enable isakmp on the inside interface, using the crypto isakmp enable command with the inside interface specified.
  • Page 553: Configuring VPN Session Limits

    The following example shows the command and the licensing information excerpted from the output of this command: hostname(config)# show version Cisco Adaptive Security Appliance Software Version 7.1(0)182 Device Manager Version 5.1(0)128 Licensed features for this platform:...
  • Page 554 To remove the session limit, use the no version of this command: hostname(config)# no vpn-sessiondb max-webvpn-session-limit hostname(config)# For a complete description of the features available with each license, see Appendix A, Feature Licenses and Specifications.
  • Page 555: Overview Of Tunnel Groups, Group Policies, And Users

    In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Tunnel groups and group policies provide the flexibility to do so securely. Cisco Security Appliance Command Line Configuration Guide 30-1 OL-10088-01...
  • Page 556: C H A P T E R 30 Configuring Tunnel Groups, Group Policies, And Users

    Authenticating users – Obtaining information about services users are authorized to access – Storing accounting records – A server group can consist of one or more servers. Cisco Security Appliance Command Line Configuration Guide 30-2 OL-10088-01...
  • Page 557: Ipsec Tunnel-Group Connection Parameters

    There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers: Cisco VPN client (Release 3.0 and above) –...
  • Page 558: Webvpn Tunnel-Group Connection Parameters

    Cisco Secure PIX Firewall – Non-Cisco VPN clients do not support IKE keepalives. If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.
  • Page 559: Configuring Tunnel Groups

    CN OU tunnel-group DefaultRAGroup ipsec-attributes no pre-shared-key peer-id-validate req no chain no trust-point isakmp keepalive threshold 100 retry 2 isakmp ikev1-user-authentication xauth Cisco Security Appliance Command Line Configuration Guide 30-5 OL-10088-01...
  • Page 560: Configuring Ipsec Tunnel-Group General Attributes

    WebVPN tunnels share most of the same general attributes. IPSec LAN-to-LAN tunnels use a subset. Refer to the Cisco Security Appliance Command Reference for complete descriptions of all commands. The following sections describe, in order, how to configure IPSec remote-access tunnel groups, IPSec LAN-to-LAN tunnel groups, and WebVPN tunnel groups.
  • Page 561 [...server10] hostname(config-tunnel-general)# address-pool [(interface name)] address_pool1 [...address_pool6] hostname(config-tunnel-general)# The interface name must be enclosed in parentheses. Note You configure address pools with the ip local pool command in global configuration mode. Cisco Security Appliance Command Line Configuration Guide 30-7 OL-10088-01...
  • Page 562 The following example inherits the authentication server group from the default remote access group. hostname(config-group-policy)# no nac-authentication-server-group hostname(config-group-policy) NAC requires a Cisco Trust Agent on the remote host. Note Specify whether to strip the group or the realm from the username before passing it on to the AAA server.
  • Page 563 This attribute specifies what part of the subject DN field to use as the username for authorization: hostname(config-tunnel-ipsec)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name} For example, the following command specifies the use of the CN attribute as the username for authorization: hostname(config-tunnel-ipsec)# hostname(config-ipsec)# authorization-dn-attributes CN hostname(config-tunnel-ipsec)# Cisco Security Appliance Command Line Configuration Guide 30-9 OL-10088-01...
  • Page 564: Configuring IPSec Remote-Access Tunnel Group IPSec Attributes

    Step 4 Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission: ...
  • Page 565 When there are two isakmp ikev1-user-authentication commands specified for a tunnel group, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.
  • Page 566: Configuring IPSec Remote-Access Tunnel Group PPP Attributes

    For example, the following command enables the use of the PAP protocol for a PPP connection: hostname(config-tunnel-ppp)# authentication pap hostname(config-tunnel-ppp)# The following command enables the use of the MS-CHAP, version 2 protocol for a PPP connection: ...
  • Page 567: Configuring LAN-to-LAN Tunnel Groups

    For a LAN-to-LAN tunnel, the type is ipsec-l2l; for example, to create the LAN-to-LAN tunnel group named docs, enter the following command: hostname(config)# tunnel-group docs type ipsec-l2l hostname(config)#
  • Page 568: Configuring LAN-to-LAN Tunnel Group General Attributes

    The prompt changes to indicate that you are now in tunnel-group ipsec-attributes configuration mode. Step 2 Specify the preshared key to support IKE connections based on preshared keys. hostname(config-tunnel-ipsec)# pre-shared-key key hostname(config-tunnel-ipsec)#
  • Page 569 To specify that the central site (“head end”) should never initiate ISAKMP monitoring, enter the following command: hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite hostname(config-tunnel-ipsec)# Step 7 Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.
  • Page 570: Configuring WebVPN Tunnel Groups

    For an IPSec remote-access tunnel, the type is webvpn: hostname(config)# tunnel-group tunnel_group_name type webvpn hostname(config)# For example, to create a WebVPN tunnel-group named TunnelGroup3, enter the following command: hostname(config)# tunnel-group TunnelGroup3 type webvpn hostname(config)#
  • Page 571: Configuring WebVPN Tunnel-Group General Attributes

    For example, the following command specifies the use of the authorization-server group FinGroup: hostname(config-tunnel-general)# authorization-server-group FinGroup hostname(config-tunnel-general)# Step 4 Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.
  • Page 572 Chapter 31, “Configuring IP Addresses for VPNs” for information about configuring address pools. Step 9 Optionally, if your server is a RADIUS, RADIUS with NT, or LDAP server, you can enable password management.
  • Page 573 AAA server, by entering the override-account-disable command: hostname(config-tunnel-general)# override-account-disable hostname(config-tunnel-general)#
  • Page 574: Configuring WebVPN Tunnel-Group WebVPN Attributes

    “123” that defines a password prompt. The example then defines a WebVPN tunnel-group named “test” and uses the customization command to specify the use of the WebVPN customization named “123”: hostname(config)# webvpn hostname(config-webvpn)# customization 123 hostname(config-webvpn-custom)# password-prompt Enter password hostname(config-webvpn)# exit
  • Page 575 [enable | disable] hostname(config-tunnel-webvpn)# For example, to enable the aliases QA and Devtest for a tunnel-group named QA, enter the following commands: hostname(config-tunnel-webvpn)# group-alias QA enable hostname(config-tunnel-webvpn)# group-alias Devtest enable hostname(config-tunnel-webvpn)#
  • Page 576 10.10.10.1 server1 hostname(config-tunnel-webvpn)# dns-group server1 hostname(config-tunnel-webvpn)# Step 7 (Optional) To specify a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to “Use Failure Group-Policy” or “Use Success Group-Policy, if criteria match,”...
  • Page 577: Customizing Login Windows for WebVPN Users

    • Clients that match a CSD location entry set to “Use Success Group-Policy, if criteria match,” and then fail to match the configured Group-Based Policy criteria. For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
  • Page 578: Configuring Microsoft Active Directory Settings for Password Management

    To force a user to change the user password at the next logon, specify the password-management command in tunnel-group general-attributes configuration mode on the security appliance and do the following steps under Active Directory:
  • Page 579 30-1). Figure 30-1 Active Directory—Administrative Tools Menu Step 2 Right-click Username > Properties > Account. Step 3 Check the check box for User must change password at next logon (Figure 30-2).
  • Page 580: Using Active Directory to Specify Maximum Password Age

    Step 2 Double-click Maximum password age. This opens the Security Policy Setting dialog box. Step 3 Check the Define this policy setting check box and specify the maximum password age, in days, that you want to allow.
  • Page 581: Using Active Directory to Override an Account Disabled AAA Indicator

    Step 1 Select Start > Programs > Administrative Tools > Active Directory Users and Computers. Step 2 Right-click Username > Properties > Account and select Disable Account from the menu.
  • Page 582: Using Active Directory to Enforce Minimum Password Length

    Step 3 Double-click Minimum Password Length. This opens the Security Policy Setting dialog box. Step 4 Check the Define this policy setting check box and specify the minimum number of characters that the password must contain.
  • Page 583: Using Active Directory to Enforce Password Complexity

    Security Settings > Account Policies > Password Policy. Step 2 Double-click Password must meet complexity requirements to open the Security Policy Setting dialog box. Step 3 Check the Define this policy setting check box and select Enable.
  • Page 584: Group Policies

    You can configure internal and external group policies. Internal groups are configured on the security appliance’s internal database. External groups are configured on an external authentication server, such as RADIUS. Group policies include the following attributes: • Identity • Server definitions • ...
  • Page 585: Default Group Policy

    The default group policy, DfltGrpPolicy, that the security appliance provides is as follows: group-policy DfltGrpPolicy internal group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 2000 vpn-idle-timeout none vpn-session-timeout none vpn-filter none ...
  • Page 586 You can modify the default group policy, and you can also create one or more group policies specific to your environment.
  • Page 587: Configuring Group Policies

    Class attribute (#25), the security appliance uses that attribute to authenticate the Group Name. On the RADIUS server, the attribute must be formatted as: OU=groupname; where groupname is identical to the Group Name configured on the security appliance—for example, OU=Finance.
  • Page 588: Configuring an Internal Group Policy

    WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command. The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named FirstGroup:
  • Page 589: Configuring VPN-Specific Attributes

    A group policy can inherit a time-range value from a default or specified group policy. To prevent this inheritance, enter the none keyword instead of the name of a time-range in this command. This keyword sets VPN access hours to a null value, which allows no time-range policy.
  • Page 590 Specifying the none keyword permits an unlimited session timeout period and sets session timeout with a null value, which disallows a session timeout.
  • Page 591 VPN tunnel. The following example shows how to configure the IPSec tunneling mode for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# vpn-tunnel-protocol IPSec hostname(config-group-policy)#
  • Page 592: Configuring Security Attributes

    Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.
  • Page 593 To disable perfect forward secrecy, enter the pfs command with the disable keyword. To remove the perfect forward secrecy attribute from the running configuration and prevent inheriting a value, enter the no form of this command. hostname(config-group-policy)# no pfs hostname(config-group-policy)#
  • Page 594: Configuring the Banner Message

    This enables inheritance of a value for IPSec over UDP from another group policy. The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.
  • Page 595: Configuring Split-Tunneling Attributes

    The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.
  • Page 596: Configuring Domain Attributes for Tunneling

    The no form allows inheriting a domain name. The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:
  • Page 597 {enable | disable} hostname(config-group-policy)# The netmask variable provides the subnet mask for the tunnel IP address. The no version of the command removes the DHCP intercept from the configuration.
  • Page 598: Configuring Attributes for VPN Hardware Clients

    The commands in this section enable or disable secure unit authentication and user authentication, and set a user authentication timeout value for VPN hardware clients. They also let you allow Cisco IP phones and LEAP packets to bypass individual user authentication and allow hardware clients using Network Extension Mode to connect.
  • Page 599 Configuring IP Phone Bypass You can allow Cisco IP phones to bypass individual user authentication behind a hardware client. To enable IP Phone Bypass, enter the ip-phone-bypass command with the enable keyword in group-policy configuration mode. IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes.
  • Page 600 When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication.
  • Page 601: Configuring Backup Server Attributes

    IP address or hostname. The list can be 500 characters long, and it can contain up to 10 entries. The following example shows how to configure backup servers with IP addresses 10.10.10.1 and 192.168.10.14, for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# backup-servers 10.10.10.1 192.168.10.14
  • Page 602: Configuring Microsoft Internet Explorer Client Parameters

    The following example shows how to configure auto-detect as the Microsoft Internet Explorer proxy setting for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# msie-proxy method auto-detect hostname(config-group-policy)#
  • Page 603 By default, msie-proxy local-bypass is disabled. The following example shows how to enable Microsoft Internet Explorer proxy local-bypass for the group policy named FirstGroup: hostname(config)# group-policy FirstGroup attributes hostname(config-group-policy)# msie-proxy local-bypass enable hostname(config-group-policy)#
  • Page 604: Configuring Network Admission Control Parameters

    86400. The default setting is 36000. To specify the interval between each successful posture validation in a Network Admission Control session, use the nac-reval-period command in group-policy configuration mode: hostname(config-group-policy)# nac-reval-period seconds hostname(config-group-policy)#
  • Page 605 Step 4 Configure NAC exemptions for VPN. By default, the exemption list is empty. The default value of the filter attribute is none. Enter the vpn-nac-exempt command once for each operating system (and ACL) to be matched to exempt remote hosts from posture validation.
  • Page 606 "Windows 98" filter acl-1 disable hostname(config-group-policy)# The following example removes the same entry from the exemption list, regardless of whether it is disabled: hostname(config-group-policy)# no vpn-nac-exempt os "Windows 98" filter acl-1 hostname(config-group-policy)#
  • Page 607: Configuring Address Pools

    [...address_pool6] hostname(config-group-policy)# The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy: hostname(config-group-policy)# address-pools none hostname(config-group-policy)#
  • Page 608: Configuring Firewall Policies

    VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by...
  • Page 609 Table 30-1, following this set of commands, explains the syntax elements of these commands: Cisco Integrated Firewall hostname(config-group-policy)# client-firewall {opt | req} cisco-integrated acl-in ACL acl-out ACL Cisco Security Agent hostname(config-group-policy)# client-firewall {opt | req} cisco-security-agent No Firewall...
  • Page 610 Specifies Zone Labs Zone Alarm Pro firewall type. The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup:
  • Page 611: Configuring Client Access Rules

    To delete a rule, enter the no form of this command. This command is equivalent to the following command: hostname(config-group-policy)# client-access-rule 1 deny type "Cisco VPN Client" version To delete all rules, enter the no client-access-rule command without arguments. This deletes all configured rules, including a null rule if you created one by issuing the client-access-rule command with the none keyword.
  • Page 612: Configuring Group-Policy Webvpn Attributes

    * character as a wildcard. The following example shows how to create client access rules for the group policy named FirstGroup. These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT clients:...
  • Page 613 WebVPN. They also identify ACLs and types of traffic to filter. WebVPN is disabled by default. See the description of WebVPN in Cisco Security Appliance Command Line Configuration Guide and Cisco Security Appliance Command Reference for more information about configuring the WebVPN attributes.
  • Page 614 For example, to use the customization named blueborder, enter the following command: hostname(config-group-webvpn)# customization blueborder
  • Page 615 Specify whether to filter Java, ActiveX, images, scripts, and cookies for WebVPN sessions for this group policy by using the html-content-filter command in webvpn mode. HTML filtering is disabled by default.
  • Page 616 The url-string variable following the keyword value provides a URL for the home page. The string must begin with either http:// or https://. hostname(config-group-webvpn)# homepage {value url-string | none} hostname(config-group-webvpn)# no homepage hostname(config-group-webvpn)#
  • Page 617 The none keyword indicates that there is no webvpntype access list. It sets a null value, thereby disallowing an access list and preventing inheritance of an access list from another group policy. The ACLname string following the keyword value provides the name of the previously configured access list.
  • Page 618 WebVPN connection. Enter the port-forward command in global configuration mode to define this list.
  • Page 619 To specify the upper limit of the HTTP/HTTPS traffic, per transaction, to ignore, use the keep-alive-ignore command in group-policy attributes webvpn configuration mode: hostname(config-group-webvpn)# keep-alive-ignore size hostname(config-group-webvpn)# The no form of the command removes this specification from the configuration: hostname(config-group-webvpn)# no keep-alive-ignore hostname(config-group-webvpn)#
  • Page 620 The following example creates the group policy “my-sso-grp-pol” and assigns it to the SSO server named “example”: hostname(config)# group-policy my-sso-grp-pol internal hostname(config)# group-policy my-sso-grp-pol attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# sso-server value example hostname(config-group-webvpn)#
  • Page 621 {deflate | none} hostname(config-group-webvpn)# The following example disables SVC compression for the group policy named sales: hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# svc compression none hostname(config-group-webvpn)#
  • Page 622 To remove the command from the configuration, use the no form of this command: hostname(config-group-webvpn)# svc keep-installer {installed | none} hostname(config-group-webvpn)# no svc keep-installer {installed | none} hostname(config-group-webvpn)#
  • Page 623: Configuring User Attributes

    For example, you can specify a group policy giving all users access during business hours, but give a specific user 24-hour access.
  • Page 624: Viewing the Username Configuration

    Table 30-6 username Command Keywords and Variables (Keyword/Variable: Meaning): encrypted: Indicates that the password is encrypted. name: Provides the name of the user. nopassword: Indicates that this user needs no password.
  • Page 625: Configuring User Attributes

    FirstGroup hostname(config-username)# Configuring Access Hours Associate the hours that this user is allowed to access the system by specifying the name of a configured time-range policy:
  • Page 626 The following example shows how to set a VPN idle timeout of 15 minutes for the user named anyuser: hostname(config)# username anyuser attributes hostname(config-username)# vpn-idle-timeout 30 hostname(config-username)#
  • Page 627 Specify the IP address and netmask to assign to a particular user. To remove the IP address, enter the no form of this command. hostname(config-username)# vpn-framed-ip-address {ip_address} hostname(config-username)# no vpn-framed-ip-address hostname(config-username)# The following example shows how to set an IP address of 10.92.166.7 for a user named anyuser:
  • Page 628 This option allows inheritance of a value from the group policy. To disable group-lock, and to prevent inheriting a group-lock value from a default or specified group policy, enter the group-lock command with the none keyword.
  • Page 629: Configuring WebVPN for Specific Users

    Notice that the prompt changes, indicating that you are now in username webvpn configuration mode. hostname(config-username)# webvpn hostname(config-username-webvpn)# To remove all commands entered in username webvpn configuration mode, use the no form of this command: hostname(config-username)# no webvpn hostname(config-username)#
  • Page 630 [auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | mapi | none | port-forward | url-entry] Table 30-7 describes the meaning of the keywords used in this command.
  • Page 631 It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer. • mapi—Enables or disables Microsoft Outlook/Exchange port forwarding.
  • Page 632 The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the user named anyuser: hostname(config)# username anyuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# html-content-filter java cookies images hostname(config-username-webvpn)#
  • Page 633 WebVPN customization named 123: hostname(config)# webvpn hostname(config-webvpn)# customization 123 hostname(config-webvpn-custom)# password-prompt Enter password hostname(config-webvpn)# exit hostname(config)# username testuser nopassword hostname(config)# username testuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# customization value 123 hostname(config-username-webvpn)#
  • Page 634 The ACLname string following the keyword value provides the name of the previously configured access list. Note: WebVPN does not use ACLs defined in the vpn-filter command.
  • Page 635 The listname string following the keyword value identifies the list of applications WebVPN users can access. Enter the port-forward command in configuration mode to define the list.
  • Page 636 To automatically submit the WebVPN login credentials of a particular WebVPN user to internal servers using NTLM, basic HTTP authentication or both, use the auto-signon command in username webvpn configuration mode.
  • Page 637 In the following example, compression is disabled for the username testuser: hostname(config)# username testuser internal hostname(config)# username testuser attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# http-comp none hostname(config-username-webvpn)#
  • Page 638 SVC features for a specific user. This feature is disabled by default. If you enable or require SVC, you can then enable a succession of svc commands, described in this section. To enable SVC and its related svc commands, do the following steps in username webvpn configuration mode:
  • Page 639 (gateway) to 3000 seconds, and the DPD frequency performed by the client to 1000 seconds for the existing user named sales: hostname(config)# username sales attributes hostname(config-username)# webvpn hostname(config-username-webvpn)# svc dpd-interval gateway 3000 hostname(config-username-webvpn)# svc dpd-interval client 1000 hostname(config-username-webvpn)#
  • Page 640 1 through 10080 (1 week). For the no form of the command, only the minimum is necessary. The following example is correct: hostname(config-username-webvpn)# no svc rekey method hostname(config-username-webvpn)#
  • Page 641 In the following example, the user configures the SVC to renegotiate with SSL during rekey and configures the rekey to occur 30 minutes after the session begins: hostname(config-username-webvpn)# svc rekey method ssl hostname(config-username-webvpn)# svc rekey time 30 hostname(config-username-webvpn)#
  • Page 642 Chapter 30 Configuring Tunnel Groups, Group Policies, and Users Configuring User Attributes
  • Page 643: Configuring an IP Address Assignment Method

    IP addresses to use. To specify a method for assigning IP addresses to remote access clients, enter the vpn-addr-assign command in global configuration mode. The syntax is vpn-addr-assign {aaa | dhcp | local}.
  • Page 644: Chapter 31 Configuring IP Addresses for VPNs

    Configuring AAA Addressing To use a AAA server to assign addresses for VPN remote access clients, you must first configure a AAA server or server group. See the aaa-server protocol command in the Cisco Security Appliance Command Reference and “Identifying AAA Server Groups and Servers,”...
  • Page 645: Configuring DHCP Addressing

    RAD2 hostname(config-general)# This command has more arguments than this example includes. For more information, see the Cisco Security Appliance Command Reference. Configuring DHCP Addressing To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use.
  • Page 646 (Optional) To specify the range of IP addresses the DHCP server should use to assign addresses to users of the group policy called remotegroup, enter the dhcp-network-scope command. The following example configures a network scope of 192.86.0.0. hostname(config-group-policy)# dhcp-network-scope 192.86.0.0 hostname(config-group-policy)#
  • Page 647: Summary of the Configuration

    FirstSet esp-3des esp-md5-hmac hostname(config)# tunnel-group testgroup type ipsec-ra hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool hostname(config)# tunnel-group testgroup ipsec-attributes hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
  • Page 648: Chapter 32 Configuring Remote Access IPSec VPNs

    Step 5 To save your changes, enter the write memory command. hostname(config-if)# write memory hostname(config-if)# Step 6 To configure a second interface, use the same procedure.
  • Page 649: Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface

    Step 5 Set the encryption key lifetime. The following example configures 43,200 seconds (12 hours). hostname(config)# isakmp policy 1 lifetime 43200 hostname(config)# Step 6 Enable ISAKMP on the interface named outside. hostname(config)# isakmp enable outside hostname(config)#
  • Page 650: Configuring an Address Pool

    Creating a Transform Set For more overview information, including a table that lists valid encryption and authentication methods, see Chapter 36, “Configuring LAN-to-LAN IPSec VPNs” of this guide.
  • Page 651: Defining a Tunnel Group

    In the following example the name of the group is testgroup and the name of the address pool is testpool. hostname(config)# tunnel-group testgroup general-attributes hostname(config-general)# address-pool testpool
  • Page 652: Creating A Dynamic Crypto Map

    You need to use the same preshared key on both the security appliance and the client. The preshared key must be no larger than that used by the VPN client.
    Note: If a Cisco VPN Client with a different preshared key size tries to connect to a security appliance, the client logs an error message indicating it failed to authenticate the peer.
  • Page 653: Creating A Crypto Map Entry To Use The Dynamic Crypto Map

    Step 2 To apply the crypto map to the outside interface, enter the crypto map interface command. The syntax is crypto map map-name interface interface-name.
    hostname(config)# crypto map mymap interface outside
    hostname(config)#
  • Page 654 Chapter 32 Configuring Remote Access IPSec VPNs: Creating a Crypto Map Entry to Use the Dynamic Crypto Map
  • Page 655: Uses, Requirements, And Limitations

    PCs.
    Note: When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access Control Server, requiring that you install a minimum of one Access Control Server on the network to provide NAC authentication services.
  • Page 656: C H A P T E R 33 Configuring Network Admission Control

    Specifying the Access Control Server Group
    You must configure at least one Cisco Access Control Server to support NAC. Then use the aaa-server host command to name the Access Control Server group, even if the group contains only one server. Then...
  • Page 657: Configuring The Default Acl For Nac

    You also have the option of disinheriting the ACL from the default group policy and specifying no NAC default ACL. To do so, enter the following command:
    nac-default-acl none
    For example:
    hostname(config-group-policy)# nac-default-acl none
    hostname(config-group-policy)
  • Page 658: Configuring Exemptions From Nac

    To remove an entry from the exemption list, enter the following command, naming the operating system (and ACL) in the exemption to be removed.
    no vpn-nac-exempt [os "os name"] [filter acl-name]
  • Page 659: Changing Advanced Settings

    NAC support for clientless authentication is configurable. It applies to hosts that do not have a posture agent, such as the Cisco Trust Agent. The security appliance applies the default access policy, sends the EAP over UDP request for posture validation, and the request times out. If the security appliance is not configured to request a policy for clientless hosts from the Access Control Server, it retains the default access policy already in use for the clientless host.
  • Page 660: Changing The Login Credentials Used For Clientless Authentication

    For example:
    hostname(config)# no eou clientless username
    hostname(config)#
    To change the password to its default value, enter the following command:
    no eou clientless password
    For example:
    hostname(config)# no eou clientless password
    hostname(config)#
  • Page 661: Configuring Nac Session Attributes

    To change the retransmission retry timer to its default value, use the no form of this command, as follows:
    no eou timeout retransmit
    For example:
    hostname(config)# no eou timeout retransmit
    hostname(config)#
  • Page 662 To change the session reinitialization to its default value, use the no form of this command, as follows:
    no eou timeout hold-period
    For example:
    hostname(config)# no eou timeout hold-period
    hostname(config)#
  • Page 663: Setting The Query-For-Posture-Changes Timer

    To inherit the value of the revalidation timer from the default group policy, access the alternative group policy from which to inherit it, then enter the following command.
    no nac-reval-period
    For example:
  • Page 664 Chapter 33 Configuring Network Admission Control: Changing Advanced Settings
    hostname(config-group-policy)# no nac-reval-period
    hostname(config-group-policy)
  • Page 665 VLAN interfaces of the ASA 5505 (see Chapter 4, “Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance”).
    Note: The Easy VPN hardware client configuration specifies the IP address of its primary and secondary (backup) Easy VPN servers.
  • Page 666: Specifying The Client/Server Role Of The Cisco Asa 5505

    Specifying the Client/Server Role of the Cisco ASA 5505
    The Cisco ASA 5505 can function as a Cisco Easy VPN hardware client (also called “Easy VPN Remote”) or as a server (also called a “headend”), but not both at the same time. It does not have a default role.
  • Page 667: Specifying The Primary And Secondary Servers

    DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration for each client. The Cisco ASA 5505 configured for NEM mode supports automatic tunnel initiation. The configuration must store the group name, user name, and password.
  • Page 668: Configuring Automatic Xauth Authentication

    If you configure an ASA 5505 to use TCP-encapsulated IPSec, enter the following command to let it send large packets over the outside interface:
    hostname(config)# crypto ipsec df-bit clear-df outside
    hostname(config)#
  • Page 669: Comparing Tunneling Options

    Comparing Tunneling Options
    The tunnel types that the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depend on a combination of the following factors:
    • Use of the split-tunnel-network-list and the split-tunnel-policy commands on the headend to...
  • Page 670: Specifying The Tunnel Group Or Trustpoint

    Specifying the Tunnel Group or Trustpoint
    When configuring the Cisco ASA 5505 as an Easy VPN hardware client, you can specify a tunnel group or trustpoint configured on the Easy VPN server, depending on the Easy VPN server configuration. See...
  • Page 671: Specifying The Trustpoint

    To remove the attribute from the running configuration, enter the following command:
    no vpnclient trustpoint
    For example:
    hostname(config)# no vpnclient trustpoint
    hostname(config)#
  • Page 672: Configuring Split Tunneling

    Only the first six characters of the specific MAC address are required if you use the MAC mask ffff.ff00.0000 to specify all devices by the same manufacturer. For example, Cisco IP phones have the Manufacturer ID 00036b, so the following command exempts any Cisco IP phone, including Cisco IP phones you might add in the future:
    hostname(config)# vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000...
  • Page 673: Configuring Remote Management

    The Cisco ASA 5505, operating as an Easy VPN hardware client, supports management access using SSH or HTTPS, with or without a second layer of additional encryption. You can configure the Cisco ASA 5505 to require IPSec encryption within the SSH or HTTPS encryption.
  • Page 674: Group Policy And User Attributes Pushed To The Client

    Table 34-2 as a guide for determining which commands to enter to modify the group policy or user attributes.
    Table 34-2 Group Policy and User Attributes Pushed to the Cisco ASA 5505 Configured as an EasyVPN Hardware Client
    Command | Description...
  • Page 675 Specifies the IP address of the primary and secondary WINS servers, or prohibits the use of WINS servers.
    Note: IPSec NAT-T connections are the only IPSec connection types supported on the home VLAN of a Cisco ASA 5505. IPSec over TCP and native IPSec connections are not supported.
  • Page 676: Authentication Options

    IUA. See Configuring User Authentication, page 30-44.
    Caution: Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device is operating between the server and the Easy VPN hardware client.
    Use the user-authentication-idle-timeout command to set or remove the idle timeout period after which the Easy VPN Server terminates the client’s access.
  • Page 677: Pppoe Client Overview

    Once the session is established, a PPP link is set up, which includes authentication using Password Authentication Protocol (PAP). Once the PPP session is established, each packet is encapsulated in the PPPoE and PPP headers.
  • Page 678: Chapter 35 Configuring The Pppoe Client

    If an Auto Update Server sends a clear config command to the security appliance and the connection is then interrupted, the security appliance can read the username and password from NVRAM and re-authenticate to the Access Concentrator.
  • Page 679: Enabling Pppoe

    Using PPPoE with a Fixed IP Address
    You can also enable PPPoE by manually entering the IP address, using the ip address command from interface configuration mode in the following format:
    hostname(config-if)# ip address ipaddress mask pppoe
  • Page 680: Monitoring And Debugging The Pppoe Client

    6 packets sent, 6 received, 84 bytes sent, 0 received
    hostname#
    hostname# show vpdn tunnel
    PPPoE Tunnel Information (Total tunnels=1 sessions=1)
    Tunnel id 0, 1 active sessions
    time since change 65901 secs
    Remote Internet Address 10.0.0.1
  • Page 681: Clearing The Configuration

    RFC 1877. The client_ifx_name parameter identifies the interface supported by the DHCP auto_config option. At this time, this keyword is not required because the PPPoE client is only supported on a single outside interface.
  • Page 682 Chapter 35 Configuring the PPPoE Client: Using Related Commands
  • Page 683: Summary Of The Configuration

    1 match address l2l_list
    hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
    hostname(config)# crypto map abcmap 1 set transform-set FirstSet
    hostname(config)# crypto map abcmap interface outside
    hostname(config)# write memory
  • Page 684: C H A P T E R 36 Configuring Lan-To-Lan Ipsec Vpns

    Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection. To set the terms of the ISAKMP negotiations, you create an ISAKMP policy, which includes the following:
  • Page 685 1 lifetime 43200
    hostname(config)#
    Step 6 Enable ISAKMP on the interface named outside.
    hostname(config)# isakmp enable outside
    hostname(config)#
    Step 7 To save your changes, enter the write memory command.
    hostname(config)# write memory
    hostname(config)#
  • Page 686: Creating A Transform Set

    The ACLs that you configure for this LAN-to-LAN VPN control connections based on the source and destination IP addresses. Configure ACLs that mirror each other on both sides of the connection. To configure an ACL, perform the following steps:
  • Page 687: Defining A Tunnel Group

    You need to use the same preshared key on both security appliances for this LAN-to-LAN connection. The key is an alphanumeric string of 1-128 characters. In the following example the preshared key is 44kkaol59636jnfx.
    hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
  • Page 688: Creating A Crypto Map And Applying It To An Interface

    The syntax is crypto map map-name seq-num match address aclname. In the following example the map name is abcmap, the sequence number is 1, and the access list name is l2l_list.
    hostname(config)# crypto map abcmap 1 match address l2l_list
    hostname(config)#
  • Page 689: Applying Crypto Maps To Interfaces

    Step 1 To apply the configured crypto map to the outside interface, enter the crypto map interface command. The syntax is crypto map map-name interface interface-name.
    hostname(config)# crypto map abcmap interface outside
    hostname(config)#
    Step 2 Save your changes.
    hostname(config)# write memory
    hostname(config)#
  • Page 690 Chapter 36 Configuring LAN-to-LAN IPSec VPNs: Creating a Crypto Map and Applying It To an Interface
  • Page 691: Getting Started With Webvpn

    • NT/Active Directory file shares
    • E-mail proxies, including POP3S, IMAP4S, and SMTPS
    • MS Outlook Web Access
    • MAPI
    • Application Access (that is, port forwarding for access to other TCP-based applications)
  • Page 692: Chapter 37 Configuring Webvpn

    The security appliance does not support the following features for WebVPN connections:
    • Inspection features under the Modular Policy Framework, inspecting configuration control.
    • Functionality the filter configuration commands provide, including the vpn-filter command.
  • Page 693: Using Ssl To Access The Central Site

    The security appliance can support both WebVPN and an ASDM administrative session simultaneously on the same interface. To do so, you must assign different port numbers to these functions. An alternative is to configure WebVPN and access to ASDM on different interfaces.
  • Page 694: Setting Webvpn Http/Https Proxy

    MS Outlook, MS Outlook Express, and Eudora lack the ability to access the certificate store. For more information on authentication and authorization using digital certificates, see “Using Certificates and User Login Credentials” in the “Configuring AAA Servers and the Local Database” chapter.
  • Page 695: Enabling Cookies On Browsers For Webvpn

    This section describes the three SSO authentication methods supported by WebVPN: HTTP Basic and NTLMv1 (NT LAN Manager) authentication, the Computer Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder), and the HTTP Form protocol. This section includes:
  • Page 696: Configuring Sso With Http Basic Or Ntlm Authentication

    Specific User, IP Address Range, HTTP Basic
    To configure auto-signon for a user named Anyuser to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255 using HTTP Basic authentication, for example, enter the following commands:
  • Page 697: Configuring Sso Authentication Using Siteminder

    This key is similar to a password: you create it, save it, and enter it on both the security appliance and the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme. In addition to these required tasks, you can optionally do the following configuration tasks: •...
  • Page 698 Adding the Cisco Authentication Scheme to SiteMinder
    Besides configuring the security appliance for SSO with SiteMinder, you must also configure your CA SiteMinder Policy Server with the Cisco authentication scheme, provided as a Java plug-in.
    Note:
    • Configuring the SiteMinder Policy Server requires experience with SiteMinder.
  • Page 699: Configuring Sso With The Http Form Protocol

    • Refer to the CA SiteMinder documentation for the complete procedure for adding a custom authentication scheme.
    To configure the Cisco authentication scheme on your SiteMinder Policy Server, perform the following tasks: With the Siteminder Administration utility, create a custom authentication scheme being sure to use the...
  • Page 700 Step 3 Enter the username and password to log in to the web server, and press Enter. This action generates the authentication POST request that you examine using the HTTP header analyzer.
  • Page 701 Step 6 If you successfully log in to the web server, examine the server response with the HTTP header analyzer to locate the name of the session cookie set by the server in your browser. This is the auth-cookie-name parameter.
  • Page 702 This section presents an overview of configuring SSO with the HTTP Form protocol. To enable SSO using HTTP Forms, perform the following tasks:
    • Configure the uniform resource identifier on the authenticating web server to receive and process the form data (action-uri).
  • Page 703 Step 3 To configure a username parameter for the HTTP POST request, enter the user-parameter command in aaa-server-host configuration mode. For example, the following command configures the username parameter userid:
    hostname(config-aaa-server-host)# user-parameter userid
  • Page 704: Authenticating With Digital Certificates

    “Configuring AAA Servers and the Local Database” chapter.
    Creating and Applying WebVPN Policies
    Creating and applying WebVPN policies that govern access to resources at the central site includes the following tasks:
  • Page 705: Creating Port Forwarding, Url, And Access Lists In Global Configuration Mode

    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the class attribute to the group policy name in the format OU=group_name
  • Page 706: Configuring Webvpn Tunnel Group Attributes

    Identifies the DNS server group that specifies the DNS server name, domain name, name server, number of retries, and timeout values
    hic-fail-group-policy | Specifies a VPN feature policy if you use the Cisco Secure Desktop Manager to set the Group-Based Policy attribute to “Use Failure Group-Policy” or “Use Success Group-Policy, if criteria match.”...
  • Page 707: Configuring Application Access

    Closing Application Access to Prevent hosts File Errors
    To prevent hosts file errors that can interfere with Application Access, close the Application Access window properly when you finish using Application Access. To do so, click the close icon.
  • Page 708: Recovering From Hosts File Errors When Using Application Access

    Microsoft anti-spyware software blocks changes that the port forwarding Java applet makes to the hosts file. See www.microsoft.com for information on how to allow hosts file changes when using anti-spyware software.
  • Page 709: Stopping Application Access Improperly

    • Restore from backup — WebVPN forces a proper shutdown. WebVPN copies the hosts.webvpn backup file to the hosts file, restoring it to its original state, then deletes hosts.webvpn. You then have to restart Application Access.
  • Page 710 Step 3 # added by WebVpnPortForward
    Step 4 Save and close the file.
    Step 5 Start WebVPN and log in. The home page appears.
    Step 6 Click the Application Access link.
  • Page 711: Configuring File Access

    Browse Networks on the WebVPN home page or toolbar (Figure 37-5).
    Figure 37-5 Browse Networks on the WebVPN Home Page and Floating Toolbar
  • Page 712 By default, the encoding type set on the remote browser determines the character set for WebVPN portal pages, so you need to set the character encoding only if it is necessary to ensure proper encoding on the browser.
  • Page 713: Configuring Access To Citrix Metaframe Services

    For a complete description of these commands, see the Cisco Security Appliance Command Reference.
    Configuring Access to Citrix MetaFrame Services
    WebVPN users can use a connection to the security appliance to access Citrix MetaFrame services.
  • Page 714: Using Webvpn With Pdas

    Unsupported WebVPN features:
    – Application Access (port forwarding) and other Java-dependent features
    – MAPI proxy
    – HTTP proxy
    – Cisco Secure Desktop (CSD does provide limited support for Microsoft Windows CE)
  • Page 715: Using E-Mail Over Webvpn

    name-separator | Defines the separator between the e-mail and VPN usernames and passwords. | “:” (colon)
    outstanding | Configures the maximum number of outstanding non-authenticated sessions.
    port | Sets the port the e-mail proxy listens to. | IMAP4S: 993, POP3S: 995, SMTPS: 988
  • Page 716: E-Mail Proxy Certificate Authentication

    • Enter the URL of the mail server in a browser in your WebVPN session.
    • When prompted, enter the e-mail server username in the format domain\username.
    • Enter the e-mail password.
  • Page 717: Optimizing Webvpn Performance

    Some web resources require highly individualized treatment. The following sections describe functionality that provides such treatment:
    • Configuring a Certificate for Signing Rewritten Java Content
    • Disabling Content Rewrite
    • Using Proxy Bypass
    • Configuring Application Profile Customization Framework
  • Page 718: Configuring A Certificate For Signing Rewritten Java Content

    If you want to use proxy bypass for all hr sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*. To configure proxy bypass, use the proxy-bypass command in webvpn mode.
  • Page 719: Configuring Application Profile Customization Framework

    Misuse of an APCF profile can result in reduced performance and undesired rendering of content. In most cases, Cisco Engineering supplies APCF profiles to solve specific application rendering issues. APCF profiles use XML format, and sed script syntax, with the XML tags in...
  • Page 720 TEXT The child element of the action tag. The TEXT must be a valid Sed script. The applies to the tag defined before it.
  • Page 721: Apcf Example

    The WebVPN end user interface consists of a series of HTML panels. A user logs on to WebVPN by entering the IP address of a security appliance interface in the format https://address. The first panel that displays is the login screen (Figure 37-6).
    Figure 37-6 WebVPN Login Screen
  • Page 722: Viewing The Webvpn Home Page

    Viewing the WebVPN Application Access Panel
    To start port forwarding, also called application access, a user clicks the Go button in the Application Access box. The Application Access window opens (Figure 37-8).
  • Page 723: Viewing The Floating Toolbar

    Viewing the Floating Toolbar
    The floating toolbar shown in Figure 37-9 represents the current WebVPN session.
    Figure 37-9 WebVPN Floating Toolbar
    Be aware of the following characteristics of the floating toolbar:
  • Page 724: Customizing Webvpn Pages

    Note: To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.
  • Page 725: Customizing The Webvpn Login Page

    To disallow a logo and prevent inheriting a logo, use the none option to set a null value.
    hostname(config-webvpn-custom)# logo file disk0:cisco_logo.gif
    Step 5 Change the title of the Login box using the login-title command:
    [no] login-title {text | style} value
  • Page 726: Customizing The Webvpn Logout Page

    The security appliance displays the WebVPN Logout page when WebVPN users log out of WebVPN service. Figure 37-11 shows the WebVPN Logout page and the associated CLI commands that you can use to customize the page.
  • Page 727: Customizing The Webvpn Home Page

    You can customize the appearance of the WebVPN Home page that the security appliance displays to authenticated WebVPN users. Figure 37-12 shows the WebVPN Home page and associated CLI commands that you can use to customize the page.
  • Page 728 Change the appearance of the Application Access box using the application-access command:
    [no] application-access {title | message} {text | style} value
    hostname(config-webvpn-custom)# application-access title text Applications
    hostname(config-webvpn-custom)# application-access title style color:blue
    hostname(config-webvpn-custom)# application-access message text Start Application
  • Page 729: Customizing The Application Access Window

    You can customize the Application Access window that launches when the remote user selects an application. Figure 37-13 shows the Application Access window and the associated CLI commands that you can use to customize it.
  • Page 730: Customizing The Prompt Dialogs

    The security appliance may send WebVPN users various prompt dialog messages as notices or warnings. Figure 37-14 shows a sample dialog message and the associated CLI commands you can use to customize the appearance of these messages.
  • Page 731: Applying Customizations To Tunnel Groups, Groups And Users

    To remove the command from the configuration, and remove a customization from the tunnel group, use the no form of the command.
  • Page 732: Requiring Usernames And Passwords

    Available configured customization profiles:
    DfltCustomization
    cisco
    hostname(config-group-webvpn)# customization value cisco
    In the next example, the user enters username webvpn mode and enables the customization cisco for the user cisco_employee:
    hostname(config)# username cisco_employee attributes
    hostname(config-username)# webvpn
    hostname(config-username-webvpn)# customization value cisco...
  • Page 733: Communicating Security Tips

    • WebVPN requirements, by feature
    • WebVPN supported applications
    • Client application installation and configuration requirements
    • Information you might need to provide end users
    • Tips and use suggestions for end users
  • Page 734 It is possible you have configured user accounts differently and that different WebVPN features are available to each user. Table 37-6 organizes information by feature, so you can skip over the information for unavailable features.
  • Page 735 For example: https://10.89.192.163 or https://cisco.example.com.
    WebVPN username and password
    [Optional] Local printer: WebVPN does not support printing from a web browser to a network printer. Printing to a local printer is supported.
  • Page 736 Also, depending on how you configured a particular account, it might be that:
    • Some websites are blocked
    • Only the websites that appear as links on the WebVPN Home page are available
  • Page 737 Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress. Interrupting the operation can cause an incomplete file to be saved on the server.
  • Page 738 Note: Clicking a URL (such as one in an e-mail message) in an application running over WebVPN does not open the site over WebVPN. To open a site over WebVPN, cut and paste the URL into the Enter WebVPN (URL) Address field.
  • Page 739: Capturing Webvpn Data

    The CLI capture command lets you log information about websites that do not display properly over a WebVPN connection. This data can help your Cisco customer support engineer troubleshoot problems. The following sections describe how to use the capture command: •...
  • Page 740: Creating A Capture File

    The capture utility creates a capture_name.zip file, which is encrypted with the password koleso. Step 3 Send the .zip file to Cisco Systems, or attach it to a Cisco TAC service request. To look at the contents of the .zip file, unzip it using the password koleso.
  • Page 741 Capturing WebVPN Data
    The captured content displays in a sniffer format.
    Step 4 When you finish examining the capture content, stop the capture by using the no version of the command.
  • Page 742 Chapter 37 Configuring WebVPN: Capturing WebVPN Data
  • Page 743: Installing Svc

    • Updating SVCs, page 38-8
    Installing SVC
    This section presents the platform requirements and the procedure for installing SVC.
    Platform Requirements
    The SVC requires Windows 2000 or Windows XP on the remote computer.
  • Page 744: Chapter 38 Configuring Ssl Vpn Client

    Reentering the show webvpn svc command shows the new order of the images:
    hostname(config-webvpn)# show webvpn svc
    1. disk0:/windows2.pkg 1
    CISCO STC win2k+ 1.0.0
    1,0,2,132
    Thu 08/25/2005 21:51:30.43
    2. disk0:/windows.pkg 2
    CISCO STC win2k+ 1.0.0
  • Page 745: Enabling Svc

    Step 6 Create and enable a group alias that displays in the group list on the WebVPN Login page using the group-alias command from tunnel group webvpn attributes mode: group-alias name enable Cisco Security Appliance Command Line Configuration Guide 38-3 OL-10088-01...
  • Page 746: Enabling Permanent Svc Installation

    To enable permanent SVC installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes: svc keep-installer {installed | none} no svc keep-installer {installed | none} Where: installed specifies the SVC is permanently installed on the remote computer. Cisco Security Appliance Command Line Configuration Guide 38-4 OL-10088-01...
  • Page 747: Enabling Rekey

    {[gateway {seconds | none}] | [client {seconds | none}]} Where: gateway seconds enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD. Cisco Security Appliance Command Line Configuration Guide 38-5 OL-10088-01...
  • Page 748: Enabling Keepalive

    It can also be set for specific groups or users with the svc compression command in group-policy and username webvpn modes. The global setting overrides the group-policy and username settings. Cisco Security Appliance Command Line Configuration Guide 38-6 OL-10088-01...
  • Page 749: Viewing Svc Sessions

    Client Ver : Cisco STC 1.1.0.117 Client Type : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461) Group : DfltGrpPolicy Login Time : 14:32:03 UTC Wed Apr 20 2005 Duration : 0h:00m:04s Cisco Security Appliance Command Line Configuration Guide 38-7 OL-10088-01...
  • Page 750: Logging Off Svc Sessions

    If the new filenames are different, uninstall the old files using the no svc image command. Then use the svc image command to assign an order to the SVC images and cause the security appliance to load the new SVC images. Cisco Security Appliance Command Line Configuration Guide 38-8 OL-10088-01...
  • Page 751: Public Key Cryptography

    This process relies on the receiver having a copy of the public key of the sender and having a high degree of certainty that this key belongs to the sender, not to someone pretending to be the sender.
  • Page 752: C H A P T E R 39 Configuring Certificates

    Using separate signing and encryption keys helps reduce exposure of the keys: SSL uses a key for encryption but not for signing, whereas IKE uses a key for signing but not for encryption. With a separate key for each use, the exposure of either key is minimized.
  • Page 753: About Trustpoints

    ... CA is unavailable to provide updated CRL data. The security appliance can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a length of time that is configurable per trustpoint.
  • Page 754: About Ocsp

    ... OCSP responder certificate to validate the responder certificate. The same applies to configuring validation of responder certificates that are external to the validation path of the client certificate.
  • Page 755: Supported Ca Servers

    Before you configure a security appliance with certificates, ensure that the security appliance is configured properly to support certificates (an accurate clock matters here, since certificate validity periods are checked against it). An improperly configured security appliance can cause enrollment to fail, or can cause enrollment to request a certificate containing inaccurate information.
  • Page 756: Configuring Key Pairs

    RSA general-purpose key:
    hostname/contexta(config)# show crypto key mypubkey
    Key pair was generated at: 16:39:47 central Feb 10 2005
    Key name:
    Usage: General Purpose Key
    Modulus Size (bits): 1024
    Key Data: ...
  • Page 757: Removing Key Pairs

    • To specify manual enrollment, use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal.
  • Page 758 Step 3 As needed, specify other characteristics for the trustpoint. The characteristics you need to define depend upon your CA and its configuration. You can specify characteristics for the trustpoint using the following commands. Refer to the Cisco Security Appliance Command Reference for complete descriptions and usage guidelines of these commands. •...
  • Page 759: Obtaining Certificates

    To obtain certificates with SCEP, perform the following steps:
    Step 1 Obtain the CA certificate for the trustpoint you configured.
    hostname/contexta(config)# crypto ca authenticate trustpoint
    For example, using a trustpoint named Main, which represents a subordinate CA: ...
  • Page 760 Note: If your security appliance reboots after you issued the crypto ca enroll command but before you received the certificate, reissue the crypto ca enroll command and notify the CA administrator.
  • Page 761: Obtaining Certificates Manually

    ... Main, which is configured to use manual enrollment and general-purpose RSA keys for signing and encryption.
    hostname(config)# crypto ca enroll Main
    % Start certificate enrollment ..
  • Page 762 The output of this command shows the details of the certificate issued for the security appliance and the CA certificate for the trustpoint.
    Step 7 Save the configuration using the write memory command:
    hostname/contexta(config)# write memory
  • Page 763: Configuring Crls For A Trustpoint

    Step 7 Configure how long the security appliance caches CRLs for the current trustpoint. To specify the number of minutes the security appliance waits before considering a CRL stale, enter the following command:
    hostname/contexta(config-ca-crl)# cache-time n
  • Page 764: Exporting And Importing Trustpoints

    Note: ... configured the security appliance to use DNS. For information about configuring DNS, see the dns commands in the Cisco Security Appliance Command Reference.
    If the LDAP server requires credentials to permit CRL retrieval, enter the following command:
    hostname/contexta(config-ca-crl)# ldap-dn admin-DN password ...
  • Page 765: Exporting A Trustpoint Configuration

    ... CA certificate map, which can contain many rules. For more information about using CA certificate map rules with tunnel groups, see the “Creating a Certificate Group Matching Rule and Policy” section on page 27-10.
  • Page 766 ... No part of the field or attribute can match the value given. For more information about the issuer-name and subject-name commands, see the Cisco Security Appliance Command Reference.
    The following example specifies that any attribute within the Issuer field must contain the string cisco:
    hostname(config-ca-cert-map)# issuer-name co cisco
    hostname(config-ca-cert-map)#
    The following example specifies that within the Subject field an Organizational Unit attribute must exactly match the string Engineering: ...
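The certificate map rules on pages 765 and 766 decide which tunnel group a client certificate lands in, so it is worth being able to dry-run them against a DN before a misconfigured rule lets the wrong certificate through. The script below is an added example, not Cisco's code: it models issuer-name and subject-name rules with the eq, ne, co and nc operators, applied either to the whole field or to one attribute (the attr ou eq Engineering form). It assumes case-insensitive comparison, that every rule in a map must match for the map to match, and DNs given as comma-separated KEY=value strings; the sample rules and certificates are constructed.

```python
"""Evaluate ASA certificate map rules against a certificate's issuer and subject.

Added example (not Cisco's code). Models issuer-name / subject-name rules
with the operators eq (equals), ne (does not equal), co (contains) and
nc (does not contain), on the whole field or on one attribute. Assumptions:
comparisons are case-insensitive, all rules in a map must match, and DNs are
comma-separated "KEY=value" strings. Sample rules and certs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    field: str            # "issuer-name" or "subject-name"
    attr: Optional[str]   # attribute such as "ou", or None for the whole field
    op: str               # eq | ne | co | nc
    value: str


def parse_rule(line: str) -> Rule:
    """Parse one rule as typed in crypto ca certificate map configuration."""
    p = line.split()
    if p[0] not in ("issuer-name", "subject-name"):
        raise ValueError(f"unknown field {p[0]!r}")
    if p[1] == "attr":
        attr, op, value = p[2].lower(), p[3], " ".join(p[4:])
    else:
        attr, op, value = None, p[1], " ".join(p[2:])
    if op not in ("eq", "ne", "co", "nc"):
        raise ValueError(f"unknown operator {op!r}")
    return Rule(p[0], attr, op, value)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=asa1, OU=Engineering' -> [('cn', 'asa1'), ('ou', 'Engineering')]"""
    pairs = []
    for rdn in dn.split(","):
        key, _, val = rdn.strip().partition("=")
        pairs.append((key.strip().lower(), val.strip()))
    return pairs


def _compare(op: str, actual: str, wanted: str) -> bool:
    a, w = actual.lower(), wanted.lower()
    return {"eq": a == w, "ne": a != w, "co": w in a, "nc": w not in a}[op]


def rule_matches(rule: Rule, cert: dict) -> bool:
    """cert is {'issuer-name': DN string, 'subject-name': DN string}."""
    field = cert[rule.field]
    if rule.attr is None:
        return _compare(rule.op, field, rule.value)
    values = [v for k, v in parse_dn(field) if k == rule.attr]
    if rule.op in ("eq", "co"):
        # a positive test passes if any instance of the attribute matches
        return any(_compare(rule.op, v, rule.value) for v in values)
    # ne / nc: no instance of the attribute may match the value
    return all(_compare(rule.op, v, rule.value) for v in values)


def map_matches(rules: List[Rule], cert: dict) -> bool:
    """Assumption: a map entry matches only when every rule in it matches."""
    return all(rule_matches(r, cert) for r in rules)


# Constructed sample rules (the two from the guide) and two made-up certificates.
SAMPLE_RULES = [
    parse_rule("issuer-name co cisco"),
    parse_rule("subject-name attr ou eq Engineering"),
]
ENGINEERING_CERT = {
    "issuer-name": "CN=Cisco Test CA, O=Cisco Systems, C=US",
    "subject-name": "CN=asa1.example.com, OU=Engineering, O=Example Corp",
}
SALES_CERT = {
    "issuer-name": "CN=Cisco Test CA, O=Cisco Systems, C=US",
    "subject-name": "CN=laptop7.example.com, OU=Sales, O=Example Corp",
}

if __name__ == "__main__":
    print("engineering cert matches:", map_matches(SAMPLE_RULES, ENGINEERING_CERT))
    print("sales cert matches:", map_matches(SAMPLE_RULES, SALES_CERT))
```

Feed it the exact issuer and subject strings from the certificates you intend to admit and the ones you intend to reject; a rule that matches both is the one to tighten.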
  • Page 767 PART System Administration
  • Page 769: Allowing Telnet Access

    Step 2 (Optional) To set the duration for how long a Telnet session can be idle before the security appliance disconnects the session, enter the following command:
    hostname(config)# telnet timeout minutes
    Telnet carries the login credentials and the whole session in cleartext; prefer SSH for management, and if Telnet must stay enabled, limit it to trusted source addresses on an internal interface.
  • Page 770: Chapter 40 Managing System Access

    Step 3 To identify the IP addresses from which the security appliance accepts connections, enter the following command for each address or subnet:
    hostname(config)# ssh source_IP_address mask source_interface
  • Page 771: Using An Ssh Client

    All of these tasks are completed if you use the setup command. This section describes how to manually configure ASDM access. The security appliance allows a maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances across all contexts.
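The telnet and ssh commands on pages 769 and 770 are the whole management allow-list, so a review should answer two questions quickly: would a given connection be accepted, and is anything open wider than intended. The script below is an added example, not Cisco's code. It reads telnet/ssh rules and their timeout lines from a constructed running-config excerpt, evaluates a management connection against them, and flags Telnet (cleartext) wherever it is permitted and any rule that admits every source address. The interface names and addresses are invented.

```python
"""Evaluate and audit ASA telnet/ssh management allow-lists.

Added example (not Cisco's code). Parses 'telnet|ssh ADDR MASK IFACE' and
'telnet|ssh timeout MINUTES' lines from a constructed config excerpt, answers
whether a management connection is accepted, and lists review findings.
"""
import ipaddress

# Constructed configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 203.0.113.7 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 dmz
ssh timeout 10
"""


def parse_mgmt_rules(config):
    """Return ([(proto, network, interface), ...], {proto: idle_minutes})."""
    rules = []
    timeouts = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("telnet", "ssh"):
            continue
        if parts[1] == "timeout":
            timeouts[parts[0]] = int(parts[2])
        elif len(parts) == 4:
            proto, addr, mask, iface = parts
            # ipaddress accepts dotted netmasks: "10.1.1.0/255.255.255.0"
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((proto, net, iface))
    return rules, timeouts


def is_permitted(rules, proto, src_ip, iface):
    """True if a proto connection from src_ip arriving on iface matches a rule."""
    src = ipaddress.ip_address(src_ip)
    return any(p == proto and i == iface and src in net for p, net, i in rules)


def audit(rules):
    """List the findings a security review of the allow-list would raise."""
    findings = []
    for proto, net, iface in rules:
        if proto == "telnet":
            findings.append(f"telnet (cleartext) permitted from {net} on {iface}")
        if net.prefixlen == 0:
            findings.append(f"{proto} permitted from any source on {iface}")
    return findings


if __name__ == "__main__":
    rules, timeouts = parse_mgmt_rules(SAMPLE_CONFIG)
    print("idle timeouts:", timeouts)
    print("ssh from 10.1.1.20 on inside:", is_permitted(rules, "ssh", "10.1.1.20", "inside"))
    for finding in audit(rules):
        print("FINDING:", finding)
```

Run it over the output of show running-config telnet and show running-config ssh from a real unit; the audit list is what to take to the change owner.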
  • Page 772: Configuring Aaa For System Administrators

    • Configuring Authentication To Access Privileged EXEC Mode, page 40-5
    • Configuring Command Authorization, page 40-7
    • Configuring Command Accounting, page 40-14
    • Viewing the Current Logged-In User, page 40-14
    • Recovering from a Lockout, page 40-15
  • Page 773: Configuring Authentication For Cli Access

    This section includes the following topics:
    • Configuring Authentication for the Enable Command, page 40-6
    • Authenticating Users Using the Login Command, page 40-6
  • Page 774: Configuring Authentication For The Enable Command

    To log in as a user from the local database, enter the following command:
    hostname> login
    The security appliance prompts for your username and password. After you enter your password, the security appliance places you in the privilege level that the local database specifies.
  • Page 775: Configuring Command Authorization

    • Local Command Authorization Prerequisites, page 40-8
    • Default Command Privilege Levels, page 40-8
    • Assigning Privilege Levels to Commands and Enabling Authorization, page 40-8
    • Viewing Command Privilege Levels, page 40-10
  • Page 776 ... [show | clear | cmd] level level [mode {enable | cmd}] command command
    Repeat this command for each command you want to reassign. See the following information about the options in this command: ...
  • Page 777 This example shows an additional command, the configure command, that uses the mode keyword:
    hostname(config)# privilege show level 5 mode cmd command configure
    hostname(config)# privilege clear level 15 mode cmd command configure
    hostname(config)# privilege cmd level 15 mode cmd command configure
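The privilege command on pages 776 and 777 splits one keyword into show, clear and cmd forms, optionally per mode, and local command authorization then compares the user's level (the one show curpriv reports) with the level assigned to that form. The script below is an added example, not Cisco's code, that models that lookup so a privilege table can be checked before it is applied. It makes two assumptions: a rule without a mode keyword applies in every mode, and a command with no rule at all requires level 15. The three privilege lines are the guide's; the running-config and mode enable lines are invented to show the mode distinction.

```python
"""Model ASA local command authorization by privilege level.

Added example (not Cisco's code). Parses
  privilege {show|clear|cmd} level N [mode {enable|cmd}] command NAME
and decides whether a user at a given level may run a typed command in a
given mode. Assumptions: no mode keyword means the rule applies in every
mode; commands without a rule require DEFAULT_LEVEL.
"""

DEFAULT_LEVEL = 15  # assumption for commands that have no privilege rule

# Constructed excerpt: the three lines from the guide plus two invented ones.
SAMPLE_CONFIG = """\
privilege show level 5 mode cmd command configure
privilege clear level 15 mode cmd command configure
privilege cmd level 15 mode cmd command configure
privilege show level 3 command running-config
privilege cmd level 5 mode enable command configure
"""


def parse_privilege(config):
    """Return {(kind, mode_or_None, command_name): level}."""
    table = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "privilege" or p[2] != "level":
            continue
        kind, level = p[1], int(p[3])
        mode = None
        i = 4
        if p[i] == "mode":
            mode, i = p[i + 1], i + 2
        if p[i] != "command":
            continue
        table[(kind, mode, p[i + 1])] = level
    return table


def classify(typed):
    """Split a typed command into (kind, name) the way the rules are keyed."""
    words = typed.split()
    if words[0] in ("show", "clear") and len(words) > 1:
        return words[0], words[1]
    return "cmd", words[0]


def required_level(table, typed, mode):
    """Mode-specific rule first, then a mode-less rule, then the default."""
    kind, name = classify(typed)
    for key in ((kind, mode, name), (kind, None, name)):
        if key in table:
            return table[key]
    return DEFAULT_LEVEL


def authorized(table, typed, mode, user_level):
    """Local authorization: the user's level must reach the command's level."""
    return user_level >= required_level(table, typed, mode)


if __name__ == "__main__":
    table = parse_privilege(SAMPLE_CONFIG)
    for typed, mode, lvl in [("show configure", "cmd", 5), ("clear configure", "cmd", 5)]:
        print(f"level {lvl} user, '{typed}' in {mode} mode:", authorized(table, typed, mode, lvl))
```

The same check is a useful pre-flight before aaa authorization command LOCAL is turned on: run every command an operator role needs through authorized() at that role's level and look for False.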
  • Page 778: Configuring Tacacs+ Command Authorization

    If you enable TACACS+ command authorization and a user enters a command at the CLI, the security appliance sends the command and username to the TACACS+ server to determine whether the command is authorized.
  • Page 779 ... 40-5). Configuring Commands on the TACACS+ Server: You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.
  • Page 780 For example, to allow enable but not enable password, enter enable in the commands box and deny password in the arguments box. Be sure to select the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 40-3).
  • Page 781 We recommend that you allow the following basic commands for all users:
    – show checksum
    – show curpriv
    – enable
    – help
    – show history
    – login
    – logout
    – pager
  • Page 782: Configuring Command Accounting

    See the following sample show curpriv command output. A description of each field follows.
    hostname# show curpriv
    Username : admin
    Current privilege level : 15
    Current Mode/s : P_PRIV
  • Page 783: Recovering From A Lockout

    Configure the local database as a fallback method so that you do not get locked out when the AAA server is down.
  • Page 784: Configuring A Login Banner

    To add more than one line, precede each line with the banner command. For example, to add a message-of-the-day banner, enter:
    hostname(config)# banner motd Welcome to $(hostname).
    hostname(config)# banner motd Contact me at [email protected] for any
    hostname(config)# banner motd issues.
  • Page 785: Managing Licenses

    To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. After obtaining the Product Authorization Key, register it on the Web to obtain an activation key by performing the following steps: ...
  • Page 786: C H A P T E R 41 Managing Software, Licenses, And Configurations

    Viewing Files in Flash Memory
    http://www.cisco.com/go/license
    Use the following website if you are not a registered user of Cisco.com:
    http://www.cisco.com/go/license/public
    Step 3 Enter the following information, when prompted:
    • Your Product Authorization Key ...
  • Page 787: Downloading Software Or Configuration Files To Flash Memory

    ... 38-2. For information about installing Cisco Secure Desktop on the security appliance, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators. To configure the security appliance to use a specific application image or ASDM image if you have more than one installed, or have installed them in external Flash memory, see the “Configuring the Application ...
  • Page 788: Downloading A File To The Startup Or Running Configuration

    • To copy from an FTP server, enter the following command:
    hostname# copy ftp://[user[:password]@]server[/path]/filename {startup-config | running-config}
    • To copy from an HTTP or HTTPS server, enter the following command:
    hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename {startup-config | running-config}
    FTP and plain HTTP carry both the credentials and the file in cleartext; use HTTPS where the server supports it, and remember that a password embedded in the URL remains visible in the session's command history.
  • Page 789: Configuring The Application Image And Asdm Image To Boot

    By default, the security appliance boots from a startup configuration that is a hidden file. You can alternatively set any configuration to be the startup configuration by entering the following command:
    hostname(config)# boot config {flash:/ | disk0:/ | disk1:/}[path/]filename
  • Page 790: Performing Zero Downtime Upgrades For Failover Pairs

    ... “Configuring the Application Image and ASDM Image to Boot” section on page 41-5).
    Step 2 Reload the standby unit to boot the new image by entering the following command on the active unit:
    active# failover reload-standby
  • Page 791: Upgrading An Active/Active Failover Configuration

    Step 5 Make sure both failover groups are in the Standby Ready state on the primary unit, and then reload the primary unit using the following command:
    primary# reload
  • Page 792: Backing Up Configuration Files

    • ... hostname# copy disk:[path/]filename tftp://server[/path]/filename
    • To copy to an FTP server, enter the following command:
    hostname# copy disk:[path/]filename ftp://[user[:password]@]server[/path]/filename
    • To copy to local Flash memory, enter the following command: ...
    A configuration backup contains the enable and user password hashes and any VPN pre-shared keys, and TFTP and FTP transfer it in cleartext, so move it only across a management network you trust and protect the stored copy.
  • Page 793: Backing Up A Context Configuration Within A Context

    • Configuring Client Updates as an Auto Update Server, page 41-11
    • Viewing Auto Update Status, page 41-12
    Configuring Communication with an Auto Update Server: To configure the security appliance as an Auto Update client, perform the following steps: ...
  • Page 794 ... Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are daily (Monday through Sunday), weekdays (Monday through Friday), and weekend (Saturday and Sunday).
  • Page 795: Configuring Client Updates As An Auto Update Server

    Step 2 Configure the parameters for the client update that you want to apply to the security appliances, using the client-update command:
    client-update {component {asdm | image} | device-id dev_string | family family_name | type type} url url-string rev-nums rev-nums
  • Page 796: Viewing Auto Update Status

    The following example configures a client update for Cisco ASA 5520 Adaptive Security Appliances:
    hostname(config)# client-update type asa5520 component asdm url http://192.168.1.114/aus/asdm501.bin rev-nums 7.2(1)
    This example fetches the image over plain HTTP, which neither encrypts nor authenticates the download in transit, so the Auto Update server and the path to it must be trusted.
  • Page 797 Configuring Auto Update Support (continued)
    Last poll: 11:36:46 PST Tue Nov 13 2004
    Last PDM update: 23:36:46 PST Tue Nov 12 2004
  • Page 798 Chapter 41 Managing Software, Licenses, and Configurations, Configuring Auto Update Support (no further text on this page)
  • Page 799: Using Snmp

    ... SNMP V1, MIB-II compliant browser to receive SNMP traps and browse a MIB. Table 42-1 lists supported MIBs and traps for the security appliance and, in multiple mode, for each context. You can download Cisco MIBs from the following website:
    http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
    After you download the MIBs, compile them for your NMS.
  • Page 800: C H A P T E R 42 Monitoring The Security Appliance

    ... The security appliance supports browsing of the MIB. The security appliance supports browsing of the following traps:
    • session-threshold-exceeded
    CISCO-CRYPTO-ACCELERATOR-MIB: The security appliance supports browsing of the MIB.
    ALTIGA-GLOBAL-REG: The security appliance supports browsing of the MIB.
  • Page 801: Enabling Snmp

    The SNMP community string is a shared secret between the security appliance and the NMS. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted. With SNMP version 1 the community string travels in cleartext in every request, so choose it as you would a password, never leave a default in place, and restrict the hosts that may use it with the snmp-server host command.
    Step 4 (Optional) To set the SNMP server location or contact information, enter the following command: ...
  • Page 802 The following example sets the security appliance to receive requests from host 192.168.3.2 on the inside interface:
    hostname(config)# snmp-server host 192.168.3.2
    hostname(config)# snmp-server location building 42
    hostname(config)# snmp-server contact Pat lee
    hostname(config)# snmp-server community ohwhatakeyisthee
  • Page 803: Configuring And Managing Logs

    ... ID. For more information about enabling logging device IDs, see the “Including the Device ID in System Log Messages” section on page 42-19.
  • Page 804: Enabling And Disabling Logging

    Buffer logging: disabled
    Trap logging: level errors, facility 16, 3607 messages logged
        Logging to infrastructure 10.1.2.3
    History logging: disabled
    Device ID: 'inside' interface IP address "10.1.1.1"
    Mail logging: disabled
    ASDM logging: disabled
  • Page 805: Configuring Log Output Destinations

    ... UDP or TCP, but not both. If you specify TCP, the security appliance discovers when the syslog server fails and discontinues sending logs. If you ...
  • Page 806: Sending System Log Messages To The Console Port

    You can specify the severity level number (0 through 7) or name. For severity level names, see the “Severity Levels” section on page 42-23. The level is a ceiling: for example, if you set the level to 3, then the security appliance sends system log messages of levels 3, 2, 1, and 0.
  • Page 807: Sending System Log Messages To An E-Mail Address

    Step 3 Specify the recipient e-mail address to be used when sending system log messages to an e-mail destination. You can configure up to five recipient addresses. You must enter each recipient separately. To specify a recipient address, enter the following command: ...
  • Page 808: Sending System Log Messages To Asdm

    The message_list argument specifies a customized message list that identifies the system log messages to send to ASDM. For information about creating custom message lists, see the “Filtering System Log Messages with Custom Message Lists” section on page 42-17.
  • Page 809: Sending System Log Messages To A Telnet Or Ssh Session

    The message_list argument specifies a customized message list that identifies the system log messages to send to the session. For information about creating custom message lists, see the “Filtering System Log Messages with Custom Message Lists” section on page 42-17.
  • Page 810: Sending System Log Messages To The Log Buffer

    ... Messages with Custom Message Lists” section on page 42-17. For example, to specify that messages with severity levels 1 and 2 should be saved in the log buffer, enter one of the following commands: ...
  • Page 811 Automatically Saving the Full Log Buffer to an FTP Server: See the “Saving the Current Contents of the Log Buffer to Internal Flash Memory” section for more information about saving the buffer.
  • Page 812: Filtering System Log Messages

    This section describes how to specify which system log messages should go to output destinations, and includes the following topics:
    • Message Filtering Overview, page 42-15
    • Filtering System Log Messages by Class, page 42-15
    • Filtering System Log Messages with Custom Message Lists, page 42-17
  • Page 813: Message Filtering Overview

    ... ID numbers. For example, all system log message IDs that begin with the digits 611 are associated with the vpnc (VPN client) class. System log messages associated with the VPN client feature range from 611101 to 611323.
  • Page 814 Table 42-2 (continued): message classes and the message ID prefixes associated with each. Only these rows survive on this page; cells lost in extraction are marked as cut off.
    Class | Description | Message ID prefixes
    (cut off) | SNMP | (cut off)
    vpdn | PPTP and L2TP Sessions | 213, 403, 603
    (cut off) | IKE and IPSec | 316, 320, 402, 404, 501, 602, 702, 713, 714, 715
    ospf | OSPF Routing | 318, 409, 503, 613
    (cut off) | Network Processor | (cut off)
  • Page 815: Filtering System Log Messages With Custom Message Lists

    ... 3, then the security appliance sends system log messages for levels 3, 2, 1, and 0. The class message_class argument specifies a particular message class. See Table 42-2 on page 42-16 for a list of class names.
  • Page 816: Customizing The Log Configuration

    • Disabling a System Log Message, page 42-20
    • Changing the Severity Level of a System Log Message, page 42-21
    • Changing the Amount of Internal Flash Memory Available for Logs, page 42-22
  • Page 817: Configuring The Logging Queue

    The Cisco ASA has a fixed number of blocks in memory that can be allocated for buffering system log messages while they are waiting to be sent to the configured output destination. The number of blocks required depends on the length of the system log message queue and the number of syslog servers specified.
  • Page 818: Generating System Log Messages In Emblem Format

    ... EMBLEM formatting for messages sent to the syslog server. The Cisco ASA can send system log messages using either the UDP or TCP protocol; however, you can enable the EMBLEM format only for messages sent over UDP. The default protocol and port are UDP/514.
  • Page 819: Changing The Severity Level Of A System Log Message

    ... 403503
    hostname(config)# show logging message 403503
    syslog 403503: default-level errors, current-level alerts (disabled)
    hostname(config)# logging message 403503
    hostname(config)# show logging message 403503
    syslog 403503: default-level errors, current-level alerts (enabled)
  • Page 820: Changing The Amount Of Internal Flash Memory Available For Logs

    The following example specifies that the minimum amount of free internal Flash memory must be 4000 KB before the security appliance can save a new log file:
    hostname(config)# logging flash-minimum-free 4000
  • Page 821: Understanding System Log Messages

    ... Level Message_number: Message_text
    Field descriptions are as follows:
    PIX|ASA: Identifies the system log message facility code for messages generated by the Cisco ASA. This value is always PIX|ASA.
    Level: 1-7. The level reflects the severity of the condition described by the system log message. ...
  • Page 822 Chapter 42 Monitoring the Security Appliance, Configuring and Managing Logs (no further text on this page)
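Pages 806, 813, 815 and 821 together define how a message is identified and which ones a destination receives: the severity is a ceiling, the class comes from the first digits of the message ID, and a custom message list combines level, class and ID-range entries. The script below is an added example, not Cisco's code, that parses messages in the %PIX|ASA-Level-Message_number: Message_text form and applies those filters, so a logging list can be tested against sample lines before it is attached to a destination. The leading % and the hyphen separators are assumed from real appliance output (the page shows only the field names); the class table holds the rows whose class names survive on page 814 plus vpnc (611) from page 813; the message-range form of logging list is taken from the command reference; and the sample messages and lists are constructed.

```python
"""Parse ASA system log messages and apply severity, class and custom-list filters.

Added example (not Cisco's code). Message form assumed from real output:
%PIX|ASA-Level-Message_number: Message_text. Class is derived from the first
three digits of the ID (rows from Table 42-2 with surviving class names, plus
vpnc). List semantics: a level is a ceiling, an optional class narrows it,
and a 'message' entry admits an ID range. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CLASS_PREFIXES = {
    "vpdn": ("213", "403", "603"),
    "ospf": ("318", "409", "503", "613"),
    "vpnc": ("611",),
}
SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LINE_RE = re.compile(r"^%(PIX|ASA)-(\d)-(\d{6}): (.*)$")


@dataclass
class Syslog:
    facility: str
    level: int
    msg_id: int
    text: str

    @property
    def msg_class(self) -> Optional[str]:
        prefix = str(self.msg_id)[:3]
        for cls, prefixes in CLASS_PREFIXES.items():
            if prefix in prefixes:
                return cls
        return None


def parse_syslog(line: str) -> Optional[Syslog]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Syslog(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))


def severity(token: str) -> int:
    """Accept either the level number or its name, as the logging commands do."""
    return SEVERITY_NAMES[token] if token in SEVERITY_NAMES else int(token)


def parse_logging_lists(config: str) -> dict:
    """logging list NAME level LEVEL [class CLASS]  |  logging list NAME message LO[-HI]"""
    lists = {}
    for line in config.splitlines():
        p = line.split()
        if p[:2] != ["logging", "list"] or len(p) < 5:
            continue
        entries = lists.setdefault(p[2], [])
        if p[3] == "level":
            cls = p[6] if len(p) > 6 and p[5] == "class" else None
            entries.append(("level", severity(p[4]), cls))
        elif p[3] == "message":
            lo, _, hi = p[4].partition("-")
            entries.append(("message", int(lo), int(hi or lo)))
    return lists


def matches_list(msg: Syslog, entries) -> bool:
    """A message is selected when any entry of the list admits it."""
    for kind, a, b in entries:
        if kind == "level" and msg.level <= a and (b is None or msg.msg_class == b):
            return True
        if kind == "message" and a <= msg.msg_id <= b:
            return True
    return False


def select(lines: List[str], entries) -> List[int]:
    """Return the IDs of the messages in lines that the list admits."""
    msgs = (parse_syslog(line) for line in lines)
    return [m.msg_id for m in msgs if m is not None and matches_list(m, entries)]


# Constructed sample input: IDs chosen to fall in the classes above, text invented.
SAMPLE_LINES = [
    "%ASA-3-611313: constructed vpnc message at level 3",
    "%ASA-6-611101: constructed vpnc message at level 6",
    "%ASA-5-403500: constructed vpdn message at level 5",
    "%ASA-3-318001: constructed ospf message at level 3",
    "%ASA-2-106001: constructed message with no class in the table",
    "not a syslog line",
]
SAMPLE_LISTS = parse_logging_lists("""\
logging list vpn-problems level errors class vpnc
logging list vpn-problems message 403500-403503
logging list crit-any level 2
""")

if __name__ == "__main__":
    for name, entries in SAMPLE_LISTS.items():
        print(name, "->", select(SAMPLE_LINES, entries))
```

A plain level entry with no class behaves exactly like the destination-level setting on page 806; the class and message entries are what make a custom list tighter than a bare severity ceiling.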
  • Page 823: Testing Your Configuration

    To enable debugging and system messages, perform the following steps:
    Step 1 To show ICMP packet information for pings to the security appliance interfaces, enter the following command:
    hostname(config)# debug icmp trace
  • Page 824: C H A P T E R 43 Troubleshooting The Security Appliance

    You will use this information for this procedure as well as for the procedure in the “Pinging Through the Security Appliance” section on page 43-4. For example: ...
  • Page 825 ... ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
    If the ping reply does not return to the router, then you might have a switch loop or redundant IP addresses (see Figure 43-3).
  • Page 826: Pinging Through The Security Appliance

    For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC. To ping between hosts on different interfaces, perform the following steps: ...
  • Page 827: Disabling The Test Configuration

    ... (305009 or 305011) and that an ICMP connection was established (302020). You can also enter the show xlate and show conn commands to view this information. If the ping fails in transparent mode, contact Cisco TAC. For routed mode, the ping might fail because NAT is not configured correctly (see Figure 43-5).
  • Page 828: Traceroute

    ... AAA settings. You can also disable password recovery for extra security. This section includes the following topics:
    • Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance, page 43-7 ...
  • Page 829: Performing Password Recovery For The Asa 5500 Series Adaptive Security Appliance

    Step 12 hostname# configure terminal
    Step 13 Change the passwords in the configuration by entering the following commands, as necessary:
    hostname(config)# password password
    hostname(config)# enable password password
    hostname(config)# username name password password
  • Page 830: Password Recovery For The Pix 500 Series Security Appliance

    Step 7 At the “Do you wish to erase the passwords?” prompt, enter Y. You can now log in with the default login password of “cisco” and the blank enable password. Set new passwords before returning the unit to service, because anyone with console or Telnet access can otherwise log in with those defaults. The following example shows the PIX password recovery with the TFTP server on the outside interface:
    monitor> ...
  • Page 831: Disabling Password Recovery

    Success rate is 100 percent (5/5)
    monitor> tftp
    tftp [email protected] via 10.21.1.1........
    Received 73728 bytes
    Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005
    Flash=i28F640J5 @ 0x300
    BIOS Flash=AT29C257 @ 0xd8000
    Do you wish to erase the passwords? [yn] y
    Passwords have been erased.
  • Page 832: Other Troubleshooting Tools

    Viewing the Crash Dump: If the security appliance crashes, you can view the crash dump information. We recommend contacting Cisco TAC if you want to interpret the crash dump. See the show crashdump command in the Cisco Security Appliance Command Reference.
  • Page 833 Possible Cause: You did not enable the feature that allows traffic to pass between interfaces on the same security level.
    Recommended Action: Enable this feature according to the “Allowing Communication Between Interfaces on the Same Security Level” section on page 7-6.
  • Page 834 Chapter 43 Troubleshooting the Security Appliance, Common Problems (no further text on this page)
  • Page 835 PART Reference
  • Page 837: Supported Platforms And Feature Licenses

    Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 838: A P P E N D I X A Feature Licenses And Specifications

    If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 3. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 839 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 840 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections. Cisco Security Appliance Command Line Configuration Guide OL-10088-01...
  • Page 841 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 842 If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 843 1. This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 844 1. This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model. 2. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.
  • Page 845: Security Services Module Support

    SSMs supported by each platform: Table A-9 SSM Support (Platform: SSM Models). ASA 5505: No support. ASA 5510: AIP SSM 10, AIP SSM 20, CSC SSM 10, CSC SSM 20, 4GE SSM.
  • Page 846: VPN Specifications

    No support 1. The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.
  • Page 847: Cisco VPN Client Support

    Appendix A Feature Licenses and Specifications VPN Specifications Cisco VPN Client Support The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-10. Table A-10 Cisco VPN Client Support Client Type Client Versions SSL VPN clients Cisco SSL VPN client, Version 1.1 or higher...
  • Page 848: Cryptographic Standards

    MD5—128 bits SHA-1—160 bits X.509 certificate authorities Cisco IOS software Baltimore UniCERT Entrust Authority iPlanet/Netscape CMS Microsoft Certificate Services RSA Keon VeriSign OnSite X.509 certificate enrollment methods SCEP PKCS #7 and #10
  • Page 849: Example 1: Multiple Mode Firewall With Outside Access

    The admin context allows SSH sessions to the security appliance from one host. Although inside IP addresses can be the same across contexts when the interfaces are unique, keeping them unique is easier to manage.
  • Page 850: Appendix B Sample Configuration

    You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode. hostname Farscape password passw0rd enable password chr1cht0n mac-address auto
  • Page 851 This is the context for customer B allocate-interface gigabitethernet 0/0.3 allocate-interface gigabitethernet 0/1.6 config-url disk0://contextb.cfg member silver context customerC description This is the context for customer C allocate-interface gigabitethernet 0/0.3 allocate-interface gigabitethernet 0/1.7-gigabitethernet 0/1.8 config-url disk0://contextc.cfg member bronze
  • Page 852: Example 1: Admin Context Configuration

    ! This context uses dynamic PAT for inside users that access the outside. The outside ! interface address is used for the PAT address global (outside) 1 interface Example 1: Customer B Context Configuration interface gigabitethernet 0/0.3 nameif outside security-level 0 ip address 209.165.201.4 255.255.255.224
  • Page 853: Example 1: Customer C Context Configuration

    MANAGE remark Allows the management host to use pcAnywhere on the Websense server access-list MANAGE extended permit tcp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-data access-list MANAGE extended permit udp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-status access-group MANAGE in interface outside
  • Page 854: Example 2: Single Mode Firewall Using Same Security Level

    Syslog Server 192.168.2.2 dept2 10.1.2.1 Department 2 10.1.2.2 192.168.1.1 Department 2 Network 2 passwd g00fba11 enable password gen1u$ hostname Buster asdm image disk0:/asdm.bin boot system disk0:/image.bin interface gigabitethernet 0/0 nameif outside security-level 0
  • Page 855 1 ipsec-isakmp dynamic vpn_client crypto map telnet_tunnel interface outside ip local pool client_pool 10.1.1.2 access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 10.1.1.2 telnet 10.1.1.2 255.255.255.255 outside telnet timeout 30 logging trap 5
  • Page 856: Example 3: Shared Resources For Multiple Contexts

    Mail Server Syslog Server 10.1.1.6 10.1.1.7 10.1.1.8 See the following sections for the configurations for this scenario: • Example 3: System Configuration, page B-9 • Example 3: Admin Context Configuration, page B-9
  • Page 857: Example 3: System Configuration

    0/1.203 allocate-interface gigabitethernet 0/1.300 config-url ftp://admin:[email protected]/dept2.cfg Example 3: Admin Context Configuration hostname Admin interface gigabitethernet 0/0.200 nameif outside security-level 0 ip address 209.165.201.3 255.255.255.224 no shutdown interface gigabitethernet 0/0.201 nameif inside
  • Page 858: Example 3: Department 1 Context Configuration

    209.165.201.4 255.255.255.224 no shutdown interface gigabitethernet 0/0.202 nameif inside security-level 100 ip address 10.1.2.1 255.255.255.0 no shutdown interface gigabitethernet 0/0.300 nameif shared security-level 50 ip address 10.1.1.2 255.255.255.0 no shutdown
  • Page 859: Example 3: Department 2 Context Configuration

    (inside) 1 10.1.3.0 255.255.255.0 ! The inside network uses PAT when accessing the outside global (outside) 1 209.165.201.10 netmask 255.255.255.255 ! The inside network uses PAT when accessing the shared network
  • Page 860: Example 4: Multiple Mode, Transparent Firewall With Outside Access

    An out-of-band management host is connected to the Management 0/0 interface. The admin context allows SSH sessions to the security appliance from one host. Although inside IP addresses can be the same across contexts, keeping them unique is easier to manage.
  • Page 861: Example 4: System Configuration

    Enter the show mode command to view the current mode. firewall transparent hostname Farscape password passw0rd enable password chr1cht0n asdm image disk0:/asdm.bin boot system disk0:/image.bin admin-context admin interface gigabitethernet 0/0
  • Page 862: Example 4: Admin Context Configuration

    The host at 10.1.1.75 can access the context using SSH, which requires a key pair to be generated using the crypto key generate command. hostname Admin domain isp interface gigabitethernet 0/0.150 nameif outside security-level 0 no shutdown
  • Page 863: Example 4: Customer A Context Configuration

    10.1.3.1 255.255.255.0 route outside 0 0 10.1.3.2 1 access-list OSPF remark -Allows OSPF access-list OSPF extended permit 89 any any access-group OSPF in interface outside
  • Page 864: Example 4: Customer C Context Configuration

    -containing the hit-count (how many times the url was accessed) access-list maia2 webtype deny url https://sales.example.com log informational interval access-list maia2 remark -Permits access to the URL. access-list maia2 webtype permit url http://employee-connection.example.com
  • Page 865 Step 7 Next, allow HTTPS ASDM and WebVPN sessions to terminate on the security appliance using the 3DES-sha1 cipher. Requires that a proper 3DES activation-key be previously installed. ssl encryption 3des-sha1
  • Page 866: Example 6: IPv6 Configuration

    • The enforcement of Modified-EUI64 format interface identifiers in the IPv6 addresses of hosts on the inside interface. • The outside interface suppresses router advertisement messages. • An IPv6 static route.
  • Page 867 2001:400:2:1::/64 2001:400:1:1::/64 eq telnet ipv6 access-list outacl permit tcp 2001:400:2:1::/64 2001:400:1:1::/64 eq ftp ipv6 access-list outacl permit tcp 2001:400:2:1::/64 2001:400:1:1::/64 eq www access-group allow in interface outside
  • Page 868: Example 7: Cable-Based Active/Standby Failover (Routed Mode)

    0 speed 100 duplex full ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2 no shutdown interface Ethernet1 nameif inside security-level 100 speed 100 duplex full ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2 no shutdown
  • Page 869: Example 8: LAN-Based Active/Standby Failover (Routed Mode)

    See the following sections for the configurations for this scenario: • Example 8: Primary Unit Configuration, page B-21 • Example 8: Secondary Unit Configuration, page B-22 Example 8: Primary Unit Configuration hostname pixfirewall enable password myenablepassword
  • Page 870: Example 8: Secondary Unit Configuration

    Example 9: LAN-Based Active/Active Failover (Routed Mode) The following example shows how to configure Active/Active failover. In this example there are 2 user contexts, named admin and ctx1. Figure B-8 shows the network diagram for the example.
  • Page 871: Example 9: Primary Unit Configuration

    You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode. hostname ciscopix enable password farscape password crichton asdm image flash:/asdm.bin
  • Page 872: Example 9: Primary Admin Context Configuration

    Ethernet1 nameif outside security-level 0 ip address 192.168.5.101 255.255.255.0 standby 192.168.5.111 interface Ethernet2 nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.11 monitor-interface outside monitor-interface inside
  • Page 873: Example 9: Primary Ctx1 Context Configuration

    Ethernet0 failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
  • Page 874: Example 10: Cable-Based Active/Standby Failover (Transparent Mode)

    100 no shutdown interface Ethernet3 description STATE Failover Interface telnet 192.168.2.45 255.255.255.255 mgmt access-list acl_in permit tcp any host 209.165.201.5 eq 80 access-group acl_in in interface outside
  • Page 875 Example 10: Cable-Based Active/Standby Failover (Transparent Mode) ip address 209.165.201.1 255.255.255.0 standby 209.165.201.2 failover failover link state Ethernet3 failover interface ip state 192.168.253.1 255.255.255.0 standby 192.168.253.2 route outside 0.0.0.0 0.0.0.0 209.165.201.4 1
  • Page 876: Example 11: LAN-Based Active/Standby Failover (Transparent Mode)

    Ethernet0 nameif outside no shutdown interface Ethernet1 nameif inside no shutdown interface Ethernet2 description LAN Failover Interface no shutdown interface ethernet3
  • Page 877: Example 11: Secondary Unit Configuration

    Example 11: Secondary Unit Configuration firewall transparent failover failover lan unit secondary failover lan interface failover ethernet2 failover lan enable failover key key1 failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
  • Page 878: Example 12: LAN-Based Active/Active Failover (Transparent Mode)

    See the following sections for the primary unit configuration: • Example 9: Primary System Configuration, page B-23 • Example 9: Primary admin Context Configuration, page B-24 • Example 9: Primary ctx1 Context Configuration, page B-25
  • Page 879: Example 12: Primary System Configuration

    Ethernet1 allocate-interface Ethernet2 config-url flash:/admin.cfg join-failover-group 1 context ctx1 description context 1 allocate-interface Ethernet3 allocate-interface Ethernet4 config-url flash:/ctx1.cfg join-failover-group 2 Example 12: Primary admin Context Configuration enable password frek password elixir
  • Page 880: Example 12: Primary Ctx1 Context Configuration

    Ethernet0 failover interface ip folink 10.0.4.1 255.255.255.0 standby 10.0.4.11
  • Page 881: Example 14: Dual ISP Support Using Static Route Tracking

    ! is available. It is removed when the router becomes unavailable. route backupisp 0.0.0.0 0.0.0.0 172.16.2.1 254 ! The above route is a floating static route that is added to the
  • Page 882: Example 14: ASA 5505 Base License

    ! This interface cannot communicate with the inside interface. This is required using ! the Base license no forward interface vlan 1 nameif home security-level 50 ip address 192.168.2.1 255.255.255.0 no shutdown interface ethernet 0/0
  • Page 883 (inside) 0 access-list natexmpt-inside nat (home) 0 access-list natexmpt-home http server enable http 192.168.1.0 255.255.255.0 inside dhcpd address 192.168.1.2-192.168.1.254 inside dhcpd auto_config outside dhcpd enable inside logging asdm informational ssh 192.168.1.0 255.255.255.0 inside
  • Page 884: Example 15: ASA 5505 Security Plus License With Failover And Dual-ISP Backup

    See the following sections for the configurations for this scenario: • Example 15: Primary Unit Configuration • Example 15: Secondary Unit Configuration Example 15: Primary Unit Configuration passwd g00fba11 enable password gen1u$
  • Page 885 192.168.2.0 255.255.255.0 access-list natexmpt-home extended permit ip any 192.168.1.0 255.255.255.0 nat (inside) 0 access-list natexmpt-inside nat (home) 0 access-list natexmpt-home sla monitor 123 type echo protocol ipIcmpEcho 209.165.200.234 interface outside num-packets 2
  • Page 886: Example 15: Secondary Unit Configuration

    5 no shutdown failover failover lan unit secondary failover lan interface faillink vlan5 failover polltime unit 3 holdtime 10 failover key key1 failover interface ip faillink 10.1.1.1 255.255.255.0 standby 10.1.1.2
  • Page 887 Note The CLI uses similar syntax and other conventions to the Cisco IOS CLI, but the security appliance operating system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works with or has the same function on the security appliance.
  • Page 888 EXEC, and global configuration commands are available in this mode. Enter the configure terminal command in privileged EXEC mode to start global configuration mode. The prompt changes to the following: hostname(config)# hostname/context(config)# • Command-specific configuration modes
  • Page 889 0.0.0.0 Command-Line Editing The security appliance uses the same command-line editing conventions as Cisco IOS software. You can view all previously entered commands with the show history command or individually with the up arrow or ^p command. Once you have examined a previously entered command, you can move forward in the list with the down arrow or ^n command.
  • Page 890 The filtering is performed by matching each output line with a regular expression, similar to Cisco IOS software. By selecting different filter options you can include or exclude all output that matches the expression. You can also display all output beginning with the line that matches the expression.
  • Page 891 Using the Command-Line Interface Command Output Paging Replace regexp with any Cisco IOS regular expression. See The regular expression is not enclosed in quotes or double-quotes, so be careful with trailing white spaces, which will be taken as part of the regular expression.
  • Page 892 Your text file lines do not need to be indented, as long as the commands appear directly following the main command. For example, the following unindented text is read the same as indented text: interface gigabitethernet0/0 nameif inside interface gigabitethernet0/1 nameif outside
  • Page 893 The login, enable, and user passwords are automatically encrypted before they are stored in the configuration. For example, the encrypted form of the password “cisco” might look like jMorNbK0514fadBh. You can copy the configuration passwords to another security appliance in their encrypted form, but you cannot unencrypt the passwords yourself.
  • Page 894 Appendix C Using the Command-Line Interface Text Configuration Files
  • Page 895: Local Ports And Protocols

    32-bit address. Class D addresses are reserved for multicast IP. • Class A addresses (1.xxx.xxx.xxx through 126.xxx.xxx.xxx) use only the first octet as the network prefix.
  • Page 896 For example, 192.168.0.0/20. This section includes the following topics: • Determining the Subnet Mask, page D-3 • Determining the Address to Use with the Subnet Mask, page D-3
  • Page 897 For a network between 2 and 254 hosts, the fourth octet falls on a multiple of the number of host addresses, starting with 0. For example, the 8-host subnets (/29) of 192.168.0.x are as follows: Subnet with Mask /29 (255.255.255.248) and Address Range: 192.168.0.0 is 192.168.0.0 to 192.168.0.7; 192.168.0.8 is 192.168.0.8 to 192.168.0.15
  • Page 898 10.1.32.0 10.1.32.0 to 10.1.47.255 … … 10.1.240.0 10.1.240.0 to 10.1.255.255 1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255.
  • Page 899: IPv6 Addresses

    IPv6 address. Table D-2 IPv6 Address Compression Examples (Address Type: Standard Form, Compressed Form). Unicast: 2001:0DB8:0:0:0:BA98:0:3210, 2001:0DB8::BA98:0:3210. Multicast: FF01:0:0:0:0:0:0:101, FF01::101. Loopback: 0:0:0:0:0:0:0:1. Unspecified: 0:0:0:0:0:0:0:0.
  • Page 900 • Site-Local Address, page D-7 • Link-Local Address, page D-7 • IPv4-Compatible IPv6 Addresses, page D-7 • Unspecified Address, page D-8 • Loopback Address, page D-8 • Interface Identifiers, page D-8
  • Page 901 IPv6 address.” This address type is used to represent the addresses of IPv4 nodes as IPv6 addresses. This type of address has the format ::FFFF:y.y.y.y, where y.y.y.y is an IPv4 unicast address.
  • Page 902 1, 2, 5, 8, or E, respectively. For example, a multicast address with the prefix FF02::/16 is a permanent multicast address with a link scope. Figure D-1 shows the format of the IPv6 multicast address.
  • Page 903 The following restrictions apply to anycast addresses: • An anycast address cannot be used as the source address for an IPv6 packet.
  • Page 904 000...0 (128 bits) ::/128; Loopback 000...1 (128 bits) ::1/128; Multicast 11111111 FF00::/8; Link-Local (unicast) 1111111010 FE80::/10; Site-Local (unicast) 1111111111 FEC0::/10; Global (unicast) All other addresses; Anycast Taken from the unicast address space.
  • Page 905 See the following caveats: • The security appliance uses port 1521 for SQL*Net. This is the default port used by Oracle for SQL*Net. This value, however, does not agree with IANA port assignments.
  • Page 906 Gopher https HTTP over SSL h323 1720 H.323 call signalling hostname NIC Host Name Server ident Ident authentication service imap4 Internet Message Access Protocol, version 4 Internet Relay Chat protocol
  • Page 907 Simple Network Management Protocol snmptrap Simple Network Management Protocol - Trap sqlnet 1521 Structured Query Language Network Secure Shell sunrpc (rpc) TCP, UDP Sun Remote Procedure Call syslog System Log
  • Page 908 IPSec over UDP 10000 Configurable. (Cisco VPN 3000 Series compatible) IPSec over TCP — No default port is used. You must specify (CTCP) the port number when configuring IPSec over TCP.
  • Page 909: ICMP Types

    ICMP type numbers and names that you can enter in security appliance commands: Table D-7 ICMP Types ICMP Number ICMP Name echo-reply unreachable source-quench redirect alternate-address echo router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request
  • Page 910 Appendix D Addresses, Protocols, and Ports ICMP Types Table D-7 ICMP Types (continued) ICMP Number ICMP Name mask-reply conversion-error mobile-redirect
  • Page 911: Selecting LDAP, RADIUS, or Local Authentication and Authorization

    • RADIUS Authentication Supported on PIX, VPN 3000, and the security appliance. The RADIUS server retrieves/searches the username and enforces any defined attributes as it performs the authorization function. • RADIUS Authorization
  • Page 912: Appendix E Configuring an External Server for Authorization and Authentication

    This section describes the structure, schema, and attributes of an LDAP server. It includes the following topics: • Reviewing the LDAP Directory Structure and Configuration Procedure • Organizing the Security Appliance LDAP Schema • Defining the Security Appliance LDAP Schema
  • Page 913: Reviewing the LDAP Directory Structure and Configuration Procedure

    Engineering, which is a member of an organizational unit called People, which is itself a member of Example Corporation. See Figure E-1 for an example of this multi-level hierarchy. A multi-level hierarchy has more granularity, but a single level hierarchy is quicker to search.
  • Page 914: Searching The Hierarchy

    Terry within Example Corporation. This search takes longer. Table E-1 Example Search Configurations Search Naming LDAP Base DN Scope Attribute Result group= Engineering,ou=People,dc=ExampleCorporation, One Level cn=Terry Quicker search dc=com dc=ExampleCorporation,dc=com Subtree cn=Terry Longer search
  • Page 915: Binding the Security Appliance to the LDAP Server

    All strings are case-sensitive and you must use an attribute name as capitalized in the table even if it conflicts with how a term is typically written. For example, use cVPN3000-IETF-Radius-Class, not cVPN3000-IETF-RADIUS-Class.
  • Page 916 Appendix E Configuring an External Server for Authorization and Authentication Configuring an External LDAP Server Table E-2 Security Appliance Supported LDAP Cisco Schema Attributes Single Attribute Name/ Attr. Syntax/ Multi- OID (Object Identifier) 3000 ASA PIX Type Valued Possible Values...
  • Pages 917 to 923 Appendix E Configuring an External Server for Authorization and Authentication Configuring an External LDAP Server Table E-2 Security Appliance Supported LDAP Cisco Schema Attributes (continued), with the same header row on each page: Attribute Name/OID (Object Identifier), 3000, ASA, PIX, Attr. Type, Single/Multi-Valued, Syntax/Possible Values...
  • Page 924: Cisco-AV-Pair Attribute Syntax

    1.2.840.113556.8000.795.2.1. Likewise, the OID of the last attribute in the table, cVPN3000-WebVPN-SVC-Compression, is 1.2.840.113556.8000.795.2.115. Cisco-AV-Pair Attribute Syntax The syntax of each Cisco-AV-Pair rule is as follows: [Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]:...
  • Page 925: Example Security Appliance Authorization Schema

    Appendix E Configuring an External Server for Authorization and Authentication Configuring an External LDAP Server Note • Use Cisco-AV pair entries with the ip:inacl# prefix to enforce ACLs for remote IPsec and SSL VPN Client (SVC) tunnels. • Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce ACLs for WebVPN clientless...
  • Page 926 TRUE ..(define subsequent security appliance authorization attributes here) ..CN=cVPN3000-Confidence-Interval,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation ,DC=com changetype: add adminDisplayName: cVPN3000-Confidence-Interval attributeID: 1.2.840.113556.1.8000.795.2.52 attributeSyntax: 2.5.5.9 cn: cVPN3000-Confidence-Interval instanceType: 4 isSingleValued: TRUE lDAPDisplayName: cVPN3000-Confidence-Interval distinguishedName:
  • Page 927 CN=Class-Schema,CN=Schema,CN=Configuration,OU=People,DC=ExampleCorporation,DC=com objectClass: classSchema objectClassCategory: 1 possSuperiors: organizationalUnit name: cVPN3000-User-Authorization rDNAttID: cn showInAdvancedViewOnly: TRUE subClassOf: top systemOnly: FALSE changetype: modify add: schemaUpdateNow schemaUpdateNow: 1 systemOnly: FALSE changetype: modify add: schemaUpdateNow schemaUpdateNow: 1
  • Page 928: Loading the Schema in the LDAP Server

    CVPN3000-IPSec-Over-UDP-Port: 12125 cVPN3000-IPSec-Banner1: Welcome to the Example Corporation!!! cVPN3000-IPSec-Banner2: Unauthorized access is prohibited!!!!! cVPN3000-Primary-DNS: 10.10.4.5 CVPN3000-Secondary-DNS: 10.11.12.7 CVPN3000-Primary-WINS: 10.20.1.44 CVPN3000-SEP-Card-Assignment: 1 CVPN3000-IPSec-Tunnel-Type: 2 CVPN3000-Tunneling-Protocols: 7 cVPN3000-Confidence-Interval: 300 cVPN3000-IPSec-Allow-Passwd-Store: TRUE objectClass: cVPN3000-User-Authorization
  • Page 929: Reviewing Examples Of Active Directory Configurations

    Using LDIF files, create the cVPN3000-User-Authorization record on the Microsoft AD database. This record contains the Cisco VPN authorization attributes for the user. Note Contact Cisco TAC to obtain the Microsoft AD LDAP schema for Cisco VPN attributes. Step 2 To confirm the new record, choose Start > Settings > Control Panel > Administrative Tools > Active Directory Users and Computers.
  • Page 930: Example 2: Configuring Ldap Authentication With Microsoft Active Directory

    View the user records by clicking the User folder in the Active Directory Users and Computers window as shown in Figure E-3. Figure E-3 Active Directory Users and Computers Window Showing User Folder
  • Page 931 Step 2 Create an LDAP mapping table entry to map the AD attribute department to the Cisco attribute cVPN3000-IETF-Radius-Class as shown in the following example commands:
    hostname(config)# ldap attribute-map ActiveDirectoryMapTable
  • Page 932: Example 3: Ldap Authentication And Ldap Authorization With Microsoft Active Directory

    The authorization attributes for this group-name are retrieved from the Active Directory server. The department attribute is configured under the Organization tab in the Active Directory Users and Computers dialog box as shown in Figure E-5.
  • Page 933 The Organization Tab of the Active Directory Users and Computer Dialog. To configure this example, perform the following steps on the security appliance: Step 1 Create an LDAP mapping table entry to map the Active Directory attribute department to the Cisco ...
  • Page 934: Configuring An External Radius Server

    Step 1 depends on which type of RADIUS server you are using:
    • If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
    • If you are using a FUNK RADIUS server: Cisco supplies a dictionary file that contains all the ...
  • Page 935: Security Appliance Radius Authorization Attributes

    2 = L2TP, 4 = IPSec, 8 = L2TP/IPSec, 16 = WebVPN (4 and 8 are mutually exclusive; 0-11 and 16-27 are legal values)
    IPSec-Sec-Association | String | Single | Name of the security association
  • Page 936
    ... | String | Specifies the name of the network/access list that describes the split tunnel inclusion list | Single
    IPSec-Default-Domain | String | Specifies the single default domain name to send to the client (1-255 characters)
  • Page 937
    ... | 1 = Required, 2 = If supported by peer certificate, 3 = Do not check | Single
    IKE-Keep-Alives | Boolean | 0 = Disabled, 1 = Enabled | Single
    IPSec-Auth-On-Rekey | Boolean | 0 = Disabled, 1 = Enabled
  • Page 938
    ... | Single
    Authenticated-User-Idle-Timeout | Integer | 1-35791394 minutes | Single
    Cisco-IP-Phone-Bypass | Integer | 0 = Disabled, 1 = Enabled | Single
    IPSec-Split-Tunneling-Policy | Integer | 0 = No split tunneling, 1 = Split tunneling, 2 = Local LAN permitted
  • Page 939
    ... | 0 = No, 1 = Yes | Single
    Authorization-DN-Field | String | Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name | Single
    IKE-KeepAlive-Confidence-Interval | Integer | 10-300 seconds
  • Page 940
    ... | Single
    Tunnel-Group-Lock | String | Name of the tunnel group or "none" | Single
    Access-List-Inbound | String | Access list ID | Single
    Access-List-Outbound | String | Access list ID | Single
    Perfect-Forward-Secrecy-Enable | Boolean | 0 = No, 1 = Yes
  • Page 941
    ... | 1 = Enabled | Single
    WebVPN-SSL-VPN-Client-Required | Integer | 0 = Disabled, 1 = Enabled | Single
    WebVPN-SSL-VPN-Client-Keep-Installation | Integer | 0 = Disabled, 1 = Enabled | Single
    Strip-Realm | Boolean | 0 = Disabled, 1 = Enabled
  • Page 942 Note: RADIUS attribute names do not contain the cVPN3000 prefix to better reflect support for all three security appliances (VPN 3000, PIX, and the ASA). Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The appliances enforce the RADIUS attributes based on attribute numeric ID, not attribute name.
  • Page 943 ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to the RFC 2402. A record address: “A” stands for address, and refers to name-to-address mapped records in DNS.
  • Page 944 BPDU: Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network. Protocol data unit is the OSI term for packet.
  • Page 945 Compression can reduce the size of transferring packets and increase communication performance. configuration, config, config file: A file on the security appliance that represents the equivalent of settings, preferences, and properties administered by ASDM or the CLI.
  • Page 946 JTAPI applications. CTIQBE is used by the TAPI/JTAPI protocol inspection module and supports NAT, PAT, and bi-directional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for call setup and voice traffic across the security appliance.
  • Page 947 See also encryption. Data encryption standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths),...
  • Page 948 EMBLEM: Enterprise Management BaseLine Embedded Manageability. A syslog format designed to be consistent with the Cisco IOS system log format and more compatible with CiscoWorks management applications. encryption: Application of a specific algorithm or cipher to data so as to render the data incomprehensible to those unauthorized to see the information.
  • Page 949 H.320: Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable video conferencing over LANs and other packet-switched networks, as well as video over the Internet.
  • Page 950 Hash, Hash Algorithm: A fixed-length message digest used by cryptographic services to ensure its data integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco uses both MD5 and SHA-1 hashes within our implementation of the IPSec framework.
  • Page 951 You can use the default names or, if you are an experienced user, give each interface a more meaningful name. See also inside, intfn, outside.
  • Page 952 See IKE. Internet Service Provider. An organization that provides connection to the Internet via their services, such as modem dial in over telephone voice lines or DSL.
  • Page 953 MD4 and are designed to strengthen the security of the MD4 hashing algorithm. SHA-1 is more secure than MD4 and MD5. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
  • Page 954 network: In the context of security appliance configuration, a network is a group of computing devices that share part of an IP address space and not a single host. A network consists of multiple nodes or hosts. See also host, Internet, intranet, IP, LAN, and node.
  • Page 955 NSAPI component being the IMSI. See also IMSI. NSSA: Not-so-stubby-area. An OSPF feature described by RFC 1587. NSSA was first introduced in Cisco IOS software release 11.2. It is a non-proprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
  • Page 956 Each host has registered using IGMP to receive the transmission. See also PIM-SM. PIM-SM: Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next, until the packets reach every registered host.
  • Page 957 These characteristics of key pairs provide a scalable and secure method of authentication over an insecure media, such as the Internet.
  • Page 958 Remote Procedure Call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients.
  • Page 959 SAs manually. SA is used by only, and unlike the IPSec SA, it is bidirectional. SCCP: Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager and Cisco VoIP phones. SCEP: Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as enrolling) certificates from CAs.
  • Page 960 SMTP: Simple Mail Transfer Protocol. SMTP is an Internet protocol that supports email services. SNMP: Simple Network Management Protocol. A standard method for managing network devices using data structures called Management Information Bases.
  • Page 961 See also AAA, RADIUS. TAPI: Telephony Application Programming Interface. A programming interface in Microsoft Windows that supports telephony functions. Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
  • Page 962 TAPI Service Provider. See also TAPI. tunnel mode: IPSec encryption mode that encrypts both the header and data portion (payload) of each packet. Tunnel mode is more secure than transport mode.
  • Page 963 IP address that matches the correct source interface according to the routing table. Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com. user EXEC mode: User EXEC mode lets you see the security appliance settings. The user EXEC mode prompt appears as follows when you first access the security appliance.
  • Page 964 This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A...
  • Page 965 40-7 NAT guidelines 16-3 downloadable access lists 19-7 Network Admission Control, default 33-3 network access 19-5 object groups 16-16 local database support 13-9 outbound 18-1 performance 19-1 remarks 16-16 server
  • Page 966 37-48 cable-based 14-18 quitting properly 37-19 failover criteria 14-25 re-enabling 37-19 HTTP replication 14-24 setting up on client 37-48 interface monitoring 14-24 username WebVPN attribute 30-81 interface poll times 14-36
  • Page 967 34-4 downloadable access lists 19-7 interfaces, about network access 19-5 MAC addresses Auto-MDI/MDIX maximum VLANs auto-signon native VLAN support 4-11 group policy WebVPN attribute 30-63 non-forwarding interface username WebVPN attribute 30-82
  • Page 968: Adding Comments C

    27-15 abbreviating commands certificate adding comments authentication, e-mail proxy 37-26 command line editing enrollment protocol 39-7 command output paging group matching displaying configuring 27-9 help rule and policy, creating 27-10 paging
  • Page 969 30-60 prompt login windows for WebVPN users 30-23 connection blocking username WebVPN attribute 23-6 30-20, 30-79 connection limits cut-through proxy 19-1 configuring 23-4 per context connect time, maximum, username attribute 30-73
  • Page 970 ASA 5505 as Easy VPN client 34-8 duplex, configuring DfltGrpPolicy 30-31 dynamic crypto map 27-24 DHCP creating 32-6 addressing, configuring 31-3 See also crypto map Cisco IP Phones 10-4 Dynamic DNS 10-6 options 10-3 dynamic NAT
  • Page 971 WebVPN, defining Active/Standby cable-based failover 37-31 B-20, B-26 Enterprises Active/Standby LAN-based failover 10-4 B-21, B-28 Entrust, CA server support failover link 39-5 14-3 ESP security protocol forcing 27-2 14-46
  • Page 972 WebVPN attribute 30-80 general tunnel-group connection parameters 30-2 filtering generating RSA keys 39-6 about 20-1 global addresses ActiveX 20-1 recommendations 17-13 20-8 specifying 17-23 Java applets 20-3 global e-mail proxy attributes 37-25
  • Page 973 37-18 customization 30-60 reconfiguring 37-19 deny-message 30-61 WebVPN 37-18 filter 30-63 HSRP 15-8 home page 30-62 html-content-filter html-content filter 30-61 group policy WebVPN attribute 30-61 keep-alive-ignore 30-65 username WebVPN attribute 30-78
  • Page 974 D-15 speed inheritance subinterfaces tunnel group 30-1 viewing monitored interface status 14-45 username attribute 30-71 internal group policy, configuring 30-34 inside, definition Internet Security Association and Key Management Protocol inspection engines
  • Page 975 27-11 Java applets, filtering 20-2 viewing configuration 27-26 Java object signing 37-28 IPSec parameters, tunnel group 30-3 java-trustpoint 37-28 ipsec-ra, creating an IPSec remote-access tunnel 30-6 IP spoofing, preventing 23-5
  • Page 976 16-18 SASL classes 13-6 schema example filtering messages by E-15 42-15 schema loading types 42-16 E-18 schema planning device-id, including in system log messages E-3 to E-5 42-19
  • Page 977 30-72 maximum object size to ignore username WebVPN attribute 30-82 40-3 maximum sessions, IPSec 29-11 Telnet MD5, IKE policy keywords (table) 27-3 windows, customizing for WebVPN users 30-23
  • Page 978 6-16 implementation 17-16 SNMP 42-1 examples 17-32 monitoring switch traffic, ASA 5505 exemption from NAT More prompt about 17-9 configuration 17-31 about 21-1 identity NAT default policy 21-2 about 17-9
  • Page 979 33-3 hello interval 9-11 clientless authentication 33-5 interface parameters 9-10 configuring 30-50 link-state advertisement enabling and disabling 33-2 logging neighbor states 9-17 exemptions 33-4 MD5 authentication 9-11 port 33-7 monitoring 9-18
  • Page 980: Passwords C

    17-9 password management, Active Directory settings 30-24 dynamic, configuring 17-22 passwords static, configuring 17-25 changing static PAT, configuring 17-27 clientless authentication 33-6 pools, address recovery 43-6 DHCP 10-2 security appliance
  • Page 981: Private Networks D

    QoS privileged mode latency, reducing 24-9 accessing limit 24-8 prompt priority, configuring 24-8 privilege level, username, setting 30-70 prompts command more RADIUS protocol numbers and literal values D-11 attribute policy proxy
  • Page 982 6-10 class KEON, CA server support 39-5 configuring keys, generating 39-6, 40-2 default class signatures, IKE authentication method 39-2 monitoring RTSP inspection 6-16 oversubscribing about 25-60 resource types configuring 25-60
  • Page 983 33-2 clearing 27-27 service policy See also SAs applying 21-17 security attributes, group policy 30-38 default 21-17 security contexts global 21-17 about interface 21-17 adding session management path admin context
  • Page 984 WebVPN attribute 30-84 MIBs 42-1 viewing sessions 38-7 traps 42-2 source quench, ICMP message D-15 checking status 22-13 SPAN configuration Spanning Tree Protocol, unsupported AIP SSM 22-2 speed, configuring CSC SSM 22-7
  • Page 985 42-7 stealth firewall system configuration See transparent firewall system log messages subcommand mode prompt classes 42-16 subinterfaces, adding classes of 42-15 subnet masks configuring in groups /bits by message list 42-17
  • Page 986 TCP Intercept Management 0/0 IP address enabling using Modular Policy Framework 23-4 management IP address enabling using NAT 17-23 multicast traffic 15-8 monitoring 6-20 15-10 TCP normalization 23-1 packet handling 16-6 Telnet
  • Page 987 30-4 access hours 30-71 tunnel-group ISAKMP/IKE keepalive settings 30-3 configuring 30-69, 30-71 tunneling, about 27-1 group-lock 30-74 tunnel mode 28-2 inheritance 30-71 tx-ring-limit 24-8 password, setting 30-70 password-storage 30-75
  • Page 988 37-26 master 29-5 WebVPN virtual firewalls assigning users to group policies 37-15 See security contexts authenticating with digital certificates 37-14 VLANs CA certificate validation not done 37-2 allocating to a context
  • Page 989 37-45 security precautions 37-2, 37-5 security tips 37-43 setting HTTP/HTTPS proxy 37-4 SSL/TLS encryption protocols 37-4 supported applications 37-43 supported browsers 37-45 supported types of Internet connections 37-45 troubleshooting 37-18

This manual is also suitable for: Cisco PIX 500 Series, Cisco ASA 5500 Series