Instruction/maintenance manual of the product OL-16647-01 (Cisco Systems)
Cisco ASDM User Guide Version 6.

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
Cisco ASDM User Guide OL-16647-01

CONTENTS

Preface xxxix
Related Documentation xxxix
Document Conventions xxxix
Obtaining Documentation and Submitting a Service Request xl

PART 1 Getting Sta.

Enabling Extended Screen Reader Support 1-16
Organizational Folder 1-16
About the Help Window 1-16
Header Buttons 1-16
Browser Window 1-17
Home Pane 1-17.

CHAPTER 3 Defining Preferences and Using Configuration, Diagnostic, and File Management Tools 3-1
Preferences 3-1
Configuration Tools 3-3
Reset Device t.

PIX 515/515E Default Configuration 4-4
Configuring the Security Appliance for ASDM Access 4-4
Setting Transparent or Routed Firewall Mode at the CLI 4-4.

CHAPTER 6 Configuring Basic Device Settings 6-1
Management IP Address 6-1
System Time 6-2
Clock 6-2
NTP 6-3
Add/Edit NTP Server Configuration 6-4
Configu.

Configuring an Interface (Single Mode) 7-5
Enabling Same Security Level Communication (Single Mode) 7-8
PPPoE IP Address and Route Settings 7-9
CHAPTER.

Configuring Switch Ports 9-11
Interfaces > Switch Ports 9-11
Edit Switch Port 9-12
CHAPTER 10 Configuring Security Contexts 10-1
Security Context Overv.

Interface 11-10
Redistribution 11-14
Static Neighbor 11-17
Summary Address 11-18
Virtual Link 11-19
RIP 11-22
Setup 11-23
Interface 11-24
Filter Rules 11-2.

MForwarding 12-11
PIM 12-11
Protocol 12-12
Edit PIM Protocol 12-12
Neighbor Filter 12-13
Add/Edit/Insert Neighbor Filter Entry 12-14
Bidirectional Neighb.

RADIUS Server Support 14-4
Authentication Methods 14-4
Attribute Support 14-4
RADIUS Authorization Functions 14-4
TACACS+ Server Support 14-4
SDI Server.

Active/Standby Failover 15-2
Active/Active Failover 15-2
Stateless (Regular) Failover 15-3
Stateful Failover 15-3
Configuring Failover with the High Ava.

Configuring CLI Parameters 16-2
Adding a Banner 16-2
Customizing a CLI Prompt 16-3
Changing the Console Timeout Period 16-4
Configuring File Access 16-4.

Configure Logging Flash Usage 17-4
Syslog Setup 17-4
Edit Syslog ID Settings 17-5
Advanced Syslog Configuration 17-6
E-Mail Setup 17-7
Add/Edit E-Mail Re.

MAC Address vs. Route Lookups 18-8
Using the Transparent Firewall in Your Network 18-9
Transparent Firewall Guidelines 18-9
Unsupported Features in Trans.

Add TLS Proxy Instance Wizard – Server Configuration 19-21
Add TLS Proxy Instance Wizard – Client Configuration 19-22
Add TLS Proxy Instance Wizard.

Log Options 20-14
Configuring Ethertype Rules (Transparent Mode Only) 20-16
Add/Edit EtherType Rule 20-17
CHAPTER 21 Configuring NAT 21-1
NAT Overview.

CHAPTER 22 Configuring Service Policy Rules 22-1
Service Policy Overview 22-1
Supported Features 22-1
Service Policy Elements 22-2
Default Global Polic.

Configuring TACACS+ Authorization 23-9
Configuring RADIUS Authorization 23-10
Configuring a RADIUS Server to Send Downloadable Access Control Lists 23-1.

Configuring MMP Inspection for a TLS Proxy 24-18
NetBIOS Inspection 24-18
PPTP Inspection 24-19
RADIUS Accounting Inspection 24-19
RSH Inspection 24-1.

Select RTSP Map 24-36
Select SCCP (Skinny) Map 24-37
Select SIP Map 24-37
Select SNMP Map 24-38
Class Map Field Descriptions 24-39
DNS Class Map 24-39.

Add/Edit FTP Policy Map (Security Level) 24-80
Add/Edit FTP Policy Map (Details) 24-81
Add/Edit FTP Map 24-82
GTP Inspect Map 24-84
IMSI Prefix Filtering 24-84
Add/Edit GTP Policy Map (Security Level) 24-85
Add/Edit GTP Policy Map (Details) 24-86
Add/Edit GTP Map 24-88
H.

Add/Edit SIP Policy Map (Security Level) 24-121
Add/Edit SIP Policy Map (Details) 24-122
Add/Edit SIP Inspect 24-124
SNMP Inspect Map 24-126
Add/Edit.

Configuring Connection Settings 27-6
Connection Limit Overview 27-6
TCP Intercept Overview 27-6
Disabling TCP Intercept for Management Packets for Clien.

Getting Started with the CSC SSM 29-4
Determining What Traffic to Scan 29-6
Rule Actions for CSC Scanning 29-8
CSC SSM Setup 29-9
Activation/License 2.

CHAPTER 31 SSL VPN Wizard 31-1
SSL VPN Feature 31-1
SSL VPN Interface 31-2
User Authentication 31-2
Group Policy 31-3
Bookmark List 31-3
IP Address Po.

Add/Edit IKE Policy 34-5
Assignment Policy 34-6
Address Pools 34-7
Add/Edit IP Pool 34-8
IPsec 34-8
Crypto Maps 34-9
Create IPsec Rule/Tunnel Policy.

Browse ICMP 35-19
Add ICMP Group 35-20
Browse Other 35-21
Add Protocol Group 35-21
Add/Edit Internal Group Policy > Servers 35-22
Add/Edit Internal.

IPSec Remote Access Connection Profiles 35-49
Add or Edit an IPSec Remote Access Connection Profile 35-50
Add or Edit IPSec Remote Access Connection Prof.

CHAPTER 36 Configuring Dynamic Access Policies 36-1
Understanding VPN Access Policies 36-1
DAP Support for Remote Access Connection Types 36-3
DAP and.

Encoding 38-15
Web ACLs 38-17
Port Forwarding 38-19
Why Port Forwarding? 38-19
Requirements and Restrictions 38-20
Add/Edit Port Forwarding List 38-2.

Customization Example 38-48
Using the Customization Template 38-50
The Customization Template 38-50
Help Customization 38-63
Import/Export Application.

CHAPTER 40 Configuring SSL Settings 40-1
SSL 40-1
Edit SSL Certificate 40-2
SSL Certificates 40-3
PART 5 Monitoring the Security Appliance
CHAPTER 41.

SSO Statistics for Clientless SSL VPN Session 42-14
CHAPTER 43 Monitoring Routing 43-1
Monitoring OSPF LSAs 43-1
Type 1 43-1
Type 2 43-2
Type 3 43-3
Typ.

Blocks 44-17
CPU 44-17
Memory 44-18
WCCP 44-18
Service Groups 44-19
Redirection 44-19
CHAPTER 45 Monitoring Logging 45-1
About Log Viewing 45-1
Log Buf.

ASA 5540 Feature Licenses A-4
ASA 5550 Feature Licenses A-4
ASA 5580 Feature Licenses A-5
PIX 515/515E Feature Licenses A-6
PIX 525 Feature Licenses.

Login DN Example for Active Directory C-5
Defining the Security Appliance LDAP Configuration C-5
Supported Cisco Attributes for LDAP Authorization C-.
Preface

The ASDM User Guide contains the information that is available in the ASDM online help system. This preface contains the following topics:
• Re.

• Information you need to enter in examples is shown in boldface screen font.
• Variables for which you must supply a value are shown in italic screen font.
PART 1 Getting Started.
CHAPTER 1 Welcome to ASDM

Cisco Adaptive Security Device Manager (ASDM) delivers world-class security management and monitoring services for security appliances through an intuitive, easy-to-use management interface.

ASDM Client Operating System and Browser Requirements

Table 1-1 lists the supported and recommended client operating systems and Java for ASDM.

• Advanced Inspection and Prevention (AIP) SSM, software Version 5.0, 5.1, and 6.0
• Content Security and Control (CSC) SSM, software Version 6.1 and 6.

New ASDM Features

Note For supported platform features, see the “New Features by Platform Release” section on page 2-1. Table 1-3 lists the new features for ASDM Version 6.

Effects of Unsupported Commands
• If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6.

To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command.

About the ASDM Interface

The ASDM interface is designed to provide easy access to the many features that the adaptive security appliance supports.

• Refresh ASDM with the Running Configuration on the Device—Loads a copy of the running configuration to ASDM. Click Refresh to make sure ASDM has a current copy of the running configuration.

• Time Ranges—Shows and hides the display of the Time Ranges pane. The Time Ranges pane is only available for the Access Rules, Service Policy Rules, AAA Rules, and Filter Rules panes in the configuration view.

• Administrator’s Alerts to Clientless SSL VPN Users—Lets an administrator send an alert message to clientless SSL VPN users. See the Administrator’s Alert to Clientless SSL VPN Users dialog box for more information.

• About Cisco Adaptive Security Appliance (ASA)—Displays information about the adaptive security appliance, including the software version, hardware set, configuration file loaded at startup, and software image loaded at startup.

How Do I? Tab Fields
• Show tasks—Choose the type of information you want from the drop-down list. The available types are Security Policy, ASDM, Administration, and All.

Connection to Device

ASDM maintains a constant connection to the adaptive security appliance to maintain up-to-date monitoring and home pane data. This dialog box shows the status of the connection.

• Reset—Discards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply.

Table 1-7 lists the keyboard shortcuts you can use with the Log Viewers.

Enabling Extended Screen Reader Support

By default, labels and descriptions are not included in tab order when you press the Tab key to navigate a pane. Some screen readers, such as JAWS, only read screen objects that have the focus.

Browser Window

When you open help and a help page is already open, the new help page will appear in the same browser window. If no help page is open, then the help page will appear in a new browser window.

Device Dashboard Tab

The Device Dashboard tab lets you view, at a glance, important information about your adaptive security appliance, such as the status of your interfaces, the version you are running, licensing information, and performance.

VPN Peers—Display only. Shows the number of VPN peers allowed. This entry is blank if no VPN peers are supported.
Clientless SSL VPN Peers—Display only. Shows the number of clientless SSL VPN peers allowed.

Firewall Dashboard Tab

The Firewall Dashboard tab lets you view important information about the traffic passing through your security appliance, including the number of connections, NAT translations, dropped packets, attacks, and top usage statistics.

– Hits—Shows the number of packet hits that occurred.
– Source—Shows the source IP address.
– Dest—Shows the destination IP address.
– Service—Shows the service (protocol or port) for the connection.

– Last Update—Display only. Shows the date of the last software update obtained from Trend Micro.
– Daily Node #—Display only. Shows the number of network devices for which the CSC SSM provided services in the preceding 24 hours.

– Subject/File/URL—Display only. Shows the subject of e-mails that contain a threat, the names of FTP files that contain a threat, or blocked or filtered URLs.
– Receiver/Host—Display only.

– IPS Version—Display only. Shows the IPS software version.
– IDM Version—Display only. Shows the IDM software version.
– Bypass Mode—Display only. Shows the bypass mode, which can be set to On or Off.

System Home Pane

The ASDM system home pane lets you view important status information about your adaptive security appliance.

Firewall Mode                 Security Context
Routed    Transparent         Single    Multiple Context    System
•         •                   •         •                   •
CHAPTER 2 Introduction to the Security Appliance

The security appliance combines advanced stateful firewall and VPN concentrator functionality in one de.

New Features by Platform Release

Table 2-1 lists the new features for Version 8.1(2).
Note Version 8.1(x) is only supported on the Cisco ASA 5580 adaptive security appliance.

Show Active Directory Groups: The CLI command show ad-groups was added to list the Active Directory groups.

New Features in Version 8.1(1)

Table 2-2 lists the new features for Version 8.1(1).
Note Version 8.1(x) is only supported on the Cisco ASA 5580 adaptive security appliance.

New Features in Version 8.0(4)

Note These features are not available in Version 8.1(1). See the “New Features in Version 8.

Table 2-3 lists the new features for Version 8.0(4).

Table 2-3 New Features for ASA and PIX Version 8.0(4)
Feature | Description
Unified Communications Features 1
Phone Proxy | Phone Proxy functionality is supported.

Auto Sign-On with Smart Tunnels for IE 1 | This feature lets you enable the replacement of logon credentials for WININET connections.

Smart Tunnel over Mac OS 1 | Smart tunnels now support Mac OS. In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels.

New Features in Version 8.0(3)

Table 2-4 lists the new features for Version 8.

New Features in Version 8.0(2)

Table 2-5 lists the new features for Version 8.0(2).
Note There was no ASA or PIX 8.0(1) release.

High Availability
Remote command execution in Failover pairs | You can execute commands on the peer unit in a failover pair without having to connect directly to the peer.

Cisco Secure Desktop Host Scan | As a condition for the completion of a Cisco An.

Platform Enhancements
VLAN support for remote access VPN connections | Provides support for mapping (tagging) of client traffic at the group or user level.

Browser-based SSL VPN Features (continued)
Personal bookmark support | Users can define their own bookmarks. These bookmarks are stored on a file server.

Firewall Features
Application Inspection
Modular policy framework inspect c.

Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network.

• Applying Application Inspection, page 2-17
• Sending Traffic to the A.

Sending Traffic to the Advanced Inspection and Prevention Security Services Module

If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM for inspection.

Firewall Mode Overview

The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network.

– Session lookup
– TCP sequence number check
– NAT translations based on existin.

which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance.
CHAPTER 3 Defining Preferences and Using Configuration, Diagnostic, and File Management Tools

This chapter describes the preferences and tools available f.

“You are not allowed to modify the ASA configuration, because you do not have sufficient privileges.” f.

Step 6 After you have specified settings on these three tabs, click OK to save your settings and close the Preferences dialog box.

Step 2 Enter the Management IP address of the management interface, instead of using the default address, 192.

Save Internal Log Buffer to Flash

This feature lets you save the internal log buffer to flash memory.

Step 6 After you have closed the Command Line Interface dialog box, if you changed the configuration, click Refresh to view the changes in ASDM.

Step 1 In the main ASDM application window, choose Tools > Show Commands Ignored by ASDM on Device.

• Debug all packet drops in a production network.
• Verify the configuration is working as intended.

To use the Ping tool, perform the following steps:
Step 1 In the main ASDM application window, choose Tools > Ping.

• Loopback testing of two interfaces—A pin.

Pinging to a Security Appliance Interface

When.

Step 6 Specify the minimum and maximum TTL values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops.

ASDM Java Console

You can use the ASDM Java console to view and copy logged entries in a text format, which can help you troubleshoot ASDM errors.

Step 3 Choose the ingress interface (inside or outside) from the drop-down list.
Step 4 Enter the source host IP address and choose the network IP address from the drop-down list.
Modes

The following table shows the modes in.
Summary

The Summary dialog box shows the traffic selectors and the buffer parameters for the packet capture.

Save Captures

The Save Captures dialog box lets you save the ingress and egress packet captures to ASCII or PCAP file format for further packet analysis.

File Management

The File Management tool.

Manage Mount Points

This feature lets you configure remote storage (mount points) for network file systems using a CIFS or FTP connection.

Step 2 Make the changes to the remaining settings, and click OK when you are done.

File Transfer

The File Transfer tool lets you transfer files from either a local or remote location.

Step 9 To transfer a file to a remote server, choose the Remote server option.
a. Enter the path to the location of the file.

Step 1 In the main ASDM application window, choose Tools > Upgrade Software from Cisco.

ASDM Assistant

The ASDM Assistant tool lets you search and view useful ASDM procedural help about certain tasks.

b. For the Reload Start Time, you can select from the following options:
– Click Now to perform an immediate reload.
Step 1 Create a folder on your computer to store backup files so they will be easy to find if you have to restore later.
ASDM displays a status window. When the backup completes, ASDM closes it and opens the Backup Statistics window.

Restoring Configurations

You can specify configurations and images to restore from a zip file on your local computer.

By default, all files are checked; ASDM restores them if they are available.
CHAPTER 4 Before You Start

This section describes the tasks you must perform before you use ASDM, and includes the following topics:
• Factory Default C.

Step 1 Choose File > Reset Device to the Factory Default Configuration.

interface Ethernet 0/5
 switchport access vlan 1
 no shutdown
interface Ethernet 0/6
 switchport access vla.

PIX 515/515E Default Configuration

The default factory configuration for the PIX 515/515E security appliance provides the following:
• The inside Ethernet1 interface.

For multiple context mode, the system configuration is erased, which removes any contexts.

This command also appears in each context configuration for information only; you cannot enter this command in a context.

Step 2 Enter or choose the adaptive security appliance IP address or hostname to which you want to connect. To clear the list of IP addresses, click the trash can icon next to the Device/IP Address/Name field.

– Configuration > Interface > Edit Interface > Renew DHCP Lease
– Configuring a standby device after fai.

Configuration Overview

To configure and monitor the adaptive security appliance, perform the following steps:
Step 1 For initial configuration using the Startup Wizard, choose Wizards > Startup Wizard.

– Filter Rules prevent outbound access to specific websites or FTP servers. The security appliance works with a separate server running either Websense Enterprise or Sentian by N2H2.

– The CLI.
– SNMP and ICMP.
– Logging, including e-mail, event lists, filters, rate limit, syslog servers, and SMTP. For more information, see Configuring Logging.
PART 2 Device Setup and Management.
5-1 CHAPTER 5 Using the Startup Wizard: The ASDM Startup Wizard guides you through the initial configuration of the adaptive security appliance, and helps yo.
5-2 Startup Wizard Screens for ASA 5500 Series and PIX 500 Series Security Appliances: Startup Wizard Screens for ASA 5500 Series.
5-3 Startup Wizard Screens for the ASA 5505 Adaptive Security Appliance: Step 1 - Starting Point or Welcome. To access this feature from the main ASDM application window (except in multiple mode), choose File > Reset Device to the Factory Default Configuration.
5-4 Note If you reset the configuration to factory defaults, you cannot undo these changes by clicking Cancel or by closing this screen.
5-5 For More Information See the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide and the Cisco ASA 5505 Getting Started Guide.
5-6 Step 4 - Management IP Address Configuration. This screen lets you configure the management IP address of the host for this context.
5-7 • Do not configure—Check this check box to disable configuration of this VLAN. For More Information See the Cisco ASA 5505 Getting Started Guide.
5-8 Step 7 - Interface IP Address Configuration. This screen a.
5-9 Step 8 - Internet Interface Configuration - PPPoE. This screen lets you configure the specified outside interface by obtaining an IP address from a PPPoE server.
5-10 Modes The following table shows the modes in which thi.
5-11 For More Information See the Cisco ASA 5505 Getting Started Guide.
5-12 • Obtain default route using PPPoE—Check this check box to set the default routing using the PPPoE server.
5-13 Step 12 - Static Routes. This screen lets you create, edit, and remove static routes that will access networks connected to a router on any interface.
5-14 • Enable auto-configuration—Check this check box to allow automatic configuration of the DNS server, WINS server, lease length, and ping timeout settings.
5-15 • A DNS server on a higher level security interface cannot use PAT. Fields • Use Network Address Translation (NAT)—Choose to enable NAT and a range of IP addresses to be used for translation.
5-16 • Interface—Displays the host or network name. • IP Address—Displays the IP address of the host or network.
5-17 • Interface Name—Choose from a list of predetermined interfaces. • IP Address—Specifies an IP address for the interface.
5-18 Fields • Enable Easy VPN remote—Check this check box to enable the adaptive security appliance to act as an Easy VPN remote device.
5-19 Step 17 - Startup Wizard Summary. This screen summarizes all of the settings you have made for the security appliance.
5-20 Edit Interface. To access this feature from the main ASDM application window, choose Configuration > Interfaces.
5-21 • Enable traffic between two or more interfaces with the same security level—Check this check box to enable traffic between two or more interfaces with the same security level.
5-22 – Specify an IP address—Click to specify an IP address for an interface: IP Address—Lets you enter an IP address for an interface.
5-23 • Use the following IP address—Choose this option to specify an IP address manually for the interface.
6-1 CHAPTER 6 Configuring Basic Device Settings: This section contains the following topics: • Management IP Address, page 6-1 • System Time, page 6-2 • C.
6-2 System Time: You can manually set the system date or time or have the security appliance dynamically set the system date and time using an NTP server.
6-3 NTP. The NTP pane lets you define NTP servers to dynamically set the time on the security appliance. The time displays in the status bar at the bottom of the main ASDM pane.
6-4 Configuring Advanced Device Management Features: Add/Edit NTP Server Configuration. The Add/Edit NTP Server Configuration dialog box lets you add or edit an NTP server.
6-5 Note To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to the HTTP port.
6-6 System Image/Configuration: History Metrics. The History Metrics pane lets you configure the adaptive security appliance to keep a history of various statistics, which ASDM can display on any Graph/Table.
6-7 Features of temporary and permanent licenses combine to form the running license.
6-8 Important Notes • If the security appliance configuration is updated from an Auto Update server, ASDM is not notified.
6-9 Set Polling Schedule. The Set Polling Schedule dialog box lets you configure specific days, and the time-of-day for the security appliance to poll the Auto Update server.
6-10 Modes The following table shows the modes in which this feature is available: Advanced Auto Update Settings. Fields • Use Device ID to uniquely identify the ASA—Enables authentication using a Device ID.
6-11 Fields • Boot Order—Displays the order in which binary image files will be used to boot. • Boot Image Location—Displays the physical location and path of the boot file.
6-12 Device Name/Password: Modes The following table shows the modes in which this feature is available: Device Name/Password. The Device Name/Password pane lets you set the hostname and domain name for the security appliance and set the enable and telnet passwords.
6-13 System Software: The Telnet Password area contains the following fields. In multiple context mode, the Telnet Password area only appears in contexts; it does not appear in the system execution space.
6-14 – Client Revision—Specifies the revision number(s) of the software component. Double-clicking any of the rows in the Client Images table opens the Edit Client Update Entry dialog box, in which you can modify the client parameters.
6-15 Modes The following table shows the modes in which this feature is available: Firewall Mode Secur.
7-1 CHAPTER 7 Configuring Interfaces in Single Mode: This chapter describes how to configure and enable physical Ethernet interfaces, how to create redundant interface pairs, and how to add subinterfaces.
7-2 Interface Overview: • Default Physical Interface Settings, page 7-2 • Connector Types, page 7-2 • Auto-M.
7-3 • If you use a redundant interface for the failover or state link, you must put a switch or hub between the two units; you cannot connect them directly.
7-4 Maximum Subinterfaces. To determine how many subinterfaces are allowed for your platform, see Appendix A, “Feature Licenses.
7-5 Configuring an Interface (Single Mode): • Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
7-6 a. Click Add > Redundant Interface. The Add Redundant Interface dialog box appears with the General tab selected. b. In the Redundant ID field, enter an integer between 1 and 8.
7-7 Note Route tracking is only available in single, routed mode. SLA ID—A unique identifier for the SLA monitoring process.
7-8 Enabling Same Security Level Communication (Single Mode): parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature.
7-9 PPPoE IP Address and Route Settings: If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
7-10 – Monitor Options—Click this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process.
8-1 CHAPTER 8 Configuring Interfaces in Multiple Mode: This chapter describes how to configure and enable physical Ethernet interfaces, how to create redundant interface pairs, and how to add subinterfaces in the system configuration.
8-2 Configuring Interfaces in the System Configuration (Multiple Mode): Note If you use failover, you need to assign a dedicated interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab.
8-3 Configuring and Enabling Physical Interface.
8-4 Redundant Interface Overview. This section i.
8-5 • If you shut down the active interface, then the standby interface becomes active.
8-6 • Maximum Subinterfaces, page 8-6. Default State of Subinterfaces: When you add a subinterface, it is enabled by default.
8-7 Allocating Interfaces to Contexts: Enabling Jumbo Frame Support for the ASA 5580 in the System Configuration (Mu.
8-8 Configuring Interface Parameters within each Context (Multiple Mode): Default State of Interfaces. In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space.
8-9 Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT.
8-10 The description can be up to 240 characters on a single line, without carriage returns. The system description is independent of the context description.
8-11 You can also enable communication between hosts connected to the same interface.
9-1 CHAPTER 9 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance: This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.
9-2 Interface Overview: Understanding ASA 5505 Ports and Interfaces. The ASA 5505 adaptive security appliance supports a built-in switch.
9-3 With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN.
9-4 Default Interface Configuration. If.
9-5 Configuring VLAN Interfaces: You can only enable SPAN monitoring using the Command Line Interface tool by entering the switchport monitor command.
9-6 If you enabled Easy VPN, you cannot add or delete VLAN interfaces, nor can you edit the security level or interface name.
9-7 The backup interface does not pass through traffic unless the default route through the primary interface fails.
9-8 Add/Edit Interface > General. The Add/Edit Interface > General tab lets you add or edit a VLAN interface.
9-9 Retry Count—Sets the number of times between 4 and 16 that the security appliance resends a DHCP request if it does not receive a reply after the first attempt.
9-10 Modes The following table.
9-11 Configuring Switch Ports: – Block Traffic from this Interface to—Choose a VLAN ID in the list. • Select Backup Interface—Shows the backup ISP interface for this interface.
9-12 • Mode—The mode, Access or Trunk. Access ports can be assigned to one VLAN.
9-13 Interfaces > Interfaces.
10-1 CHAPTER 10 Configuring Security Contexts: This chapter describes how to use security contexts and enable multiple context mode.
10-2 Security Context Overview: Common Uses for Security Contexts. You might want to use multiple security contexts in the following situations: • You are a service provider and want to sell security services to many customers.
10-3 • Invalid Classifier Criteria, page 10-4 • Classification Examples, page 10-4. Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.
10-4 static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0 Note For management traffic destined for an interface, the interface IP address is used for classification.
10-5 Figure 10-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.
10-6 Figure 10-3 Incoming Traffic from Inside Networks (figure labels: Host 10.1.1.13, Classifier, Context A, Context B, GE 0/1.3, GE 0/1).
10-7 For transparent firewalls, you must use unique interfaces. Figure 10-4 shows a host on the Context B inside network accessing the Internet.
10-8 Figure 10-5 shows a gateway context with two contexts behind the gateway.
10-9 Enabling or Disabling Multiple Context Mode: log in with a username, enter the login command. For example, you log in to the admin context with the username “admin.
10-10 Configuring Resource Classes: original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved.
10-11 Classes and Class Members Overview. The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.
10-12 Figure 10-7 Unlimited Resources. Default Class: All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.
10-13 Figure 10-8 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class.
10-14 For resources that do not have a system limit, you cannot set the percentage; you can only set an absolute value. If you do not set a limit, the limit is inherited from the default class.
10-15 • Inspects/sec—Sets the limit for application inspections per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
10-16 Configuring Security Contexts: – Peak (#)—Shows the peak number of xlates since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.
10-17 Step 5 From the Interfaces > Physical Interface drop-down list, choose an interface.
10-18 • Enabling Automatic MAC Address Assignment, page 10-18. MAC Address Overview: To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface.
11-1 CHAPTER 11 Configuring Dynamic And Static Routing: To configure static routes and dynamic routing protocols, go to the Configuration > Device Setup > Routing area of the ASDM interface.
11-2 Dynamic Routing: If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processes—one process for the public areas and one for the private areas.
11-3 Setup > Process Instances Tab. You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.
11-4 • RFC 1583 Compatible—Check this check box to calculate summary route costs per RFC 1583. Uncheck this check box to calculate summary route costs per RFC 2328.
11-5 Setup > Area/Networks Tab. The Area/Networks tab displays the areas, and the networks they contain, for each OSPF process on the security appliance.
11-6 Fields • OSPF Process—When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being added. If there is only one OSPF process enabled on the security appliance, then that process is selected by default.
11-7 – None—Choose this option to disable OSPF area authentication. This is the default setting. – Password—Choose this option to use a clear text password for area authentication.
11-8 Add/Edit Route Summarization. Use the Add Route Summarization dialog box to add a new entry to the Route Summarization table. Use the Edit Route Summarization dialog box to change an existing entry.
11-9 Fields The Filtering table displays the following information. Double-clicking a table entry opens the Add/Edit Filtering Entry dialog box for the selected entry.
11-10 • Sequence #—Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.
11-11 – Interface—Displays the interface name. – Authentication Type—Displays the type of OSPF authentication enabled on the interface. The authentication type can be one of the following values: None—OSPF authentication is disabled.
11-12 • MD5 IDs and Keys—Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
11-13 Edit OSPF Interface Properties. Fields • Interface—Displays the name of the interface for which you are configuring OSPF properties. You cannot edit this field.
11-14 Edit OSPF Interface Advanced Properties. The Edit OSPF Interface Advanced Properties dialog box lets you change the values for the OSPF hello interval, retransmit interval, transmit delay, and dead interval.
11-15 Fields The Redistribution table displays the following information. Double-clicking a table entry opens the Add/Edit OSPF Redistribution Entry dialog box for the selected entry.
11-16 Add/Edit OSPF Redistribution Entry. The Add/Edit OSPF Redistribution Entry dialog box lets you add a new redistribution rule to or edit an existing redistribution rule in the Redistribution table.
11-17 Modes The following table shows the modes in which this feature is available: Static Neighbor. The Static Neighbor pane displays manually defined neighbors; it does not display discovered neighbors.
11-18 Fields • OSPF Process—Choose the OSPF process associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.
11-19 Add/Edit OSPF Summary Address Entry. The Add/Edit OSPF Summary Address Entry dialog box lets you add new entries to or modify existing entries in the Summary Address table.
11-20 • Authentication—Displays the type of authentication used by the virtual link: – None—No authentication is used. – Password—Clear text password authentication is used.
11-21 Advanced OSPF Virtual Link Properties. The Advanced OSPF Virtual Link Properties dialog box lets you configure OSPF authentication and packet intervals.
11-22 – Dead Interval—Specifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down.
11-23 Setup. Use the Setup pane to enable RIP on the security appliance and to configure global RIP protocol parameters. You can only enable a single RIP process on the security appliance.
11-24 Interface. The Interface pane allows you to configure interface-specific RIP settings, such as the version of RIP the interface sends and receives and the authentication method, if any, used for the RIP broadcasts.
11-25 • Enable Authentication—Check this check box to enable RIP authentication. Uncheck this check box to disable RIP broadcast authentication.
11-26 – In—Filters networks on incoming RIP updates.
11-27 Redistribution. The Redistribution pane displays the routes that are being redistributed from other routing processes into the RIP routing process.
11-28 – OSPF and OSPF ID—Routes discovered by the OSPF routing process. If you choose OSPF, you must also enter the OSPF process ID. Additionally, you can select the specific types of OSPF routes to redistribute from the Match area.
11-29 Configuring EIGRP. To configure EIGRP routing on the Security Appliance, perform the following steps: Step 1 Go to the Configuration > Device Setup > Routing > EIGRP area of the ASDM interface.
11-30 Step 10 (Optional) Control the sending and receiving of default route information in EIGRP updates on the Default Information pane. By default, default routes are sent and accepted.
11-31 • Advanced—Click this button to configure the EIGRP process settings, such as the router ID, default metrics, stub routing settings, neighbor change and warning logging, and the administrative distances for the EIGRP routes.
11-32 – Stub Connected—Advertises connected routes. – Stub Static—Advertises static routes. – Stub Redistributed—Advertises redistributed routes.
11-33 • EIGRP AS—Displays the autonomous system number of the EIGRP routing process. • IP Address—Enter the IP address of the networks to participate in the EIGRP routing process.
11-34 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing For More Information • Config uring EIGRP , page 11-29 Filter Rules The Filter Rules pane displays the route f iltering rule s conf igured for the EIG RP routing process.
11-35 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Modes The follo wing table sho ws the modes in which this featur e is av ailable: For More Information • Config uring EIGRP , page 11-29 Interface The Interface pane displays the EIGRP interf ace conf igurations.
11-36 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing For More Information • Config uring EIGRP , page 11-29 Redistribution The Redistribution pane displays the rules fo r redist ributin g routes from other routin g protocols into the EIGRP routing process.
11-37 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g • Optional OSPF Redistrib ution—these opt ions let you further specify which OSPF routes are redistrib uted into the EIGRP routing process. – Match Internal—Match routes intern al to the specified OSPF process.
11-38 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Dynamic Routing For More Information • Config uring EIGRP , page 11-29 Summary Address The Summary Address pane displays a table of the statically-def ined EIGRP summary addresses.
11-39 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Dynamic Routin g Default Information The Default Informati on pane displays a table of rules f or controlling the sending and receivin g of default ro ute information in EIGRP updates.
11-40 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Static Routes • IP Address—T ype IP address of the network being p ermitted or denied. T o permit or deny all addresses, use the IP address 0.0.0. 0 with a network mask of 0.
11-41 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Static Routes The default route identifies the gate way IP address to which the security appliance sends all IP pack ets for which it does not ha v e a learned or static route.
11-42 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Static Routes Configuring Static Route Tracking This procedure pr ovides an o vervie w of conf iguring static route tracking.
11-43 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing Static Routes • Interface—( Display only ) Lists the internal or e xternal network interface name enabled in Interfaces. • IP Address—( Display only ) List s the internal or extern al network IP address.
11-44 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Static Routes • None—No options are specif ied for the static ro ute. • T unnel ed—Used only for def ault route. Onl y one defaul t tunneled ga tew ay is allo wed per securit y appliance.
11-45 Cisco ASDM User Guide OL-16647-01 Chapter 11 Configuring Dynamic And Static Routing ASR Group Modes The follo wing table sho ws the modes in which this featur e is av ailable: ASR Group Use the ASR Group screen to assign asynch ronous routing group ID nu mbers to interfaces.
11-46 Cisco ASDM User Guide OL-16647-01 Chapter 11 Config uring Dynamic A nd Static Routi ng Proxy ARPs Modes The follo wing table sho ws the modes in which this featur e is av ailable: Proxy ARPs In rare circumstances, you might w ant to disable proxy A RP for global addresses.
12-1 Chapter 12 Configuring Multicast Routing Multicast routing is supported in single, routed mode only. This section contains the following topics: • Multicast, page 12-1—enable or disable multicast routing on the security appliance.
12-2 For More Information Configuring Multicast Routing, page 12-1 IGMP, page 12-2 Multicast Route, page 12-7 MBoun.
12-3 • Add—Opens the Add/Edit Access Group dialog box. Use this button to add a new access group entry at the bottom of the table. • Edit—Opens the Add/Edit Access Group dialog box.
12-4 Note If you simply want to forward multicast packets for a specific group to an interface without the security appliance accepting those packets as part of the group, see Static Group.
12-5 Protocol The Protocol pane displays the IGMP parameters for each interface on the security appliance. Fields • Protocol—Displays the IGMP parameters set on each interface.
12-6 • Query Interval—Enter the interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.
12-7 Modes The following table shows the modes in which this feature is available: Add/Edit IGMP Static Group Use the Add IGMP Static Group dialog box to statically assign a multicast group to an interface.
12-8 • Edit—Opens the Add/Edit Multicast Route dialog box. Use this button to change the selected static multicast route. • Delete—Use this button to remove the selected static route.
12-9 MBoundary The MBoundary pane lets you configure a multicast boundary for administratively-scoped multicast addresses.
12-10 • Action—The action for the filter entry. Permit allows the specified traffic to pass. Deny prevents the specified traffic from passing through the interface.
12-11 MForwarding The MForwarding pane lets you disable and reenable multicast forwarding on a per-interface basis. By default, multicast forwarding is enabled on all interfaces.
12-12 Protocol The Protocol pane displays the interface-specific PIM properties. Fields • Protocol—Displays the PIM settings for each interface. Double-clicking an entry in the table opens the Edit PIM Protocol dialog box for that entry.
12-13 Neighbor Filter The Neighbor Filter pane displays the PIM neighbor filters, if any, that are configured on the security appliance. A PIM neighbor filter is an ACL that defines the neighbor devices that can participate in PIM.
12-14 Add/Edit/Insert Neighbor Filter Entry The Add/Edit/Insert Neighbor Filter Entry dialog box lets you create ACL entries for the PIM neighbor filter ACL. Fields • Interface—Select the name of the interface the PIM neighbor filter entry applies to from the list.
12-15 Fields The PIM Bidirectional Neighbor Filter table contains the following entries. Double-click an entry to open the Edit Bidirectional Neighbor Filter Entry dialog box for that entry.
12-16 Rendezvous Points When you configure PIM, you must choose one or more routers to operate as the RP. An RP is a single, common root of a shared distribution tree and is statically configured on each router.
12-17 Restrictions • You cannot use the same RP address twice. • You cannot specify All Groups for more than one RP. Fields • Rendezvous Point IP Address—Enter the IP address of the RP.
12-18 Multicast Group Multicast groups are lists of access rules that define which multicast addresses are part of the group. A multicast group can contain a single multicast address or a range of multicast addresses.
12-19 – Destination—Displays the multicast destination address. • Insert Before—Opens the Request Filter Entry dialog box. Use this button to add a new multicast group entry before the selected entry in the table.
12-20 Route Tree By default, PIM leaf routers join the shortest-path tree immediately after the first packet arrives from a new source. This reduces delay, but requires more memory than the shared tree.
13-1 Chapter 13 DHCP, DNS and WCCP Services A DHCP server provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces.
13-2 DHCP Relay Prerequisites Before you can enable a DHCP relay agent on an interface, you must have at least one DHCP relay global server in the configuration or a DHCP relay interface server.
13-3 Edit DHCP Relay Agent Settings You can enable the DHCP relay agent and configure the relay agent parameters for the selected interface in the Edit DHCP Relay Agent Settings dialog box.
13-4 Modes The following table shows the modes in which this feature is available: DHCP Server The DHCP Server pane lets you configure the security appliance interfaces as DHCP servers.
13-5 – Enable Auto-configuration from interface—Check this check box to enable DHCP auto configuration and select the interface from the menu.
13-6 Edit DHCP Server You can enable DHCP and specify the DHCP address pool for the selected interface in the Edit DHCP Server dialog box. Fields • Enable DHCP Server—Check this check box to enable the DHCP server on the selected interface.
13-7 Advanced DHCP Options The Advanced DHCP Options dialog box lets you configure DHCP option parameters. You use DHCP options to provide additional information to DHCP clients.
13-8 Note The names of the associated IP Address fields can change depending on the DHCP option you chose. For example, if you choose DHCP Option 3 (Router), the fields are renamed Router 1 and Router 2.
13-9 DNS Client The DNS Client pane shows the DNS server groups and DNS lookup information for the security appliance, so it can resolve server names to IP addresses in your Clientless SSL VPN configuration or certificate configuration.
13-10 Fields • Name—Specifies the server name. For the Edit function, this field is Display only. • DNS Servers—Manages the DNS server list. You can specify up to six addresses to which DNS requests can be forwarded.
13-11 Fields • Update Methods—Lists the DDNS update methods that are configured on the security appliance. This table includes: – Method Name—Display only.
13-12 Add/Edit Dynamic DNS Update Methods The Add/Edit Dynamic DNS Update Methods dialog box lets you add a new method or edit a previously added method.
13-13 • DHCP Client—This area allows you to specify that the DHCP client updates both the A and PTR DNS records, or neither.
13-14 Add or Edit WCCP Service Group The Add or Edit Service Group dialog box lets you change the service group parameters for a configured service group. Fields • Service—Specifies the service group.
13-15 Add or Edit WCCP Redirection The Redirection pane lets you add or change packet redirection on the ingress of an interface using WCCP. Fields • Interface—Choose the interface on which to enable WCCP redirection.
14-1 Chapter 14 Configuring AAA Servers and the Local Database This chapter describes support for AAA (pronounced “triple A”) and how to configure AAA servers and the local database.
14-2 About Authentication Authentication controls access by requiring valid user credentials, which are typically a username and password.
14-3 AAA Server and Local Database Support The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance.
14-4 RADIUS Server Support The security appliance supports RADIUS servers.
14-5 SDI Server Support The RSA SecurID servers are also known as SDI servers.
14-6 Note The security appliance does not support changing user passwords during tunnel negotiation.
14-7 LDAP Server Types The security appliance supports LDAP versio.
14-8 Local Database Support The security appliance maintains a local database that you can populate with user profiles.
14-9 Configuring AAA Server Groups If you want to use an external AAA serve.
14-10 In Timed mode, failed servers are reactivated after 30 seconds of down time. Note This option is not available for the HTTP Form protocol.
14-11 • Kerberos Server Fields, page 14-14 • LDAP Server Fields, page 14-15 • HTTP Form Server Fields, page 14-17 Step 7 Click OK.
14-12 Common Password A case-sensitive password that is common among users who access this RADIUS authorization server through this security appliance.
14-13 TACACS+ Server Fields The following table describes the unique fields for configuring TACACS+ servers, for use with the “Adding a Server to a Group” section on page 14-10.
14-14 Kerberos Server Fields The following table describes the unique fields for configuring Kerberos servers, for use with the “Adding a Server to a Group” section on page 14-10.
14-15 LDAP Server Fields The following table describes the unique fields for configuring LDAP servers, for use with the “Adding a Server to a Group” section on page 14-10.
14-16 Login DN The security appliance uses the Login Distinguished Name (DN) and Login Password to establish trust (bind) with an LDAP server.
14-17 HTTP Form Server Fields This area appears only when the selected server group uses HTTP Form, and only the server group name and the protocol are visible.
14-18 Testing Server Authentication and Authorization To.
14-19 Note Although you can configure HTTP authentication using the local database, that functionality is always enabled by default.
14-20 • Full Access (ASDM, Telnet, SSH and console)—If you configure authentication for management access using the local database, then this option lets the user use ASDM, SSH, Telnet, and the console port.
14-21 – IPSec—IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol.
14-22 • Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes.
14-23 Step 2 In the Name field, add a name for the map. Step 3 In the Customer Name field, add the name of your organization’s corresponding attribute.
14-24 Step 2 In the Messages area, add messages in the User accepted message and User rejected message fields.
15-1 Chapter 15 High Availability This section contains the following topics: • Understanding Failover, page 15-1 • Configuring Failover with the High.
15-2 • Active/Active Failover, page 15-2 • Stateless (Regular) Failover, page 15-3 • Stateful Failo.
15-3 • Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
15-4 • The ISAKMP and IPSec SA table. The following information is not copied to the standby unit when Stateful Failover is enabled: • HTTP connection table (unless HTTP replication is enabled).
15-5 See Choose the Type of Failover Configuration, page 15-7 for more information about this screen.
15-6 Step 2 Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen.
15-7 Field Information for the High Availability and Scalability Wizard The following dialogs are available in the High Availability and Scalability Wizard.
15-8 Check Failover Peer Connectivity and Compatibility The Chec.
15-9 You need to convert both the current security appliance and the peer security appliance to multiple context mode before you can proceed.
15-10 Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them.
15-11 State Link Configuration The State Link Configuration screen does not appear in the wizard for ASDM running on the ASA 5505 platform.
15-12 • Active IP—Double-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit.
15-13 Note Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.
15-14 • Private Interface Of This Device—Specifies the name or IP address of the private interface for this device.
15-15 Failover - Single Mode The Failover pane contains the tabs where you can configure Active/Standby failover in single context mode. For more information about failover, see Understanding Failover.
15-16 – Interface—Specifies the interface used for failover communication. Failover requires a dedicated interface; however, you can share the interface with Stateful Failover.
15-17 – Logical Name—Specifies the logical interface used for failover communication. If you selected the Use Named option in the Interface drop-down list, this field displays a list of named interfaces.
15-18 For More Information For more information about failover in general, see Understanding Failover.
15-19 Failover: Interfaces (Transparent Firewall Mode) Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the security appliance should be monitored.
15-20 – No Link—The physical link for the interface is down. – Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.
15-21 Modes The following table shows the modes in which this feature is available: For More Information For more information about failover in general, see Understanding Failover.
15-22 • Delete—Removes the currently selected interface from the MAC addresses table.
15-23 Failover-Multiple Mode, Security Context The fields displayed on the Failover pane in multiple context mode change depending upon whether the context is in transparent or routed firewall mode.
15-24 • Subnet Mask—Identifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface.
15-25 Modes The following table shows the modes in which this feature is available: For More Information For more information about failover in general, see Understanding Failover.
15-26 Failover-Multiple Mode, System This pane includes tabs for configuring the system-level failover settings in the system context of a security appliance in multiple context mode.
15-27 Only unconfigured interfaces or subinterfaces that have not been assigned to a context are displayed in this list and can be selected as the LAN Failover interface.
15-28 Failover > Criteria Tab Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls.
15-29 Failover > Active/Active Tab Use this tab to enable Active/Active failover on the security appliance by defining failover groups. In an Active/Active failover configuration, both security appliances pass network traffic.
15-30 For More Information For more information about failover in general, see Understanding Failover.
15-31 – Active MAC Address—Displays the MAC address for the interface and failover group on the unit where the failover group is active.
15-32 – Active Interface—Specifies the MAC address for the interface and failover group on the unit where the failover group is active.
15-33 – Standby MAC Address—Identifies the MAC address on the standby security appliance (usually secondary). • Add—Displays the Add/Edit Interface MAC Address dialog box.
15-34 For More Information For more information about failover in general, see Understanding Failover.
CHAPTER 16 Configuring Management Access
This chapter contains the following topics: • Configuring Device Access for ASDM, Telnet, or SSH, page 16-1 .
Configuring CLI Parameters
Step 10 For SSH sessions, the default timeout value is 60 minutes. To change this value, type a new one in the SSH Timeout field. Step 11 Click Apply.
• Login Banner—This banner appears when a user logs in to the CLI. • Message-of-the-day (motd) Banner—This banner appears when a user first connects to the CLI.
The prompt is changed and displays in the CLI Prompt Preview field. Step 2 Click Apply. The new prompt is saved to the running configuration.
Configuring File Access
Configuring the Security Appliance as a Secure Copy Server
You can enable the secure copy server on the security appliance. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection.
The changes are saved to the running configuration. This TFTP server will be used to save the security appliance configuration files. For more information, see Save Running Configuration to TFTP Server, page 3-4.
To define an FTP mount point, perform the following steps: Step 1 From the Configuration > Device Management > Management Access > File Access > Mount-Points pane, click Add > FTP Mount Point.
Configuring ICMP Access
To configure ICMP access rules, perform the following steps: Step 1 From the Configuration > Device Management > Management Access > ICMP pane, click Add.
Step 7 (Optional) To set ICMP unreachable message limits, set the following options.
Configuring SNMP
You can configure the security appliance to send traps (event notifications) to a network management station (NMS), or you can use the NMS to browse the MIBs on the security appliance.
Download Cisco MIBs from the following location: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml . Download Cisco OIDs from the following location: ftp://ftp.
RFC1213-MIB Browsing of the following table: • ip.ipAddrTable • ifTable The following objects are supported: RFC1213-MIB::ifNumber.0 = 1 RFC1213-MIB::ifIndex.
ENTITY-MIB Browsing of the following groups and tables: • entPhysicalTable • entLogicalTable The following objects are supported: ENTITY-MIB::entPhysicalDescr.
ENTITY-MIB (continued) ENTITY-MIB::entPhysicalName.5 = 3 ENTITY-MIB::entPhysicalName.6 = slot 4 ENTITY-MIB::entPhysicalName.7 = slot 5 ENTITY-MIB::entPhysicalName.
ENTITY-MIB (continued) ENTITY-MIB::entPhysicalAlias.8 = ENTITY-MIB::entPhysicalAssetID.1 = ENTITY-MIB::entPhysicalAssetID.2 = ENTITY-MIB::entPhysicalAssetID.
CISCO-MEMORY-POOL-MIB Browsing of the following table: • ciscoMemoryPoolTable—The memory usage described in this table applies only to the security appliance general-purpose processor, and not to the network processors.
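The supported-object listings above are in the "MIB::object.index = value" form that an snmpwalk against the appliance prints. The parser below is an added example and is not code from the ASDM guide or from Cisco: it turns such a dump into a nested dictionary so an inventory script can read the ENTITY-MIB names or cross-check ifNumber against the ifTable rows that were actually returned. The sample dump is constructed from the objects named on this page plus one ciscoMemoryPoolTable column (ciscoMemoryPoolUsed, an assumption); the NMS that runs the walk must still be permitted in the SNMP agent and management station configuration.

```python
import re
from collections import defaultdict

# Constructed sample in the "MIB::object.index = value" form used by the
# supported-objects lists above; not captured from a real appliance.
SAMPLE_WALK = """\
RFC1213-MIB::ifNumber.0 = 1
RFC1213-MIB::ifIndex.1 = 1
ENTITY-MIB::entPhysicalName.6 = slot 4
ENTITY-MIB::entPhysicalName.7 = slot 5
ENTITY-MIB::entPhysicalAlias.8 =
ENTITY-MIB::entPhysicalAssetID.1 =
CISCO-MEMORY-POOL-MIB::ciscoMemoryPoolUsed.1 = 123456
"""

# MIB name, object name, dotted instance index, and the (possibly empty) value.
LINE_RE = re.compile(
    r"^(?P<mib>[A-Z0-9-]+)::(?P<obj>[A-Za-z0-9]+)\.(?P<idx>[0-9.]+)\s*=\s*(?P<val>.*)$"
)

def parse_walk(text):
    """Return {mib: {object: {index: value}}}; missing values become ''."""
    tree = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable walk line: %r" % line)
        tree[m["mib"]][m["obj"]][m["idx"]] = m["val"].strip()
    return tree

def supported_mibs(tree):
    """MIB modules that appeared in the walk, sorted."""
    return sorted(tree)

def entity_names(tree):
    """Physical-entity names keyed by entPhysicalIndex as an int."""
    return {int(i): v for i, v in tree["ENTITY-MIB"]["entPhysicalName"].items()}

def interface_count_consistent(tree):
    """Sanity check: ifNumber.0 must equal the number of ifIndex rows returned."""
    declared = int(tree["RFC1213-MIB"]["ifNumber"]["0"])
    return declared == len(tree["RFC1213-MIB"]["ifIndex"])
```

Run it on the output of a walk saved to a file (`parse_walk(open(path).read())`); the consistency check is the kind of thing to alert on when an appliance starts answering with fewer interfaces than it declares.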
Configuring an SNMP Agent and Management Station
This section includes the following topics: • Con.
• Adding an SNMP Management Station, page 16-18
Configuring the SNMP Agent
To configure an SNMP .
Step 9 Click Apply. The management station is configured and changes are saved to the running configuration.
Configuring Management Access Rules
Step 8 (Optional) To configure advanced options, click More Options. You can configure the following settings: • If you want to turn off this Management Access Rule, uncheck Enable Rule.
Configuring AAA for System Administrators
If you configure enable authentication, the security appliance prompts you for your username and password.
Limiting User CLI and ASDM Access with Management Authorization
If you conf.
• Local users—Configure the Access Restriction option.
About Preserving User Credentials
When a user logs into the security appliance, they are required to provide a username and password for authentication.
command accounting records may not readily identify who was logged in as the enable_15 username.
– LDAP users—Configure the user with a privilege level between 0 .
The Variant column displays show, clear, or cmd. You can set the privilege only for the show, clear, or configure form of the command.
Configuring Commands on the TACACS+ Server
You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users.
Figure 16-2 Permitting Single Word Commands
• To disallow some arguments, enter the arguments preceded by deny.
Figure 16-4 Specifying Abbreviations
• We recommend that you allow the.
Step 4 Click Apply.
Configuring Management Access Accounting
To enable a.
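The two authorization models described above (local privilege levels per show/clear/configure variant, and TACACS+ command sets with permit/deny argument lines as in Figures 16-2 to 16-4), as an added Python example that is not code from the guide, from the appliance, or from Cisco Secure ACS. The command names, the levels, the "unlisted command" default and the matching order (first matching argument line wins, then a per-command default for unmatched arguments) are assumptions of the example. Its practical use is the precheck at the end: run every command you depend on, above all enable, through the set you intend to push before turning command authorization on, and keep a second session open while you do so, so a mistake in the set does not lock you out of the CLI.

```python
import re

# Local privilege table in the command / variant / level shape of the
# Command Privileges Setup pane. Commands and levels are constructed.
COMMAND_PRIVILEGES = {
    ("show", "running-config"): 15,
    ("show", "version"): 1,
    ("clear", "xlate"): 7,
    ("configure", "access-list"): 15,
}
DEFAULT_LEVEL = 15   # assumption: commands not listed require full privilege

def variant_of(command_line):
    """Classify a CLI line as the show, clear or configure variant of a command."""
    words = command_line.split()
    if not words:
        raise ValueError("empty command line")
    if words[0] in ("show", "clear") and len(words) > 1:
        return words[0], words[1]
    return "configure", words[0]

def local_authorized(user_level, command_line):
    """Local authorization: the user's level (0-15) must reach the command's level."""
    required = COMMAND_PRIVILEGES.get(variant_of(command_line), DEFAULT_LEVEL)
    return user_level >= required

class CommandSet:
    """TACACS+ command set: per command, ordered (action, regex) argument
    lines plus a default for unmatched arguments; commands not in the set
    get the set-wide default. First matching argument line wins (assumed)."""

    def __init__(self, commands, unlisted="deny"):
        self.commands = commands
        self.unlisted = unlisted

    def authorize(self, command_line):
        words = command_line.split()
        if not words:
            raise ValueError("empty command line")
        name, args = words[0], " ".join(words[1:])
        entry = self.commands.get(name)
        if entry is None:
            return self.unlisted == "permit"
        for action, pattern in entry.get("args", []):
            if re.fullmatch(pattern, args):
                return action == "permit"
        return entry.get("unmatched", "deny") == "permit"

# Constructed profile: deny viewing the running configuration, allow other
# show commands, allow the single-word "enable", and only "configure terminal".
ACS_PROFILE = CommandSet({
    "enable": {"unmatched": "permit"},
    "show": {"args": [("deny", r"running-config.*"), ("permit", r".*")]},
    "configure": {"args": [("permit", r"terminal")]},
})

def precheck(command_set, needed_commands):
    """Commands the set would refuse; run this before enabling authorization."""
    return [c for c in needed_commands if not command_set.authorize(c)]
```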
Recovering from a Lockout
In some circumstances, when you turn on command authorization or CLI authentication, you can be locked out of the security appliance CLI.
CHAPTER 17 Configuring Logging
The logging feature lets you enable logging and specify how log information is handled. The Log viewing feature lets you view syslog messages in real-time. For a description of the log viewing feature, see Chapter 45, “Monitoring Logging.
Using Logging
After you have defined the security context, choose Configuration > Device Management > Logging. Under Logging, you can do the following: • In the Logging Setup pane, enable logging and configure the logging parameters.
Logging Setup
Step 4 Check the Send syslogs in EMBLEM format check box to enable EMBLEM format so that it is used for all log destinations, except syslog servers.
Step 4 In the Username field, specify the username to log in to the FTP server. Step 5 In the Password field, specify the password associated with the username to log in to the FTP server. FTP carries these credentials and the saved buffer in cleartext, so give this account write access to the log directory only.
Syslog Setup
Step 1 From the Facility code to include in syslogs drop-down list, choose a system log facility for syslog servers to use as a basis to file messages. The default is LOCAL4 (facility number 20), which is what most UNIX systems expect.
Step 1 Check the Disable Message(s) check box to disable messages for the syslog message ID(s) displayed in the Syslog ID(s) list.
In the User-Defined ID field, specify an alphanumeric, user-defined string.
E-Mail Setup
Add/Edit E-Mail Recipients
The Add/Edit E-Mail Recipient dialog box lets you set up a destination e-mail address for a specified severity of syslog messages to be sent as e-mail messages.
Event Lists
• All—All event classes • auth—User Authentication • bridge—Transparent firewall • ca—PKI Certifica.
Add/Edit Event List
The Add/Edit Event List dialog box lets you create or edit an event list that you can use to specify which messages should be sent to a log destination.
Logging Filters
To apply message filters to a log destination, perform the following steps: Step 1 Choose the name of the logging destination to which you want to apply a filter.
Step 5 Choose the event class from the drop-down list. Available event classes include the following: .
Add/Edit Class and Severity Filter
The Add/Edit Class and Severity Filter dialog box lets you specify a message class and severity level to be used to filter messages.
Add/Edit Syslog Message ID Filter
The Add/Edit Syslog Message ID Filter dialog box lets you specify individual syslog message IDs or ranges of IDs to include in the event list filter.
Rate Limit
Step 2 The No of Messages field displays the number of messages sent. The Interval (Seconds) field displays the interval, in seconds, that is used to limit how many messages at this logging level can be sent.
Add/Edit Rate Limit for Syslog Message
The Add/Edit Rate Limit for Syslog Message dialog box lets you assign rate limits to a specific syslog message.
Syslog Servers
Note You can set up a maximum of four syslog servers per security context (up to a total of 16).
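The pieces configured above (facility LOCAL4 = 20, disabled message IDs, class/severity and message-ID filters in an event list, and per-message rate limits) are easier to reason about on the receiving side. The Python below is an added example, not code from the guide or from Cisco: it parses %ASA-severity-ID messages as a syslog server receives them, recovers facility and severity from the PRI field, and replays the filter and rate-limit decisions over a constructed batch of log lines. The message-ID ranges assigned to the auth and session classes are an assumption of the example (the page names the classes but not their ID ranges); the sample lines are constructed in the format of real ASA messages, not captured from a device.

```python
import re
from collections import defaultdict

# local0..local7 are syslog facilities 16..23; LOCAL4 = 20 is the default above.
FACILITIES = {"local%d" % i: 16 + i for i in range(8)}
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Message-ID range per event class: an assumption of this example, the page
# lists the class names only. Anything else is reported as "other".
CLASS_OF_ID = {"auth": range(109000, 110000), "session": range(302000, 303000)}

# Constructed lines with the PRI prefix a syslog server sees; not real captures.
SAMPLE_LOG = """\
<166>%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.2.27/51000 (209.165.201.10/51000)
<166>%ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.5/80 to inside:10.1.2.27/51000 duration 0:00:01 bytes 1200 TCP FINs
<164>%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.1.2.27/22 by access-group "outside_in"
<166>%ASA-6-109005: Authentication succeeded for user 'admin' from 10.1.2.27/0 to 10.1.2.1/22 on interface inside
<166>%ASA-6-302013: Built outbound TCP connection 1235 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.27/51001 (209.165.201.10/51001)
"""

LINE_RE = re.compile(r"^<(?P<pri>\d+)>%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")

def facility_name(number):
    return {v: k for k, v in FACILITIES.items()}.get(number, "facility%d" % number)

def parse_line(line):
    """PRI = facility * 8 + severity; the severity must agree with the %ASA-n- tag."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an ASA syslog line: %r" % line)
    pri = int(m["pri"])
    facility, severity = pri >> 3, pri & 7
    if severity != int(m["sev"]):
        raise ValueError("PRI severity %d disagrees with message tag" % severity)
    return {"facility": facility, "severity": severity, "id": int(m["id"]), "msg": m["msg"]}

def message_class(msg_id):
    for name, ids in CLASS_OF_ID.items():
        if msg_id in ids:
            return name
    return "other"

class EventListFilter:
    """Class/severity pairs plus explicit IDs or ID ranges, as in the
    Add/Edit Event List dialog. A message passes if any entry matches."""
    def __init__(self, class_severity=(), message_ids=()):
        self.class_severity = list(class_severity)      # (class or "All", max level)
        self.message_ids = [r if isinstance(r, range) else range(r, r + 1) for r in message_ids]

    def matches(self, rec):
        for cls, max_level in self.class_severity:
            if cls in ("All", message_class(rec["id"])) and rec["severity"] <= max_level:
                return True
        return any(rec["id"] in r for r in self.message_ids)

class RateLimiter:
    """At most `count` messages of one ID per `interval` seconds (Add/Edit Rate Limit)."""
    def __init__(self, count, interval):
        self.count, self.interval = count, interval
        self.sent = defaultdict(list)                      # msg_id -> send times

    def allow(self, msg_id, now):
        recent = [t for t in self.sent[msg_id] if now - t < self.interval]
        self.sent[msg_id] = recent
        if len(recent) >= self.count:
            return False
        recent.append(now)
        return True

def deliver(text, filt, limiter, disabled_ids=()):
    """IDs that reach the destination, in order; line index stands in for time."""
    delivered = []
    for now, line in enumerate(text.splitlines()):
        rec = parse_line(line)
        if rec["id"] in disabled_ids:                      # Disable Message(s)
            continue
        if not filt.matches(rec):
            continue
        if not limiter.allow(rec["id"], now=float(now)):
            continue
        delivered.append(rec["id"])
    return delivered
```

A server that files by facility will mis-file everything if the appliance and the server disagree on the facility number; `parse_line` surfaces that immediately, and the PRI-versus-tag check catches lines mangled by an intermediate relay.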
SMTP
The SMTP pane allows you to configure the remote SMTP server IP address to which e-mail alerts and notifications are sent in response to specific events. To access this pane, choose Configuration > Device Setup > Logging > SMTP.
Using NetFlow
Step 6 When NetFlow is enabled, certain syslog messages become redundant. To maintain system performance, we recommend that you disable all redundant syslog messages, because the same information is exported through NetFlow.
Step 10 Click OK to close the Manage NetFlow Collectors dialog box and return to the Add Flow Event dialog box. Click OK again to close the Add Flow Event dialog box and return to the NetFlow tab.
PART 3 Configuring the Firewall
CHAPTER 18 Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the mode at the CLI, see the “Setting Transparent or Routed Firewall Mode at the CLI” section on page 4-4.
Routed Mode Overview
• An Inside User Visits a Web Server, page 18-2 • An Outside User Visits a Web Server on the DMZ.
3. The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
The following steps describe how data moves through the security appliance (see Figure 18-3): 1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.
The following steps describe how data moves through the security appliance (see Figure 18-4): 1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address).
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets.
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list.
Using the Transparent Firewall in Your Network
Figure 18-6 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
How Data Moves Through the Transparent Firewall
Figure 18-7 shows a typical transparent firewall implementation with an inside network that contains a public web server.
An Inside User Visits a Web Server
Figure 18-8 shows an inside user accessing an outside web server. Figure 18-8 Inside to Outside The following steps describe how data moves through the security appliance (see Figure 18-8): 1.
An Inside User Visits a Web Server Using NAT
Figure 18-8 shows an inside user accessing an outside web server.
7. The security appliance performs NAT by translating the mapped address to the real address, 10.1.2.27.
An Outside User Visits a Web Server on the Inside Network
Figure 18-10 shows an outside user accessing the inside web server.
If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping.
CHAPTER 19 Adding Global Objects
The Objects pane provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance.
Using Network Objects and Groups
Network Object Overview
Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration.
Modes The following table shows the modes in which this feature is available: Configuring.
Modes The following table shows the modes in which this feature is available: Using Netwo.
The Usages dialog box appears listing all the rules currently using the network object or group. This dialog box also lists any network object groups that contain the object.
Configuring Service Groups
– Filter field—Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed. – Filter—Runs the filter.
– Source Port/Range—Lets you enter the source port or range for the new TCP, UDP, or TCP-UDP service group member. – ICMP Type—Lets you enter the ICMP type for the new ICMP service group member.
Configuring Class Maps
For information about class maps, see the “Class Map Field Descriptions” section on page 24-39.
Configuring Regular Expressions
– Name—Shows the regular expression class map name.
Table 19-1 regex Metacharacters
Character: . (Dot). Description: Matches any single character. Notes: For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
• Build—Helps you build a regular expression using the Build Regular Expression dialog box. • Test—Tests a regular expression against some sample text.
– Character String—Enter a text string. – Escape Special Characters—If you entered any metacharacters in your text string that you want to be used literally, check this box to add the backslash (\) escape character before them.
– One or more times (+)—A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
Add/Edit Regular Expression Class Map
The Add/Edit Regular Expression Class Map dialog box groups regular expressions together. A regular expression class map can be used by inspection class maps and inspection policy maps.
Configuring Time Ranges
Use the Time Ranges option to create a reusable component that defines starting and ending times that can be applied to various security features.
• Start at—Specifies when the time range begins. – Month—Specifies the month, in the range of January through December. – Day—Specifies the day, in the range of 01 through 31.
– On these days of the week—Lets you choose specific days of the week. – Daily Start Time—Specifies the hour and the minute that the time range begins.
Encrypted Traffic Inspection
TLS Proxy Wizard
Use the TLS Proxy to enable inspection of SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with Cisco Call Manager.
Configure TLS Proxy Pane
Note This feature is not supported for ASDM version 6.
Adding a TLS Proxy Instance
Note This feature is not supported for ASDM version 6.
Add TLS Proxy Instance Wizard – Server Configuration
Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.
See TLS Proxy Wizard, page 19-17 to determine which TLS clients used by the Cisco Unified Communication features are capable of client authentication. Step 5 Click Next.
Step 3 To specify an LDC Issuer to use for the TLS Proxy, perform the following. When you select and configure the LDC Issuer option, the security appliance acts as the certificate authority and issues certificates to TLS clients.
Add TLS Proxy Instance Wizard – Other Steps
Note This feature is not supported for ASDM version 6.
Phone Proxy
Configuring the Phone Proxy
Note This feature is not supported for ASDM version 6.1.5 or the Adaptive Security Appliance version 8.1.2. Configuring the Phone Proxy requires the following steps: Step 1: Create the CTL file.
Step 5 In the TFTP Server Settings list, do one of the following: • To add a new TFTP server for the Phone Proxy, click Add. The Add TFTP Server dialog box opens.
The IP address you enter should be the global IP address based on where the IP phone and HTTP proxy server is located.
Interface—Specifies the interface on which the TFTP server resides.
CTL File
The Create a Certificate Trust List (CTL) File pane is used to configure the attributes for generating the CTL file. The name of the CTL file instance is generated by the ASDM.
• capf: Specifies the role of this trustpoint to be CAPF. Only one CAPF trustpoint can be configured.
TLS Proxy
• Add—Adds a TLS Proxy. • Edit—Edits a TLS Proxy. • Delete—Deletes a TLS Proxy. • Maximum Sessions—Lets you specify the maximum number of TLS Proxy sessions to support.
– Available Algorithms—Lists the available algorithms to be announced or matched during the TLS handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. Note that null-sha1 provides integrity only and no confidentiality, and des-sha1 uses a 56-bit cipher; prefer the AES suites unless a peer cannot negotiate them.
CTL Provider
Add/Edit CTL Provider
The Add/Edit CTL Provider dialog box lets you define the parameters for the CTL Provider. Fields • CTL Provider Name—Specifies the CTL Provider name.
Modes The following table shows the modes in which this feature is available:
Firewall Mode: Routed (supported), Transparent (supported)
Security Context: Single (supported), Multiple Context (supported), System (not supported)
CHAPTER 20 Configuring Access Rules and EtherType Rules
This chapter describes how to configure access rules and EtherType rules, and includes the follo.
Information About Access Rules and EtherType Rules
Information About Both Access Rules and EtherType Rul.
Note “Inbound” and “outbound” refer to the ap.
IP Addresses Used for Access Rules When You Use NAT .
If you want to allow an outside host to access an inside host, you can apply an inbound access rule on the outside interface.
Access Rules for Returning Traffic
For TCP and UDP co.
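The routed-mode packet flow of Chapter 18 (new session, policy check, source translation of 10.1.2.27 to 209.165.201.10) together with the two points made here, an inbound rule on the outside interface for outside-initiated connections and no rule needed for the returning traffic of an established TCP/UDP connection, as an added Python model that is not code from the guide or from the appliance. The model matches rules on the addresses as they arrive on the ingress interface (the page's section on which address a NAT-ed rule sees is cut off here, so that choice is an assumption), keeps one connection table keyed by the 5-tuple as seen on the outside wire, and consults it before the access rules. The remote hosts 203.0.113.5 and 198.51.100.9, the rules and the port numbers are constructed; the inside and mapped addresses are the ones used in Chapter 18.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str      # interface the packet arrives on: "inside" or "outside"

@dataclass(frozen=True)
class AccessRule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class RoutedFirewall:
    """Inbound access rules per interface, static source NAT for inside hosts,
    and a connection table that is consulted before the rules."""

    def __init__(self, rules, static_nat):
        self.rules = rules                                   # {"inside": [...], "outside": [...]}
        self.real_to_mapped = dict(static_nat)
        self.mapped_to_real = {m: r for r, m in static_nat.items()}
        self.conns = set()                                   # 5-tuples as seen on the outside wire

    def _rule_verdict(self, p):
        for rule in self.rules.get(p.ingress, []):
            if rule.matches(p):
                return rule.action == "permit"
        return False                                         # implicit deny at the end of the list

    def process(self, p):
        """Return ("forward", src_on_egress, dst_on_egress) or ("drop", reason)."""
        if p.ingress == "inside":
            mapped_src = self.real_to_mapped.get(p.src, p.src)
            key = (p.proto, mapped_src, p.sport, p.dst, p.dport)
            if key not in self.conns:                        # new session: policy check first
                if not self._rule_verdict(p):
                    return ("drop", "no access rule permits the new connection")
                self.conns.add(key)
            return ("forward", mapped_src, p.dst)
        # outside ingress: the destination is the mapped address of an inside host
        real_dst = self.mapped_to_real.get(p.dst, p.dst)
        key = (p.proto, p.dst, p.dport, p.src, p.sport)      # same wire form as above
        if key not in self.conns:                            # not returning traffic
            if not self._rule_verdict(p):
                return ("drop", "no access rule permits the new connection")
            self.conns.add(key)
        return ("forward", p.src, real_dst)

def demo():
    """Constructed scenario; returns the verdict for each packet in order."""
    fw = RoutedFirewall(
        rules={
            "inside": [AccessRule("permit", "tcp", "10.1.2.0/24", "0.0.0.0/0", 80)],
            "outside": [AccessRule("permit", "tcp", "0.0.0.0/0", "209.165.201.10/32", 443)],
        },
        static_nat={"10.1.2.27": "209.165.201.10"},
    )
    return [
        # 1. inside user opens a web connection: rule check, source translated
        fw.process(Packet("tcp", "10.1.2.27", 51000, "203.0.113.5", 80, "inside")),
        # 2. the server's reply: matched by the connection entry, no outside rule needed
        fw.process(Packet("tcp", "203.0.113.5", 80, "209.165.201.10", 51000, "outside")),
        # 3. unsolicited outside connection to a port no rule permits
        fw.process(Packet("tcp", "198.51.100.9", 4444, "209.165.201.10", 22, "outside")),
        # 4. outside host reaching the published HTTPS service through the inbound rule
        fw.process(Packet("tcp", "198.51.100.9", 4444, "209.165.201.10", 443, "outside")),
    ]
```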
802.3-formatted frames are not handled by the rule because they use a length field as opposed to a type field.
Configuring Access Rules
For more information about access rules, see the “Information About Access Rules and EtherType Rules” section on page 20-1.
• Packet Trace—Provides detailed information about packet processing with the adaptive security appliance, as well as information for packet sniffing and network fault isolation.
Modes The following table shows the modes in which this feature is available:
Rule Queries
The Rule Queries dialog box lets you manage named rule queries that you can use in the Filter field when searching for Rules.
– Remove—Removes the selected criteria. • Define New Criteria—This area lets you define new criteria to add to the match criteria.
• Description—(Optional) Enter a description of the access rule.
Fields • TCP—Select this option to add TCP services or port numbers to an object group. • UDP—Select this option to add UDP services or port numbers to an object group.
total number of hits during the interval.
The Log option consumes a certain amount of memory when enabled.
Configuring Ethertype Rules (Transparent Mode Only)
The EtherType Rules window shows access rules based on packet EtherTypes.
Modes The following table shows the modes in which this feature is available:
Add/Edit EtherType Rule
The Add/Edit EtherType Rules dialog box lets you add or edit an EtherType rule.
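The point made earlier in this chapter, that an EtherType rule cannot act on an 802.3-formatted frame because the field after the source MAC is a length rather than a type, as an added Python example that is not code from the guide or from the appliance. The classifier applies the IEEE rule (a value of 1500 or less is a length, 0x0600 or more is an EtherType) and looks through an 802.1Q tag, and the rule matcher then evaluates a first-match list of EtherType rules with an implicit deny. Two behaviours are assumptions of the example rather than statements on this page: 802.3 frames are reported as not subject to the list instead of being dropped, and IPv4 frames (0x0800) are handed off to the access rules of the previous section, which is how the ASA treats IP traffic. The frames are constructed by `build_frame`; the MAC addresses in it are placeholders.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100

def build_frame(type_or_len, payload=b"\x00" * 46, vlan=None):
    """Constructed Ethernet frame with placeholder MACs, optionally 802.1Q-tagged."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return header + struct.pack("!H", type_or_len) + payload

def classify_frame(frame: bytes):
    """("ethernet2", ethertype) or ("802.3", length). IEEE 802.3: a type/length
    value <= 1500 is a length, >= 0x0600 is an EtherType; in between is reserved."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == ETHERTYPE_VLAN:         # real type/length follows the 4-byte tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        type_or_len = struct.unpack("!H", frame[16:18])[0]
    if type_or_len <= 1500:
        return ("802.3", type_or_len)
    if type_or_len >= 0x0600:
        return ("ethernet2", type_or_len)
    raise ValueError("reserved type/length value 0x%04x" % type_or_len)

@dataclass(frozen=True)
class EtherTypeRule:
    action: str                   # "permit" or "deny"
    ethertype: Optional[int]      # None = any EtherType

def apply_ethertype_rules(rules, frame):
    """First matching rule wins; no match is an implicit deny."""
    kind, value = classify_frame(frame)
    if kind == "802.3":
        return ("not-applicable", "802.3 frame carries a length, not an EtherType")
    if value == ETHERTYPE_IPV4:               # assumption: IP is governed by the access rules
        return ("not-applicable", "IPv4 frame, handled by the access rules")
    for rule in rules:
        if rule.ethertype is None or rule.ethertype == value:
            return (rule.action, "matched EtherType 0x%04x" % value)
    return ("deny", "implicit deny")
```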
CHAPTER 21 Configuring NAT
This chapter describes Network Address Translation, and includes the following sections: • NAT Overview, page 21-1 • Co.
NAT Overview
Note In this document, all types of translation are referred to as NAT. When describing NAT, the terms inside and outside represent the security relationship between any two interfaces.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks.
Figure 21-2 NAT Example: Transparent Mode
NAT Control
NAT control requires that packets traversing from an insid.
Interfaces at the same security level are not required to use NAT to communicate.
NAT Types
This section describes the available NAT types, and includes the following topics: • Dynamic NAT, .
Figure 21-6 Remote Host Attempts to Connect to the Real Address
Figure 21-7 shows a remote host attempting to initiate a connection to a mapped address.
Dynamic NAT has these disadvantages: • If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an access list exists that allows it), while dynamic NAT does not.
Bypassing NAT When NAT Control is Enabled
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts.
Figure 21-9 Policy NAT with Different Destination Addresses
Figure 21-10 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services.
For policy static NAT, both translated and remote hosts can originate traffic.
Order of NAT Rules Used to Match Real Addresses
The security appliance matches real addresses to NAT rules in the following order: 1. NAT exemption—In order, until the first match.
When an inside host sends a DNS request for the address of ftp.cisco.
Figure 21-13 shows a web server and DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.
21-16 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Using Dynamic NAT This section describes how t o confi gure dynamic N A T , including dy namic N A T and P A T , dynamic policy N A T and P A T , and identity N A T .
21-17 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT Real Addresses and Global Pools Paired Using a Pool ID In a dynamic N A T rule, you sp ecify real addresses and the.
21-18 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Global Pools on Different Interf aces with the Same Pool ID Y ou can create a global pool for each interface using the same pool ID.
21-19 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT Figur e 21 -16 Dif f er ent NA T IDs Multiple Addresses in the Same Global Pool Y o u can ha ve multiple add resses.
21-20 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Figur e 21 -1 7 NA T and P A T T ogether Outside NAT If a N A T rule translates addresses from an outside in terface to an inside interf ace, then the rule is an outside N A T rule, and you need to sp ecify that it translates inbound tra f fic.
21-21 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT Figur e 21 -1 8 Outside NA T and Inside NA T Combined Real Addresses in a NAT Rule Must be Transla ted on All Lower.
21-22 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Step 2 For a new pool, from the Interf ace drop-down list, choose the interface where you want to use the mapped IP addresses. Step 3 For a ne w pool, in the Pool ID f ield, enter a number between 1 and 2147483647.
21-23 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT T o conf igure a dynamic N A T , P A T , or identity N A T rule, perform the follow ing steps. Step 1 From t he Configuration > Firewall > N A T Rul es pane, choose Add > Add Dynamic NA T Rule .
21-24 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Dynamic NAT Randomizing the I SN of the protected host pre vents an attacker from predecti ng the next I SN for a ne w connection and po tentially hijacking th e ne w session. TCP initial sequ ence number rand omization can be d isabled if require d.
21-25 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Dynamic NAT T o conf igure dynamic polic y N A T or P A T , perform the followin g steps: Step 1 From t he Configuration > Firewall > N A T Ru les pane, choos e Add > Advanced > Add Dynamic P olicy NA T Ru l e .
21-26 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Static NAT Note Y ou can also set these values usin g a security policy rule (see the “Configu ring Connection Settings” section on page 27-6 ). If you set them in bot h places, then the security app liance uses the lo wer limit.
21-27 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Static NAT Policy N A T lets you identify real addresses for address tran slation by specifyin g the source and destination addresses. Y ou can also optionall y specify the source an d destination ports.
21-28 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Static NAT Step 1 From t he Configuration > Firewall > N A T Rul es pane, choose Add > Add Static NA T Rule .
21-29 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Static NAT Randomizing the I SN of the protected host pre vents an attacker from predectin g the next I SN for a ne w connection and po tentially hijacking th e ne w session. TCP initial sequ ence number rand omization can b e disabled if requ ired.
21-30 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using Static NAT Configuring Static Policy NAT, PAT, or Identity NAT Figure 21-22 sho ws typi cal static policy N A T , static policy P A T , and static p olicy identity N A T scenarios.
21-31 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using Static NAT Step 6 Specify the mapped IP address by clicking one of the follo wing: • Use IP Address Enter the IP address or click the ... b utton to choose an IP address that you already defined in ASDM.
21-32 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using NAT Exemptio n • Maximum Embry onic Connections —Specif ies the maximum number of embryonic connecti ons per host up to 65,536. An em bryonic connection is a connection request that has not f inished the necessary handshake between source and destinatio n.
21-33 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring NAT Using NAT Exemption Note Y ou can later specify addresses that you do not want to exemp t. For e xample, you can specify a subnet to ex empt such as 10.1.1.0/24, but if you w ant to tran slate 10.
21-34 Cisco ASDM User Guide OL-16647-01 Chapter 21 Configuring N AT Using NAT Exemptio n.
CHAPTER 22 Configuring Service Policy Rules
This chapter describes how to enable service policy rules. Service policies provide a consistent and flexible way to configure security appliance features.
Service Policy Overview
• Application inspection
• IPS
• QoS output policing
• QoS priority queue
• QoS.
Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature.
Note Application inspection includes multiple inspection types, and each inspection type is a separate feature when you consider the matching guidelines above.
p. SIP q. Skinny r. SMTP s. SNMP t. SQL*Net u. TFTP v. XDMCP w. DCERPC x. Instant Messaging
Note RADIUS accounting is not listed because it is the only inspection allowed on management traffic.
Adding a Service Policy Rule for Through Traffic
For example, if HTTP traffic matches a policy on the inside in.
– Default Inspection Traffic—The class matches the default TCP and UDP ports used by all applications that the security appliance can inspect.
multiple ACEs to the same traffic class by repeating this entire procedure. See the “Managing the Order of Service Policy Rules” section on page 22-13 for information about changing the order of ACEs.
If you want to specify a TCP or UDP port number, or an ICMP service number, enter protocol/port. For example, enter TCP/8080.
Step 9 Click Finish.
Adding a Service Policy Rule for Management Traffic
You can create a service policy for traffic directed to the security appliance for management purposes.
both RADIUS accounting and connection limits are applied to the interface.
Step 6 Click Next.
Step 7 The next dialog box depends on the traffic match criteria you chose.
• Source and Destination Address—This dialog box lets you set the source and destination addresses: a.
In the Service field, enter a port number or name, or click ... to choose one already defined in ASDM.
Step 8 Click Next.
Managing the Order of Service Policy Rules
Step 2 Click the Move Up or Move Down cursor (see Figure 22-1).
RADIUS Accounting Field Descriptions
Add RADIUS Accounting Policy Map
The Add RADIUS Accounting Policy Map dialog box lets you add the basic settings for the RADIUS accounting map.
RADIUS Inspect Map
The RADIUS pane lets you view previously configured RADIUS application inspection maps. A RADIUS map lets you change the default configuration values used for RADIUS application inspection.
• Add—Adds the host entry to the Host table.
CHAPTER 23 Applying AAA for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access. For information about AAA for management access, see the “Configuring AAA for System Administrators” section on page 16-20.
Configuring Authentication for Network Access
Information About Authentication
The security appliance lets you configure network access authentication using AAA servers.
Redirection is an improvement over the basic method because it provides an improved user experience when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and firewall modes.
Configuring Network Access Authentication
To enable network access authentication, perform the following steps.
Enabling the Redirection Method of Authentication for HTTP and HTTPS
This method of authentication enables HTTP(S) listening ports to authenticate network users.
• Enabling Virtual HTTP—Virtual HTTP lets you authenticate separately with the security appliance and with the HTTP server.
Authenticating Telnet Connections with a Virtual Server
Although you c.
If the destination HTTP server requires authentication in addition t.
Configuring Authorization for Network Access
Configuring the Authentication Proxy Limit
You can manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user.
To configure TACACS+ authorization, perform the following steps:
Step 1 Enable authentication. For more information, see the “Configuring Network Access Authentication” section on page 23-4.
When you configure the security appliance to authenticate users for net.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS access-accept message that contains the internal name of the applicable downloadable access list.
6. If the access list required is more than approximately 4 KB in len.
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.
Configuring Accounting for Network Access
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a.
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Step 3 From the Interface drop-down list, choose the interface for applying the rule.
The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match scenario.
CHAPTER 24 Configuring Application Layer Protocol Inspection
This chapter describes how to configure application layer protocol inspection.
Inspection Engine Overview
• RADIUS Accounting Inspection, page 24-19
• RSH Inspection, page.
Inspection Limitations
See the following limitations for application protocol inspection:
• State information for multimedia sessions that require inspection is not passed over the state link for stateful failover.
Configuring Application Inspection
This feature uses Security Policy Rules. Service policies provide a consistent and flexible way to configure security appliance features.
To configure application inspection, perform the following steps:
Step 1 Click Configuration > Firewall > Service Policy Rules.
CTIQBE Inspection
• Entering the debug ctiqbe command may delay message transmission, which may have a performance impact in a real-time environment.
DNS Inspection
• Translates the DNS record based on the configuration completed using NAT rules.
Figure 24-1 Translating the Address in a DNS Reply (DNS Rewrite)
DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on an inside interface.
FTP Inspection
Note If you disable FTP inspection engines, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
• The security appliance replaces the FTP server response to the SYST command with a series of Xs to prevent the server from revealing its system type to FTP clients.
GTP Inspection
Figure 24-2 GPRS Tunneling Protocol
The UMTS is the commercial convergence of fixed-line telephony, mobile, Internet and computer technology.
H.323 Inspection
H.323 Inspection Overview
H.323 inspection provides support for H.323 compliant applications such as Cisco Call Manager and VocalTec Gatekeeper.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection.
Instant Messaging Inspection
The IM inspect engine lets you apply.
For search responses, when the LDAP server is located outside, NAT should be considered to allow internal peers to communicate locally while registered to external LDAP servers.
MGCP Inspection
the Internet or over other packet networks. Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external (global) addresses.
• DeleteConnection
• NotificationRequest
• Notify
• AuditEndpoint
• AuditConnection
• RestartInProgress
The first four commands are sent by the call agent to the gateway.
MMP Inspection
• Verifies that client to server MMP content lengths are not exceeded. If an entity content length is exceeded (4096), the TCP session is terminated.
PPTP Inspection
PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels.
RTSP Inspection
RTSP Inspection Overview
The RTSP inspection engine lets the security appliance pass RTSP packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections.
• With Cisco IP/TV, the number of translates the security appliance performs on.
SIP Inspection
• Session Initiation Protocol (SIP)-Specific Event Notification, R.
Skinny (SCCP) Inspection
Note For specific information about setting up the Phone Proxy on the s.
When the Cisco IP Phones are on a higher security interface c.
SMTP and Extended SMTP Inspection
With SMTP inspection enabled, a Telnet session used for interactive SMTP may ha.
SQL*Net Inspection
The packets that need fix-up contain embedded host/port addresses in the following format: (ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.
Sun RPC Inspection
• IP address—Displays the IP address of the SunRPC server.
• Mask—Displays the subnet mask of the IP Address of the SunRPC server.
TFTP Inspection
TFTP inspection is enabled by default. TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.
Service Policy Field Descriptions
• Select H.323 Map, page 24-33
• Select HTTP Map, page 24.
– Configure—Displays the Select HTTP Map dialog box, which lets you select a map name to use for this protocol.
For More Information
Inspect Map Field Descriptions, page 24-59
Inspect command pages for each protocol in the Cisco Security Appliance Command Reference.
Modes
The following table shows the modes in which this feature is available:
Select ESMTP Map
The Select ESMTP Map dialog box lets you select or create a new ESMTP map.
Modes
The following table shows the modes in which this feature is available:
Select GTP Map
The Select GTP Map dialog box lets you select or create a new GTP map.
Modes
The following table shows the modes in which this feature is available:
Select HTTP Map
The Select HTTP Map dialog box lets you select or create a new HTTP map.
Select IPSec-Pass-Thru Map
The Select IPSec-Pass-Thru dialog box lets you select or create a new IPSec map. An IPSec map lets you change the configuration values used for IPSec application inspection.
Select NETBIOS Map
The Select NETBIOS Map dialog box lets you select or create a new NetBIOS map. A NetBIOS map lets you change the configuration values used for NetBIOS application inspection.
Select SCCP (Skinny) Map
The Select SCCP (Skinny) Map dialog box lets you select or create a new SCCP (Skinny) map.
Fields
• Use the default SIP inspection map—Specifies to use the default SIP map.
Class Map Field Descriptions
An inspection class map matches application traffic with criteria specific to the application, such as a URL string.
Add/Edit DNS Traffic Class Map
The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.
Fields
• Name—Enter the name of the DNS class map, up to 40 characters in length.
Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.
• Type Criterion Values—Specifies the value details for the DNS type match.
Manage Regular Expressions
The Manage Regular Expressions dialog box lets you configure Regular Expressions for use in pattern matching.
• Add—Adds a regular expression class map.
• Edit—Edits a regular expression class map.
• Delete—Deletes a regular expression class map.
Add/Edit FTP Traffic Class Map
The Add/Edit FTP Traffic Class Map dialog box lets you define an FTP class map.
Fields
• Name—Enter the name of the FTP class map, up to 40 characters in length.
GET—FTP client command for the retr (retrieve a file) command.
HELP—Help information from the server.
MKD—Create a directory.
H.323 Class Map
The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection. An inspection class map matches application traffic with criteria specific to the application.
• Add—Adds an H.323 class map.
• Edit—Edits an H.323 class map.
• Delete—Deletes an H.323 class map.
Modes
The following table shows the modes in which this feature is available:
Add/Edit H.
– Audio—Match audio type.
Add/Edit HTTP Traffic Class Map
The Add/Edit HTTP Traffic Class Map dialog box lets you define an HTTP class map.
Fields
• Name—Enter the name of the HTTP class map, up to 40 characters in length.
– Request Body—Applies the regular expression match to the body of the request.
Regular Expression—Lists the defined regular expressions to match.
– Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.
Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.
– Response Status Line—Applies the regular expression match to the status line.
Regular Expression—Lists the defined regular expressions to match.
Add/Edit IM Traffic Class Map
The Add/Edit IM Traffic Class Map dialog box lets you define an IM class map.
Fields
• Name—Enter the name of the IM class map, up to 40 characters in length.
– Source IP Address—Match source IP address.
– Destination IP Address—Match destination IP address.
– Filename—Match filename from IM file transfer service.
• Destination IP Address Criterion Values—Specifies to match the destination IP address of the IM service.
– IP Address—Enter the destination IP address of the IM service.
Modes
The following table shows the modes in which this feature is available:
Add/Edit SIP Traffic Class Map
The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.
– Content Type—Match the Content Type header.
– IM Subscriber—Match the SIP IM subscriber.
– Message Path—Match the SIP Via header.
Inspect Map Field Descriptions
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• DNS Inspect Map, page 24-64
• ESMTP Inspect Map, page 24-71
• FTP Inspect Map, page 24-79
• GTP Inspect Map, page 24-84
• H.
Use the Service Policy Rules tab on the Security Policy pane to apply the inspect map to traffic matching the criteria specified in the service policy.
DCERPC Inspect Map
The DCERPC pane lets you view previously configured DCERPC application inspection maps.
Endpoint mapper service lookup: enabled
Endpoint mapper service lookup timeout: 00:05:00
– Medium—Default.
– High
Pinhole timeout: 00:01:00
Endpoint mapper service: enforced
Endpoint mapper service lookup: disabled
– Default Level—Sets the security level back to the default level of Medium.
• Add—Configures a new DNS inspect map. To edit a DNS inspect map, select the DNS entry in the DNS Inspect Maps table and click Customize.
Add/Edit DNS Policy Map (Security Level)
The Add/Edit DNS Policy Map pane lets you configure the security level and additional settings for DNS application inspection maps.
Message length check: enabled
Message length maximum: 512
Mismatch rate logging: enabled
TSIG resource record: enforced
– Default Level—Sets the security level back to the default level of Low.
Drop packets that exceed specified maximum length (global)—Drops packets that exceed the maximum length in bytes.
Maximum Packet Length—Enter the maximum packet length in bytes.
24-69 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions Add/Edit DNS Inspect The Add/Edit DNS Inspect d ialog box lets you def ine the mat ch criterion and v alue for the DNS inspect map.
24-70 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configu ring Applicat ion Layer Protoco l Inspection Inspect Map Field Descriptions – DNS Class Field V alue—Specifies to match eith er a DNS class field v alue or a DNS class field range. V alue—Lets you enter an arbitrary v alue between 0 and 6 5535 to match.
24-71 Cisco ASDM User Guide OL-16647-01 Chapter 24 Configuring Application Layer Protocol Inspection Inspect Map Fi eld Descri ptions An inspectio n class map ma tches applic ation traff ic with cr iteria specific to the a pplication. Y ou then identify th e class map in the in spect map and enable actions.
24-72 Log if body line length is greater than 1000 Log if sender addre.
24-73 • Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter. • Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.
24-74 Drop Connections if command recipient count is greater than 100.
24-75 – Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection. – Delete—Deletes an ESMTP inspection.
24-76 – Log—Enable or disable. • Body Line Length Criterion Values—Specifies the value details for body line length match.
24-77 – Available Parameters Table: 8bitmime auth binarymime checkp.
24-78 – Log—Enable or disable. • MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match.
24-79 FTP Inspect Map The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection.
24-80 File Type Filtering The File Type Filtering dialog box lets you configure the settings for a file type filter. Fields • Match Type—Shows the match type, which can be a positive or negative match.
24-81 – Default Level—Sets the security level back to the default level of Medium. • Details—Shows the Parameters and Inspections tabs to configure additional settings.
24-82 Add/Edit FTP Map The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.
24-83 – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. – Regular Expression Class—Lists the defined regular expression classes to match.
24-84 GTP Inspect Map The GTP pane lets you view previously configured GTP application inspection maps. A GTP map lets you change the default configuration values used for GTP application inspection.
24-85 Fields • Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries will be prepended by 0 to create a three-digit value.
24-86 Add/Edit GTP Policy Map (Details) The Add/Edit GTP Policy Map pane lets you configure the security level and additional settings for GTP application inspection maps.
24-87 Request Queue—Lets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session.
24-88 Add/Edit GTP Map The Add/Edit GTP Inspect dialog box lets you define the match criterion and value for the GTP inspect map.
24-89 – Value—Specifies whether value is an exact match or a range. Equals—Enter a value. Range—Enter a range of values.
24-90 Limit payload to audio or video, based on the signaling exchange:
24-91 Add/Edit H.323 Policy Map (Security Level) The Add/Edit H.323 Policy Map pane lets you configure the security level and additional settings for H.
24-92 • Details—Shows the State Checking, Call Attributes, Tunneling and Protocol Conformance, HSI Group Parameters, and Inspections tabs to configure additional settings.
24-93 – Add—Opens the Add HSI Group dialog box to add an HSI group. – Edit—Opens the Edit HSI Group dialog box to edit an HSI group.
24-94 Add/Edit H.323 Map The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.
24-95 – Manage—Opens the Manage H323 Class Maps dialog box to add, edit, or delete H.323 Class Maps. • Action—Drop packet, drop connection, or reset.
24-96 – High Protocol violation action: Drop connection and log Drop connections for unsafe methods: Allow only GET and HEAD.
24-97 Add/Edit HTTP Policy Map (Security Level) The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps.
24-98 Modes The following table shows the modes in which this featur.
24-99 Add/Edit HTTP Map The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.
24-100 cookie, date, expect, expires, from, host, if-match, if-modif.
24-101 Method—Specifies to match on a request method: bcopy, bdelet.
24-102 Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
24-103 – H323 Traffic Class—Specifies the HTTP traffic class match. – Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps.
24-104 Add/Edit Instant Messaging (IM) Policy Map The Add/Edit Instant Messaging (IM) Policy Map pane lets you configure the security level and additional settings for IM application inspection maps.
24-105 – Destination IP Address—Match destination IP address. – Version—Match IM file transfer service version. – Client Login Name—Match client login name from IM service.
24-106 – Regular Expression—Lists the defined regular expressions to match. – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
24-107 – Low—Default. Maximum ESP flows per client: Unlimited. ESP idle timeout: 00:10:00. Maximum AH flows per client: Unlimited.
24-108 AH idle timeout: 00:00:30. – Default Level—Sets the security level back to the default level of Low. • Details—Shows additional parameter settings to configure.
24-109 MGCP Inspect Map The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection.
24-110 Add/Edit MGCP Policy Map The Add/Edit MGCP Policy Map pane lets you configure the command queue, gateway, and call agent settings for MGCP application inspection maps.
24-111 Add/Edit MGCP Group The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled.
24-112 NetBIOS Inspect Map The NetBIOS pane lets you view previously configured NetBIOS application inspection maps.
24-113 RTSP Inspect Map The RTSP pane lets you view previously configured RTSP application inspection maps. An RTSP map lets you change the default configuration values used for RTSP application inspection.
24-114 – Edit—Opens the Edit RTSP Inspect dialog box to edit an RTSP inspection. – Delete—Deletes an RTSP inspection.
24-115 Modes The following table shows the modes in which this feature is available: SCCP (Skinny) Inspect Map The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps.
24-116 Maximum message ID: 0x141. Minimum prefix length: 4. Maximum prefix length: 65536. Media timeout: 00:01:00. Signaling timeout: 00:05:00.
24-117 Add/Edit SCCP (Skinny) Policy Map (Security Level) The Add/Edit SCCP (Skinny) Policy Map pane lets you configure the security level and additional settings for SCCP (Skinny) application inspection maps.
24-118 Limit payload to audio or video, based on the signaling exchange: Yes. – Message ID Filtering—Opens the Messaging ID Filtering dialog box for configuring message ID filters.
24-119 – Criterion—Shows the criterion of the inspection. – Value—Shows the value to match in the inspection. – Action—Shows the action if the match condition is met.
24-120 SIP Inspect Map The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection.
24-121 – High SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Denied. Hide server's and endpoint's IP addresses: Disabled.
24-122 Non-SIP traffic on SIP port: Permitted. Hide server's and endpoint's IP addresses: Disabled. Mask software version and non-SIP URIs: Disabled.
24-123 – Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Default is enabled. – Permit non-SIP traffic on SIP port—Permits non-SIP traffic on SIP port.
24-124 – Move Up—Moves an inspection up in the list.
24-125 – Regular Expression—Lists the defined regular expressions to match. – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
24-126 – Regular Expression Class—Lists the defined regular expression classes to match. – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
24-127 Add/Edit SNMP Map The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.
CHAPTER 25 Configuring QoS
25-1 Have you ever participated in a long-distance phone call that involved a satellite connection? The conversation might be interrupted with brief, but perceptible, gaps at odd intervals.
25-2 Supported QoS Features The security appliance supports the following QoS features: • Policing—To prevent individual flows from hogging the network bandwidth, you can limit the maximum bandwidth used per flow.
25-3 For traffic shaping, a token bucket permits burstiness but bounds it.
25-4 Traffic Shaping Overview Traffic shaping is used to match device and link speeds, thereby controlling packet loss, variable delay, and link saturation, which can cause jitter and delay.
25-5 You cannot configure traffic shaping and standard priority queueing for the same interface; only hierarchical priority queueing is allowed.
25-6 This setting guarantees that the hardware-based transmit ring imposes no more than 10 ms of extra latency for a high-priority packet.
25-7 • Conform Action—The action to take when the rate is less than the conform-burst value. Values are transmit or drop.
25-8 Step 4 (Optional) To configure priority queueing for a subset of shaped traffic: a. Click Enforce priority to selected shape traffic.
CHAPTER 26 Configuring Filter Rules
26-1 This chapter includes the following sections: • URL Filtering, page 26-1 • Filter Rules, page 26-5 URL Filtering You can apply filtering to connection requests originating from a more secure network to a less secure network.
26-2 Configuring URL Filtering To enable filtering with an external filtering server, perform the following steps. Step 1 Go to Configuration > Firewall > URL Filter Servers to specify an external filtering server.
26-3 – Add/Edit Parameters for Websense URL Filtering, page 26-3 – Add/Edit Parameters for Secure Computing S.
26-4 Add/Edit Parameters for Secure Computing SmartFilter URL Filtering • Interface—Specifies the interface on which the URL filtering server is connected. • IP Address—Specifies the IP address of the URL filtering server.
26-5 – Source/Destination Address—Caches entries based on both the source address initiating the URL request as well as the URL destination address. Choose this mode if users do not share the same URL filtering policy on the server.
26-6 Benefits The Filter Rules pane provides information about the filter rules that are currently configured on the security appliance.
26-7 – Add—Lets you add a filter rule. – Edit—Lets you edit a filter rule. – Delete—Lets you delete a filter rule. – Find—Lets you find a filter rule.
26-8 – Filter HTTP (URL) – Do not filter HTTP (URL) – Filter HTTPS – Do not filter HTTPS – Filter FTP – Do not filter FTP • Source—Enter the source of the traffic to which the filtering action applies.
26-9 – Block users from connecting to an HTTP proxy server—Prevent HTTP requests made through a proxy server.
26-10 Step 3 For Source, Destination, Source or Destination, and Service filters, perform the following steps: a.
26-11 For More Information Filtering the Rule Table, page 26-9 Browse Source/Destination/Service The Browse Source/Destination/Service dialog box lets you choose from existing IP address, name, or service objects.
26-12 For More Information Filter Rules, page 26-5 URL Filtering, page 26-1.
CHAPTER 27 Configuring Advanced Firewall Protection
27-1 This chapter describes how to prevent network attacks by configuring protection features, and include.
27-2 • Basic Threat Detection Overview, page 27-2 • Configuring Basic Thre.
27-3 Configuring Scanning Threat Detection A typical scanning attack consists of a.
27-4 Caution The scanning threat detection feature can affect the security appliance performance and memory significantly while it creates and gathers host- and subnet-based data structure and information.
27-5 Caution Enabling statistics can affect the security appliance performance, depending on the type of statistics enabled.
27-6 Configuring Connection Settings This section describes how to set maximum.
27-7 VPN requires the ability to process the 3-way handshake packets to provide selective ACK and other TCP options for Clientless SSL VPN connections.
27-8 Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to Chapter 22, “Configuring Service Policy Rules.
27-9 Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
27-10 • Drop SYN Packets with data—Drops SYN packets with data. • Drop SYN ACK Packets with data—Drops TCP SYN ACK packets that contain data.
27-11 IP Audit Policy The IP Audit Policy pane lets you add audit policies and assign them to interfaces. You can assign an attack policy and an informational policy to each interface.
27-12 – Attack—Sets the policy type as attack. – Information—Sets the policy type as informational. • Action—Sets one or more actions to take when a packet matches a signature.
27-13 IP Audit Signature List Table 27-3 lists supported signatures and system message numbers.
27-14 1103 400009 IP Overlapping Fragments (Teardrop) Attack Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram.
27-15 2008 400018 ICMP Timestamp Reply Informational Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).
27-16 3042 400028 TCP FIN only flags Attack Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.
27-17 Configuring the Fragment Size By default, the security appliance allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly.
27-18 – Timeout—Specifies the maximum number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives.
27-19 • Fail—Display only. Displays the number of failed reassembly attempts. • Overflow—Display only. Displays the number of IP packets in the overflow queue.
27-20 Configuring Anti-Spoofing The Anti-Spoofing window lets you enable Unicast Reverse Path Forwarding on an interface.
27-21 Fields • Inbound and Outbound Reset—Sets whether to reset denied TCP connections for inbound and outbound traffic. – Interface—Shows the interface name.
27-22 CLOSING state. Having many sockets in the CLOSING state can degrade the performance of an end host.
27-23 Configuring Global Timeouts The Timeouts pane lets you set the timeout durations for use with the security appliance. All durations are displayed in the format hh:mm:ss.
27-24 • SIP Disconnect—Modifies the idle time after which a SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message.
CHAPTER 28 Configuring IPS. This chapter describes how to configure the adaptive security appliance to support an AIP SSM that is installed in the security appliance. Note: The Cisco PIX 500 series security appliances do not support SSMs.
28-2 AIP SSM Overview: How the AIP SSM Works with the Adaptive Security Appliance. The AIP SSM runs a separate application from the adaptive security appliance. It is, however, integrated into the adaptive security appliance traffic flow.
28-3 AIP SSM Overview. • Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM.
28-4 AIP SSM Overview. Figure 28-3 Security Contexts and Virtual Sensors. Figure 28-4 shows a single mode security appliance paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.
28-5 Accessing IDM from ASDM. 4. Using ASDM on the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM. See the “Diverting Traffic to the AIP SSM” section on page 28-6.
28-6 Diverting Traffic to the AIP SSM. Step 1 In the ASDM Device List pane, double-click System under the active device IP address. Step 2 On the Context Management > Security Contexts pane, choose a context that you want to configure, and click Edit.
28-7 Diverting Traffic to the AIP SSM. The Add Service Policy Rule Wizard - Service Policy dialog box appears. Complete the Service Policy and Traffic Classification Criteria dialog boxes.
28-8 Resetting the AIP SSM Password. ...Virtual Sensors to Security Contexts” section on page 28-5). If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context.
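How a service-policy rule hands a matched flow to a virtual sensor, as an added Python model written for this page (it is not Cisco's code and not the ASA's implementation). The Flow, Rule, IpsAction and Ssm classes, the sensor names vs0 and vs1 and the sample networks are assumptions made for the example; the behaviour it models is the one described above and in the ASA ips service-policy action: inline mode lets the sensor's verdict drop the packet, promiscuous mode only receives a copy so the firewall forwards regardless, a rule with no sensor name falls back to the context's default sensor, and the fail-open or fail-close setting decides what happens to matched traffic while the SSM is down.

```python
"""Added example (not Cisco's code): how a service policy hands flows to AIP SSM
virtual sensors.  Flow, Rule, IpsAction, Ssm and the sensor names are assumptions
made for this model; the inline/promiscuous and fail-open/fail-close semantics
follow the ASA 'ips' service-policy action."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class IpsAction:
    mode: str                      # "inline" or "promiscuous"
    fail_open: bool                # what to do with matched traffic if the SSM is down
    sensor: Optional[str] = None   # virtual sensor name; None -> the context's default sensor


@dataclass(frozen=True)
class Rule:
    dst_net: str                   # the class map's destination-network match (assumed)
    proto: Optional[str]           # protocol match, None = any
    action: IpsAction


class Ssm:
    """Stand-in for the AIP SSM: named virtual sensors, each a verdict function."""

    def __init__(self, sensors: Dict[str, Callable[[Flow], str]], up: bool = True):
        self.sensors = sensors
        self.up = up


def apply_policy(flow: Flow, rules: List[Rule], ssm: Ssm,
                 default_sensor: str) -> Tuple[str, Optional[str], str]:
    """Return (disposition, sensor used, reason) for one flow.

    First matching rule wins.  Inline mode lets the sensor's verdict decide;
    promiscuous mode only copies the flow, so the firewall forwards regardless
    of the verdict.  If the SSM is down, fail-open forwards and fail-close drops.
    """
    for rule in rules:
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst_net):
            continue
        if rule.proto is not None and rule.proto != flow.proto:
            continue
        act = rule.action
        sensor = act.sensor or default_sensor
        if not ssm.up:
            return ("forwarded" if act.fail_open else "dropped", sensor, "ssm-down")
        verdict = ssm.sensors[sensor](flow)        # "pass" or "deny"
        if act.mode == "promiscuous":
            return ("forwarded", sensor, "copy:" + verdict)
        return ("forwarded" if verdict == "pass" else "dropped", sensor, verdict)
    return ("forwarded", None, "no-ips-rule")


def sample_policy() -> Tuple[List[Rule], Ssm]:
    """Constructed sample: vs1 guards the 10.1.0.0/16 data centre inline and
    fail-close; 10.2.0.0/16 TCP traffic is only mirrored to the default sensor."""
    sensors = {
        "vs0": lambda f: "pass",                                # permissive default sensor
        "vs1": lambda f: "deny" if f.dport == 445 else "pass",  # blocks SMB into the DC
    }
    rules = [
        Rule("10.1.0.0/16", None, IpsAction("inline", fail_open=False, sensor="vs1")),
        Rule("10.2.0.0/16", "tcp", IpsAction("promiscuous", fail_open=True)),
    ]
    return rules, Ssm(sensors)


if __name__ == "__main__":
    rules, ssm = sample_policy()
    for f in (Flow("172.16.9.9", "10.1.5.5", "tcp", 445),
              Flow("172.16.9.9", "10.2.1.1", "tcp", 445),
              Flow("172.16.9.9", "192.168.1.1", "tcp", 445)):
        print(f.dst, apply_policy(f, rules, ssm, "vs0"))
```

The promiscuous case is the one to notice: a flow the sensor would deny is still forwarded, because the sensor only sees a copy; blocking there depends on the sensor's own shun or reset actions, not on the service policy. Fail-close on the data-centre rule means an SSM reload stops that traffic, so choose it only where an outage is preferable to unscanned traffic.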
CHAPTER 29 Configuring Trend Micro Content Security. Note: The ASA 5580 does not support the CSC SSM feature.
29-2 Managing the CSC SSM. • Other IP Address or Hostname—Connects to an alternate IP address or hostname on the SSM. Step 3 Enter the port number in the Port field, and then click Continue.
29-3 Managing the CSC SSM. • A service policy that determines which traffic is diverted to the SSM for scans.
29-4 Managing the CSC SSM. • The management port of the adaptive security appliance is connected to the management network.
29-5 Managing the CSC SSM. • Activation keys, received after completing Step 2. • The SSM management port IP address, netmask, and gateway IP address. The SSM management port IP address must be accessible by the hosts used to run ASDM.
29-6 Managing the CSC SSM. The new service policy appears in the Service Policy Rules pane.
29-7 Managing the CSC SSM. You enable traffic scanning with the CSC SSM on the CSC Scan tab in the Add Service Policy Rule Wizard Rule Actions screen.
29-8 Managing the CSC SSM. Figure 29-4 shows service policy rules that select only the traffic that the adaptive security appliance should scan.
29-9 CSC SSM Setup. • If CSC card fails—Configures the action to take if the CSC SSM becomes inoperable. – Permit traffic—Allows traffic if the CSC SSM fails.
29-10 CSC SSM Setup. For More Information: See Managing the CSC SSM, page 29-2. Activation/License: The Activation
29-11 CSC SSM Setup. For More Information: See Managing the CSC SSM, page 29-2. IP Configuration: The IP Configuration
29-12 CSC SSM Setup. Fields • Host and Domain Names—Contains information about the hostname and domain name of the CSC SSM. – HostName—Sets the hostname of the CSC SSM.
29-13 CSC SSM Setup. Fields • IP Address—Sets the address of a host or network you want to add to the Selected Hosts/Network list. • Mask—Sets the netmask for the host or network you specified in the IP Address field.
29-14 CSC SSM Setup. Note: The default password is “cisco.” Fields • Old Password—Requires the current password for management access to the CSC SSM. • New Password—Sets the new password for management access to the CSC SSM.
29-15 CSC SSM Setup. Note: This feature is available only in multiple-context mode in the system context. For More Information: See Password, page 29-13. Wizard Setup: The Wizard Setup screen lets you start the CSC Setup Wizard.
29-16 CSC SSM Setup. Fields • Activation Code—Display only. Displays the activation code settings you have made on this screen. – Base License—Shows the activation code.
29-17 CSC SSM Setup. For More Information: See Managing the CSC SSM, page 29-2. CSC Setup Wizard Host Configuration.
29-18 CSC SSM Setup. Modes: The following table shows the modes in which this feature is available. For More Information
29-19 CSC SSM Setup. • Add—Click to specify additional traffic details for CSC scanning. For more information, see Specify traffic for CSC Scan, page 29-19.
29-20 CSC SSM Setup. For More Information: See CSC Setup Wizard Traffic Selection for CSC Scan, page 29-18. CSC Setup Wizard Summary: The CSC Setup Wizard Summary screen displays the settings that you have made with the CSC Setup Wizard.
29-21 Web. • Password—Display only. Indicates whether or not you have changed the password in the Password Configuration screen. • Back—Click to return to preceding screens of the CSC Setup Wizard.
29-22 Mail. • Scanning—Includes a field and a link about HTTP scanning on the CSC SSM. – HTTP Scanning—Display only. Shows whether or not HTTP scanning is enabled on the CSC SSM.
29-23 Mail. Fields • Scanning—Includes fields and links about SMTP scanning. – Incoming Scan—Display only. Shows whether or not the incoming SMTP scanning feature is enabled on the CSC SSM.
29-24 File Transfer. Note: To access the CSC SSM, you must reenter the CSC SSM password. Sessions in the CSC SSM browser time out after ten minutes of inactivity.
29-25 Updates. • Configure File Blocking—Opens a screen for configuring FTP file blocking settings on the CSC SSM.
29-26 Updates. For More Information: See Managing the CSC SSM, page 29-2.
CHAPTER 30 Configuring ARP Inspection and Bridging Parameters. This chapter describes how to enable ARP inspection and how to customize bridging operations for the security appliance in transparent firewall mode.
30-2 Configuring ARP Inspection. Note: The dedicated management interface, if present, never floods packets even if this parameter is set to flood.
30-3 Configuring ARP Inspection. Modes: The following table shows the modes in which this feature is available.
30-4 Customizing the MAC Address Table: Add/Edit ARP Static Configuration. The Add/Edit ARP Static Configuration dialog box lets you add or edit a static ARP entry.
30-5 Customizing the MAC Address Table. ...drops the traffic and generates a system message.
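The inspection decision described in this chapter, as an added Python model written for this page (not Cisco's code and not the appliance's implementation). The interface names, the two static ARP entries, the per-interface flood setting and the "management" interface name are constructed for the example; the rule it applies is the one the chapter states: with inspection enabled, an ARP packet whose sender IP has a static entry must carry that entry's MAC and arrive on that entry's interface or it is dropped, a sender IP with no static entry is flooded or dropped according to the interface setting, and the dedicated management interface never takes part in flooding.

```python
"""Added example (not Cisco's code): a model of transparent-mode ARP inspection.
The interface names, the static entries and the 'management' interface name are
constructed for the example; the forward / drop / flood decisions follow the
behaviour the chapter describes."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class ArpPacket:
    iface: str          # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class StaticArp:
    iface: str
    ip: str
    mac: str


@dataclass(frozen=True)
class InspectionPolicy:
    enabled: bool
    flood: bool         # forward packets that match no static entry out the other interfaces


MGMT_IFACE = "management"   # dedicated management interface: never floods

Decision = Tuple[str, Union[None, str, List[str]]]


def inspect_arp(pkt: ArpPacket, statics: List[StaticArp],
                policies: Dict[str, InspectionPolicy], interfaces: List[str]) -> Decision:
    """Return ("forward", None), ("drop", reason) or ("flood", egress interfaces).

    A sender IP that has a static entry must match that entry's MAC and interface,
    otherwise the packet is dropped (the ASA also logs a system message).  A sender
    IP with no static entry is flooded or dropped according to the interface policy.
    """
    policy = policies.get(pkt.iface)
    if policy is None or not policy.enabled:
        return ("forward", None)                  # inspection off: bridged like any other frame

    for entry in statics:
        if entry.ip != pkt.sender_ip:
            continue
        if entry.mac == pkt.sender_mac and entry.iface == pkt.iface:
            return ("forward", None)
        return ("drop", "static-entry-mismatch")  # spoofed MAC, or the right MAC on the wrong side

    if not policy.flood or pkt.iface == MGMT_IFACE:
        return ("drop", "no-static-entry")
    egress = [i for i in interfaces if i not in (pkt.iface, MGMT_IFACE)]
    return ("flood", egress) if egress else ("drop", "no-egress-interface")


def sample_topology():
    """Constructed sample: the gateway on outside and one server on inside are pinned."""
    statics = [
        StaticArp("outside", "10.0.0.1", "00aa.bbcc.ddee"),   # default gateway
        StaticArp("inside", "10.0.0.10", "0011.2233.4455"),  # file server
    ]
    policies = {
        "outside": InspectionPolicy(enabled=True, flood=True),
        "inside": InspectionPolicy(enabled=True, flood=False),   # strict: unknown senders dropped
        "dmz": InspectionPolicy(enabled=False, flood=True),
        MGMT_IFACE: InspectionPolicy(enabled=True, flood=True),  # flood setting has no effect here
    }
    interfaces = ["outside", "inside", "dmz", MGMT_IFACE]
    return statics, policies, interfaces


if __name__ == "__main__":
    statics, policies, interfaces = sample_topology()
    spoof = ArpPacket("inside", "10.0.0.1", "00aa.bbcc.ddee")   # inside host claims the gateway
    print(inspect_arp(spoof, statics, policies, interfaces))
```

Note what the static entry buys you: an inside host that replays the gateway's genuine MAC still fails inspection, because the entry also pins the interface. Hosts without a static entry are not protected at all; set flood to no-flood on an interface only once every legitimate sender there has an entry, or you will drop their ARP.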
30-6 Customizing the MAC Address Table: Add/Edit MAC Address Entry. The Add/Edit MAC Address Entry dialog box lets you add or edit a static MAC address entry.
PART 4 Configuring VPN
CHAPTER 31 SSL VPN Wizard: SSL VPN Feature. Clientless, browser-based SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. After authentication, users access a portal page and can access specific, supported internal resources.
31-2 SSL VPN Interface. Provide a Connection name (previously called tunnel group), enable an interface for SSL VPN connections, and provide digital certificate information in this window.
31-3 Group Policy. Modes: The following table shows the modes in which this feature is available. Group Policy: Group policies configure common attributes for groups of users. Create a new group policy or select an existing one to modify.
31-4 IP Address Pools and Client Image. Provide a range of IP addresses to remote SSL VPN users and identify SSL VPN client images to the security appliance in this window.
31-5 Summary. Modes table: Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System —.
CHAPTER 32 VPN. The security appliance creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections.
32-2 VPN Wizard. Note: The VPN wizard lets you assign either preshared keys or digital certificates for authentication. However, to use certificates, you must enroll with a certification authority and configure a trustpoint prior to using the wizard.
32-3 VPN Wizard. • Enable inbound IPsec sessions to bypass interface access lists—Enable IPsec authenticated inbound sessions to always be permitted through the security appliance (that is, without a check of the interface access-list statements).
32-4 VPN Wizard. When two peers want to communicate, they exchange certificates and digitally sign data to authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of the other peers require additional configuration.
32-5 VPN Wizard. Fields • Encryption—Select the symmetric encryption algorithm the security appliance uses to establish the Phase 1 SA that protects Phase 2 negotiations.
32-6 VPN Wizard. For IPsec to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks.
32-7 VPN Wizard. Fields • Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote product—Click for IPsec connections, including compatible software and hardware clients other than those named here.
32-8 VPN Wizard. – Pre-shared Key—Type the preshared key. – Certificate—Click to use certificates for authentication between the local security appliance and the remote IPsec peer.
32-9 VPN Wizard. • Authenticate using an AAA server group—Click to use an external server group for remote user authentication. • AAA Server Group Name—Select a AAA server group configured previously.
32-10 VPN Wizard: User Accounts. Use the User Accounts panel to add new users to the security appliance internal user database for authentication purposes. Fields: Provide the following information: • User to Be Added—Use the fields in this section to add a user.
32-11 VPN Wizard: Attributes Pushed to Client. Use the Attributes Pushed to Client (Optional) panel to have the security appliance pass information about DNS and WINS servers and the default domain name to remote access clients.
32-12 VPN Wizard. Fields • Host/Network to Be Added—Complete these fields to exempt a particular host or network from NAT. – Interface—Select the name of the interface that connects to the hosts or networks you have selected.
CHAPTER 33 Configuring Certificates. Digital certificates provide digital identification for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address.
33-2 CA Certificate Authentication: CA Certificates. Fields • Certificates—Displays a list of the certificates available, identified by issued to and by, the date the certificate expires, and the certificate’s usage or purpose.
33-3 CA Certificate Authentication: Add/Install a CA Certificate. The CA Certificate panel lets you add a new certificate configuration from an existing file, by manually pasting a certificate, or by automatic enrollment.
33-4 CA Certificate Authentication. – Retry Period: Specify the maximum number of minutes to retry installing a certificate. The default is one minute. – Retry Count: Specify the number of retries for installing a certificate.
33-5 CA Certificate Authentication: Request CRL. The Request CRL button updates the current version of the Certificate Revocation List (CRL). CRL update provides the current status of certificate users.
33-6 CA Certificate Authentication. The following panels are the tab-selectable displays that address CA certificate configuration specifics.
33-7 CA Certificate Authentication. The methods you select are implemented in the order in which you add them. If a method detects an error, subsequent revocation checking methods activate.
33-8 CA Certificate Authentication. • Click the Enable Lightweight Directory Access Protocol (LDAP) button to specify LDAP CRL retrieval. With LDAP, CRL retrieval starts an LDAP session by connecting to a named LDAP server, accessed by password.
33-9 CA Certificate Authentication: OCSP Rules. Fields • Certificate Map—Displays the name of the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate.
33-10 CA Certificate Authentication. The security appliance supports two methods of checking revocation status: CRL and OCSP. Fields • CRL Options – Cache Refresh Time—Specify the number of minutes between cache refreshes.
33-11 Identity Certificates Authentication. – Disable nonce extension—By default the OCSP request includes the nonce extension, which cryptographically binds requests with responses to avoid replay attacks.
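The two points made on pages 33-7 and 33-11, the ordered fall-through between revocation methods and what the OCSP nonce protects against, as one added Python model written for this page (not Cisco's code and not the appliance's implementation). The CrlChecker, OcspResponder and OcspChecker classes, the serial numbers and the "valid on error" switch are assumptions made for the example; the chain semantics are those the chapter states: a method that errors hands over to the next configured method, while a definitive good or revoked answer ends the chain.

```python
"""Added example (not Cisco's code): ordered revocation checking with error
fall-through, plus the replay protection the OCSP nonce provides.  The CrlChecker,
OcspResponder and OcspChecker classes and the 'valid on error' switch are
assumptions of this model, not ASA internals."""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


class MethodError(Exception):
    """The checking method itself failed (unreachable server, unusable response)."""


@dataclass
class CrlChecker:
    revoked: Optional[Set[int]]            # None models "CRL could not be retrieved"

    def check(self, serial: int) -> str:
        if self.revoked is None:
            raise MethodError("crl: download failed")
        return "revoked" if serial in self.revoked else "good"


@dataclass
class OcspResponder:
    revoked: Set[int]
    reachable: bool = True
    replay: Optional[dict] = None          # a stale response an attacker injects instead

    def respond(self, request: dict) -> dict:
        if not self.reachable:
            raise MethodError("ocsp: responder unreachable")
        if self.replay is not None:
            return dict(self.replay)       # old (validly signed) response; its nonce is not ours
        status = "revoked" if request["serial"] in self.revoked else "good"
        return {"serial": request["serial"], "status": status, "nonce": request["nonce"]}


@dataclass
class OcspChecker:
    responder: OcspResponder
    use_nonce: bool = True                 # the ASDM "Disable nonce extension" box clears this

    def check(self, serial: int) -> str:
        nonce = secrets.token_bytes(16) if self.use_nonce else None
        resp = self.responder.respond({"serial": serial, "nonce": nonce})
        if self.use_nonce and resp.get("nonce") != nonce:
            raise MethodError("ocsp: nonce mismatch, response not bound to this request")
        return resp["status"]


def revocation_status(serial: int, methods: list,
                      valid_on_error: bool = False) -> Tuple[str, List[str]]:
    """Run the methods in configured order.  A definitive answer ("good" / "revoked")
    ends the chain; a MethodError moves on to the next method.  If every method
    errors, the result is "error" unless the deployment chose to accept that as valid."""
    errors: List[str] = []
    for method in methods:
        try:
            return method.check(serial), errors
        except MethodError as exc:
            errors.append(str(exc))
    return ("good" if valid_on_error else "error"), errors


def replay_scenario(use_nonce: bool) -> str:
    """Serial 7 is revoked, but an attacker on the path replays an older 'good' response."""
    stale = {"serial": 7, "status": "good", "nonce": b"stale-nonce-from-last-week"}
    responder = OcspResponder(revoked={7}, replay=stale)
    status, _ = revocation_status(7, [OcspChecker(responder, use_nonce=use_nonce)])
    return status
```

Two things worth checking in a real deployment follow from the model: a "revoked" answer from the first method is final and never re-asked of the second, so ordering only matters for availability, not for strictness; and disabling the nonce (some responders require it, because they serve pre-computed responses) means a replayed "good" answer for a revoked certificate is accepted, so that box should stay clear unless the responder forces the issue.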
33-12 Identity Certificates Authentication: Add/Install an Identity Certificate. The Identity Certificate panel lets you import an existing identity certificate from a file or add a new certificate configuration from an existing file.
33-13 Identity Certificates Authentication. Click the appropriate option to activate one of the following: Add Identity Certificate
33-14 Identity Certificates Authentication. – Name (in Key Pair > New window)—Selects a default key pair name, such as <Default-RSA-Key>, or you can enter a new key pair name.
33-15 Identity Certificates Authentication. – Value (in Certificate Subject DN > Select window)—Enter the value for each of the DN attributes that you select in the Attribute list.
33-16 Identity Certificates Authentication: Export Identity Certificate. Fields • Export to a file—Specify the name of the PK
33-17 Identity Certificates Authentication. – New—Click to add a new key pair, providing a name, modulus size, and usage. When you generate the key pair, you have the option of sending it to the security appliance or saving it to a file.
33-18 Code-Signer Certificates. Step 7 In the Advanced Options panel, verify that the FQDN: field is the correct FQDN of the security appliance and click OK to close the window. Step 8 In the Add Identity Certificate panel, click the Add Certificate at the bottom.
33-19 Code-Signer Certificates: Show Code-Signer Certificate Details. The Show Details button displays the Code Signer Details dialog
33-20 Local Certificate Authority: Import or Export a Code-Signer Certificate. Assign values to the fields in the Import Certificate
33-21 Local Certificate Authority. Note: The local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.
33-22 Local Certificate Authority: Configuring the Local CA Server. The CA Server window lets you customize, modify, and control Local CA server operation. This section describes the parameters that can be specified.
33-23 Local Certificate Authority. Note: Click Apply to be sure you save the Local CA certificate and key pair so the configuration is not lost if you reboot the security appliance.
33-24 Local Certificate Authority: SMTP Server & Email Settings. To set up e-mail access for the Local CA server, you configure
33-25 Local Certificate Authority. The Local CA database can be configured to reside on an off-box file system that is mounted and accessible to the security appliance.
33-26 Manage User Certificates: Reset Button. The Reset button removes any changes or edits and returns the display to the original contents.
33-27 Manage User Certificates. Whenever you change any certificate status, be sure to update the CRL to reflect the latest changes. • To change certificate status, see Revoking a Local CA Certificate and Unrevoking a Local CA Certificate.
33-28 Manage User Database. The Local CA user database contains user identification information and the status of each user in the system (enrolled, allowed, revoked, etc.).
33-29 Manage User Database: Add a Local CA User. The Add button allows you to enter a new user into the Local CA database. Each new user to be entered into the database must have a predefined user name, e-mail address, and subject name.
33-30 Manage User Database: Delete a Local CA User. The Delete button removes the selected user from the database and removes any certificates issued to that user from the Local CA database.
CHAPTER 34 IKE. IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec security association.
34-2 IKE Parameters. • Select the second or third option for the Fragmentation Policy parameter in the Configuration > VPN > IPsec > Pre-Fragmentation panel.
34-3 IKE Parameters: Alerting Peers Before Disconnecting. Client or LAN-to-LAN sessions may be dropped for several reasons, such as: a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
34-4 IKE Policies. – Key Id String—Type the alphanumeric string the peers use to look up the preshared key. • Disable inbound aggressive mode connections—Select to disable aggressive mode connections.
34-5 IKE Policies. – Priority #—Shows the priority of the policy. – Encryption—Shows the encryption method. – Hash—Shows the hash algorithm. – D-H Group—Shows the Diffie-Hellman group.
34-6 IKE Policies. D-H Group—Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. Lifetime (secs)—Either select Unlimited or type an integer for the SA lifetime.
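How the priority, encryption, hash, authentication, D-H group and lifetime fields listed on pages 34-4 to 34-6 combine when a peer connects, as an added Python model written for this page (not Cisco's code and not the appliance's negotiation code). The policy table, the proposals and the "weak" sets are constructed for the example; the matching rule it applies (policies tried in ascending priority number, a match needs the same encryption, hash, authentication and D-H group, the shorter lifetime is used, and an initiator lifetime longer than the responder's does not match) is this model's assumption, stated in the code, and the aggressive-mode switch models the "Disable inbound aggressive mode connections" box.

```python
"""Added example (not Cisco's code): how a responder picks an IKE (Phase 1) policy.
The policy table is constructed; the matching rule (same encryption, hash,
authentication and DH group; lower priority number tried first; shorter lifetime
wins; an initiator lifetime longer than the responder's does not match) is this
model's assumption, not a quote of ASA code."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

UNLIMITED: Optional[int] = None     # ASDM "Unlimited" lifetime


@dataclass(frozen=True)
class IkePolicy:
    priority: int            # 1..65535, lower number is tried first
    encryption: str          # "aes-256", "aes", "3des", "des"
    hash: str                # "sha", "md5"
    authentication: str      # "pre-share", "rsa-sig"
    dh_group: int            # 1, 2, 5, 7
    lifetime: Optional[int]  # seconds, None = unlimited


def lifetimes_compatible(responder: Optional[int], proposed: Optional[int]) -> bool:
    """Assumption of this model: the initiator's lifetime may not exceed the responder's."""
    if responder is None:
        return True
    return proposed is not None and proposed <= responder


def shorter(a: Optional[int], b: Optional[int]) -> Optional[int]:
    if a is None:
        return b
    if b is None:
        return a
    return min(a, b)


def negotiate(responder_policies: Iterable[IkePolicy], proposals: Iterable[IkePolicy],
              aggressive: bool = False, aggressive_allowed: bool = True) -> Optional[IkePolicy]:
    """Return the agreed policy, or None when nothing matches (or aggressive mode is refused)."""
    if aggressive and not aggressive_allowed:
        return None
    proposals = list(proposals)
    for pol in sorted(responder_policies, key=lambda p: p.priority):
        for prop in proposals:
            same_suite = ((pol.encryption, pol.hash, pol.authentication, pol.dh_group)
                          == (prop.encryption, prop.hash, prop.authentication, prop.dh_group))
            if same_suite and lifetimes_compatible(pol.lifetime, prop.lifetime):
                return replace(pol, lifetime=shorter(pol.lifetime, prop.lifetime))
    return None


WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1}


def weak_policies(policies: Iterable[IkePolicy]) -> List[IkePolicy]:
    """Policies a peer can still talk the appliance down to; audit and remove them."""
    return [p for p in policies
            if p.encryption in WEAK_ENCRYPTION or p.hash in WEAK_HASH
            or p.dh_group in WEAK_DH_GROUPS or p.lifetime is None]


def sample_policies() -> List[IkePolicy]:
    """Constructed table: two reasonable entries and one legacy entry nobody removed."""
    return [
        IkePolicy(10, "aes-256", "sha", "pre-share", 5, 86400),
        IkePolicy(20, "3des", "sha", "pre-share", 2, 86400),
        IkePolicy(30, "des", "md5", "pre-share", 1, UNLIMITED),
    ]


if __name__ == "__main__":
    legacy = IkePolicy(1, "des", "md5", "pre-share", 1, 86400)
    print(negotiate(sample_policies(), [legacy]))
```

The point of the legacy entry: priority order only decides which of the matching policies wins. A peer that offers nothing but DES/MD5/group 1 still gets the priority-30 entry, so a weak policy anywhere in the table is reachable by whoever chooses to propose it; weak_policies() is the audit that finds such entries, and the last assertion below shows the negotiation failing once they are gone.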
34-7 IKE Policies. ...only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of security appliance management.
34-8 IPsec. • Ending Address—Shows the last IP address available in each configured pool. • Subnet Mask—Shows the subnet mask for addresses in each configured pool. • Add—Click to add a new address pool.
34-9 IPsec. Note: The ASA supports LAN-to-LAN IPsec connections with Cisco peers, and with third-party peers that comply with all relevant standards.
34-10 IPsec. Fields. Note: You cannot edit, delete, or copy an implicit rule. The security appliance implicitly accepts the traffic selection proposal from remote clients when configured with a dynamic tunnel policy.
34-11 IPsec. • SA Lifetime—Displays the SA lifetime for the rule. • CA Certificate—Displays the CA certificate for the policy. This applies to static connections only. • IKE Negotiation Mode—Displays whether IKE negotiations use main or aggressive mode.
34-12 IPsec. ...central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically assigned IP addresses or when you do not want to configure separate policies for a large number of remote access clients.
34-13 IPsec: Create IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab. Fields • Security Association Lifetime parameters—Configures the duration of a Security Association (SA).
34-14 IPsec. – Add/Edit—Choose IP Address or Network Object Group to add more source addresses or groups. – Delete—Click to delete an entry. – Filter—Enter an IP Address to filter the results displayed.
34-15 IPsec. – Destination—Specify the IP address, network object group or interface IP address for the source or destination host or network. A rule cannot use the same address as both the source and destination.
34-16 IPsec. – Time Range—Specify the name of an existing time range or create a new range.
34-17 IPsec. Fields • Pre-Fragmentation—Shows the current pre-fragmentation configuration for every configured interface. – Interface—Shows the name of each configured interface. – Pre-Fragmentation Enabled—Shows, for each interface, whether pre-fragmentation is enabled.
34-18 IPsec: IPsec Transform Sets. Use this panel to view and add or edit transform sets. A transform is a set of operations done on a data flow to provide data authentication, data confidentiality, and data compression.
34-19 Load Balancing. – ESP Encryption—Selects the Encapsulating Security Payload (ESP) encryption algorithms for the transform sets. ESP provides data privacy services, optional data authentication, and anti-replay services.
34-20 Load Balancing. To implement load balancing, you logically group two or more devices on the same private LAN-to-LAN network into a virtual cluster. All devices in the virtual cluster carry session loads.
34-21 Load Balancing. – Enable IPsec Encryption—Enables or disables IPsec encryption. If you select this check box, you must also specify and verify a shared secret. The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec.
34-22 Setting Global NAC Parameters. Step 2 Add an entry for each of your security appliance outside interfaces into your DNS server, if such entries are not already present. Each security appliance outside IP address should have a DNS entry associated with it for lookups.
34-23 Configuring Network Admission Control Policies. ...server. When the timer expires, the security appliance tries to initiate a new EAP over UDP association with the remote host. The setting is in seconds.
34-24 Configuring Network Admission Control Policies. • Uses, Requirements, and Limitations • Fields • What to Do Next. About NAC: NAC protects
34-25 Configuring Network Admission Control Policies: Uses, Requirements, and Limitations. When configured to support NAC, the security appliance
34-26 Configuring Network Admission Control Policies. • Delete—Removes an entry from the Posture Validation Exception list. What to Do Next: Following the configuration of the NAC policy, you must assign it to a group policy for it to become active.
34-27 Configuring Network Admission Control Policies. Modes table (truncated): Firewall Mode: Routed •, Transparent —. Security Context: Single •
CHAPTER 35 General. A virtual private network is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANs, or remote users to a LAN.
35-2 Client Software. Fields • Enable Client Update—Enables or disables client update, both globally and for specific tunnel groups.
35-3 Client Software. For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification.
35-4 Default Tunnel Gateway. To configure the default tunnel gateway, click the Static Route link in this window. The Configuration > Routing > Routing > Static Route window opens.
35-5 Group Policies. • IPsec Security Associations. • Network lists for filtering and split tunneling. • User authentication servers, and specifically the internal authentication server.
35-6 Group Policies. Modes: The following table shows the modes in which this feature is available. Add AAA Server Group: The Add AAA Server Group dialog box lets you configure a new AAA server group.
35-7 Group Policies. • Address Pools—(Network (Client) Access only) Specifies the name of one or more address pools to use for this group policy.
35-8 Group Policies. • Manage—Opens the Browse Time Range dialog box, on which you can add, edit, or delete a time range. • Simultaneous Logins—Specifies the maximum number of simultaneous logins allowed for this user.
35-9 Group Policies. Fields • Bookmark List—Select a previously configured Bookmark list or click Manage to create a new one. Bookmarks appear as links, from which users can navigate from the portal page.
35-10 Group Policies. • HTTP Proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash.
35-11 Group Policies: Adding or Editing a Site-to-Site Internal Group Policy. The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.
35-12 Group Policies. ...for example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional recurring (that is, periodic) entries.
35-13 Group Policies. • Recurring Time Ranges—Constrains the active time of this time range within the start and end times when the time range is active.
35-14 ACL Manager. The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.
35-15 ACL Manager: Extended ACL. This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs. Fields • Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.
35-16 ACL Manager. • Time—Specifies the name of the time range to be applied in this rule. • Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: “Implicit outbound rule.”
35-17 ACL Manager. – Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select.
35-18 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Browse Source/Destination Address The Brow se Source or Destination Ad dress dialog box lets you select an obj ect to use a s a source or destinatio n for thi s rule. Fields • T ype—Determines the type of object to use as the source or destination for th is rule.
35-19 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Modes The follo wing table sho ws the modes in which this featur e is av ailable: Add TCP Service Group The Add TCP Service Group.
35-20 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager • Filter/Clear—Specif ies a filter crit erion that you can use to search for items in the Name list, thus displaying only thos e items that match that crit erion. When you make an en try in the Filter f ield, the Filter b utton becomes acti ve.
35-21 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Browse Other The Brow se Other dialog box lets you sel ect a protocol group for this rul e. Fields • Add—Opens the Add Pro tocol Group dialog box, on which you can conf igure a ne w service group.
35-22 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add/Edit Internal Group Policy > Servers The Add or Edit Group Polic y windo w , Servers item lets you specify DNS and WINS servers, as well as the DHCP scope and default domain.
35-23 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Server Addresses (space delimited )—Specifies the IP addresses of the IPSec backup servers. This f ield is a v ailable only when th e v alue of the Server Co nfiguratio n selection is Use the Backup Servers Belo w .
35-24 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Y o u must specify the so ftware ver sion for this client. Y ou can specify * to ma tch any version. – Y o ur entries must match e xactly those on the URL fo r the VPN client, or the TFTP serv er for the VPN 3002.
35-25 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Fields • Inherit—(Multiple instances) Indicates that the corresponding setting tak es its v alue from the default gro up policy . Deselecting the Inherit check box mak es other options a v ailable f or the parameter .
35-26 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Note A carriage return/line feed, create d by pressing Enter , counts as 2 characters.
35-27 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add or Edit Internal Group Policy > Advanced > IE Browser Proxy This dialog bo x configures attribut es for Microsoft Internet Explorer . Fields • Proxy Server Po licy—Conf igures the Micro soft Internet Explorer bro wser prox y actions (“methods”) for a client PC.
35-28 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager – Rotating prox ies by time of day or day of the week to accommodate a server maintenance schedule. – Specifying a backup proxy serv er to use in case the pr imary proxy fails.
35-29 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add/Edit Internal Group Poli cy > Client Firewall Tab The Add or Edit Group Policy wi ndo w , Client Firew all tab, lets you con figur e fir ew all settings for VPN clients for the group po licy being added or modified .
35-30 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Note If you require a f ire wall for a group , make sure the group does not in clude any clients ot her than W indo ws VPN clients. An y other clients in the group (in cluding ASA 5505 in client mode an d VPN 3002 hardwa re clients) are unable to connect.
35-31 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Add/Edit Internal Group Poli cy > Hardware Client Tab The Add or Edit Group Poli cy > Hardw are Client dialog box lets you co nfigure sett ings for the VPN 3002 hardw are client for the group polic y being adde d or modi fied .
35-32 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager If you ha ve a def ault home page on the remote network behind the security appli ance, or if you direct the bro wser to a website on the remote netwo rk behi nd the security appliance, the hardware client directs the bro wser to the proper pages for user lo gin.
35-33 Cisco ASDM User Guide OL-16647-01 Chapter 35 General ACL Manager Note Cisco LEAP au thenticates wi reless clients to RA DIUS servers. It d oes not include RADI US accounting services.
35-34 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Conn ections Fields • List Name—Specif ies the name of the list to be added or selects the nam e of the list t o be modif ied or deleted. • URL Display Name—Specif ies the URL name d isplayed to the user .
35-35 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Connections Connection Prof iles—Conf igure protocol-specif ic attrib utes for connect ions (tunnel groups). • Add/Edit—Click to Add or Edit a Connectio n Profile (tun nel group).
35-36 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Conn ections Setting Advanced Attributes for an IPSec or SSL VPN Connection Use the advanced attrib utes to fine-tune the p arameters of the IPSec or SSL VPN co nnection.
35-37 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Connections Lookup. Y ou append the group to the username in the format username<delimiter>gr oup , the possibilities being, for e xample, J aneDoe@VPNGr oup, Ja neDoe#VPNGr oup , and J aneDoe!VPNGr oup .
35-38 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections Note This does not change the number of days before the password expi res, but rather , it enables the notif ication. If you select this o ption, you must also specify t he number of days.
35-39 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections • Keep Installer on Client System —Enable to all ow permanent client installation on th e remote computer . Enabling disables the automatic uninstall ing feature of the client.
35-40 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections Figur e 35-1 Promp t Displa yed t o Remot e Users f or SSL VPN Client Do wnload Fields • Inherit—Check to i nherit the v alue from the def ault group polic y .
35-41 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring SSL VPN Client Connections Dead Peer Detection Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect a condition where the pe er is not responding, and the connect ion has failed.
35-42 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections Fields • V iew (Unlabel ed)—Indicates whether the selected entry is e xpanded (minus sign) o r contracted (plus sign). • # column—Specifies the A CE ID number .
35-43 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clientless SSL VPN Connections – Add—Opens the Add Clientl ess SSL VPN dialog box for the selected conn ection. – Edit—Opens the Edit Clien tless SSL VPN dialog box for the sel ected connection.
35-44 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections • Clientless SSL VPN attrib utes. Add or Edit Clientless SSL VPN Connections > Advanced >.
35-45 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clientless SSL VPN Connections day that the p assword expires. The default is to notify t he user 14 days prior to password expir ation and e very day thereafter unti l the user changes the password.
35-46 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections Assign Authentication Server Group to Interface This dialog box lets you associate an interf ace with a AAA serv er group. The results app ear in the table on the Authenticati on dialog box.
35-47 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clientless SSL VPN Connections Add or Edit SSL VPN Connections > Advanced > SSL VPN This dialog box lets you config ure attrib utes that af fect what the remote user sees upon login.
35-48 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Configuring Clien tless SSL VPN Connections Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers The table on this dialog b ox shows the attributes of the already-configured NetBIOS serv ers.
35-49 Cisco ASDM User Guide OL-16647-01 Chapter 35 General IPSec Remote Access Co nnection Profiles Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN This dialog box lets you specify portal-related attrib utes for Clientless SSL VPN connections.
35-50 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Add or Edit an IPSec Remo te Access Connection Profile Add or Edit an IPSec Remote Access Connection Profile The Add or Edit IPSec Remote Acce ss Connection Prof ile dialog box has a na vigation pane that lets you select basic or advanced elements to conf igure.
35-51 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles – Manage—Opens the Conf igure Group Policies dialog box, fro m which you can add, edit, or delete grou p policies. – Client Protocols—Selects the proto col or protocols to u se for this connection.
35-52 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Add/Edit Certif icate Matching Rule Criterion Add/Edit Certificate Matching Rule Use the Add/Edit Certif icate Matching Rule dialog box to assign the name of a li st (map) to a connection profile.
35-53 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit Certificate Matching Rule Criterion Use the Add/Edit Certificate Matching Rule Criterion dialog box to conf igur e a certif icate matching rule criterion for the selected grou p.
35-54 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Operator —Select the operator used in the rule: – Equals —The distinguished name f ield must e xactly match the v alue. – Contains —The distinguished name f ield must in clude the v alue within it.
35-55 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit Site-to-Site Connection The Add or Edit IPSec Si te-to-Site Connection dialog box lets you create or modify an IPSec Site-to-Site connection.
35-56 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Adding or Editing a Site-to-Site Tunnel Group The Add or Edit IPSec Site-to-Site T unnel Group dialog box lets you specify attr ibutes for the IPSec site-to-site conn ection that you ar e adding.
35-57 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Crypto Map Entry In this windo w , specify crypto para meters for the Con nection Prof ile. Fields • Priority —A unique priority (1 through 65 ,543, with 1 the highest priority) .
35-58 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Perfect F orward Secrecy —Ensures that the key for a gi ven IPSec SA w as not deriv ed from any other secret (lik e some other keys).
35-59 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Sho w Details—Displays detailed inf ormation about a certif icate that you select in the table. • Delete—Removes the selected certificate from th e table.
35-60 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Fields • The radio buttons specify whether to check certif i cates for rev ocation.
35-61 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Note Allowi ng ov erride account-disabled is a poten tial security risk.
35-62 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles – T o add an address pool to th e security appliance, choose Add . The Add IP Pool dialog box opens. – T o change th e conf iguration of an addres s pool on the security appliance, choose Edit .
35-63 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Fields Use the follo wing descriptions to assign v alues to the f ields in this.
35-64 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Select Address Pools The Select Address Pools windo w sho ws the poo l name, st.
35-65 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit Tunnel Group > G eneral Tab > Authentication This dialog bo x is av ailable fo r IPSec on Remote Access and Site-to-Si te tunnel groups.
35-66 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles – Server Group—Select an av ailabl e, pre viously conf igured authorization server group or group of servers, i ncluding the LOCAL grou p.
35-67 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Add/Edit SSL VPN Connections > Advanced > Accounting The settings on this dialog box apply to the connection (t unnel group) globally across th e security appliance.
35-68 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Add/Edit Tunnel Group > General > Advanced The Add or Edit T unnel Group .
35-69 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Authentication Mode—S pecifies t he authentication mode: none, xauth, o r hybrid. – none—Specif ies no authentication mode.
35-70 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles • Client VPN Software Up date T able—Li sts the client type , VPN Client revisions, and image UR L for each cl ient VPN softw are packag e installed.
35-71 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Default Gr oup Polic y—Specif ies the follo wing group-po licy attr ibutes: – Group Polic y—Selects a group polic y to use as the def ault group polic y .
35-72 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Fields • Name—Specif ies the name assigned to this tun nel group. For th e Edit function, this f ield is display-only . • T ype—( Display-only ) Display s the type of tun nel group you are adding or editing.
35-73 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles – Enable notif ication pri or to expirat ion—When you check this op tion, t.
35-74 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles 2. An extended authentication (xau th) e xchange then au thenticates th e remote VPN user . This extended authentication can use one of th e supported le gac y authentication methods.
35-75 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles – Image URL—Specif ies the URL or IP address fr om which the correct VPN client software image can be do wnloaded. Fo r W indo ws-based VPN clients, the URL must be of the form htt p:// or https://.
35-76 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles that support such notification; that is, RA DIUS, RADIUS with an NT serv er , and LD AP servers. The security appliance ign ores this command if RADIUS or LD AP auth entication has not been configured.
35-77 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles Configuring Internal Group Policy IPSec Client Attributes Use this windo w to specify whether to strip the re alm and group from the username before passing them to the AAA serv er , and to specify passw ord management options.
35-78 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSe c or SSL VPN Connection Profiles Note Allowi ng ov erride account-disabled is a poten tial security risk.
35-79 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Mapping Certificates to IPSec or SSL VPN Connec tion Profiles • Add—Opens the Assign Address Pool s to Interface windo w , on which you can select an interf ace and select an address pool to assign.
35-80 Cisco ASDM User Guide OL-16647-01 Chapter 35 General System Options Add or Edit an IP Address Pool Config ures or modif ies an IP address pool. Fields • Name—Specifies th e name assign ed to the IP address pool. • Starting IP Address—Specif ies the f irst IP address in the pool.
35-81 Cisco ASDM User Guide OL-16647-01 Chapter 35 General System Options Y ou can require an access rule to apply to the lo cal IP addresses by unchecking this option. The access rule applies to the local IP address, and not to the original client IP address used before the VPN packet w as decrypted.
35-82 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Zone Labs Integrity Server • Policy—Select s the split-tunneling policy , specifying whether to include or e xclude from the tunnel the indicated network lists. If you do not select Inherit, t he default is Exclude N etwork List Belo w .
35-83 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Zone Labs Integrity Server Note The current release of the security appliance supports one Inte grity Serv er at a time ev en though the user interfaces suppor t the confi guration of up to f i ve Int egrity Serv ers.
35-84 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Easy VPN Remote Easy VPN Remote Easy VPN Remote lets the ASA 5505 act as an Easy VPN client de vice.
35-85 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Easy VPN Remote – Group Passw ord—Specif ies the password to use with the speci fied group p olicy . – Confir m Password —Requires you to conf irm the group passw ord just entered. – X.
35-86 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Advanced Easy VPN Pro perties Advanced Easy VPN Properties Device Pass-Through Certain de vices like Ci sco IP phones, printers, and the like are incapable of performing authentication, and therefore of particip ating in indi vidual uni t authentication.
35-87 Cisco ASDM User Guide OL-16647-01 Chapter 35 General Advanced Easy VPN Propertie s – Add—Mov es the specif ied IP address and mask to the IP Addr ess/Mask list. – Remov e—Mov es the selected IP address and mask pair from the IP Address/ Mask list to the indi vidual IP Address and Mask fields in this area.
36-1 CHAPTER 36 Configuring Dynamic Access Policies: This chapter describes how to configure dynamic access policies.
36-2 • DfltAccessPolicy—Always the last entry in the DAP summary table, always with a priority of 0.
36-3 DAP Support for Remote Access Connection Types: The DAP system supports the f.
36-4 DAP and Endpoint Security: The security appliance obtains endpoint security attributes by using posture assessment methods that you configure.
36-5 Antivirus (Requires Cisco Secure Desktop): endpoint.av.label.exists (source: Host Scan, value: true) — Antivirus program exists. endpoint.av.
36-6 DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs: The security appliance uses a DAP policy when the user attributes match the configured AAA and endpoint attributes.
36-7 Fields: • Selection Criteria—Determine the AAA and endpoint attributes to test for dynamic access policy retrieval. • AAA Attributes – AAA Attribute—Identifies the AAA attribute.
36-8 Step 8 In the Advanced field you can enter one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas above.
36-9 • Access Policy Attributes—These tabs let you set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.
36-10 – File Server Browsing—Enables or disables CIFS browsing for file servers or shared features. Note: Browsing requires NBNS (Master Browser or WINS).
36-11 has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes.
36-12 – Both-default-AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect.
36-13 LDAP attributes consist of an attribute name and attribute value pair in the DAP record.
36-14 Retrieve AD Groups from selected AD Server Group: You can query an Active Directory server for available AD groups in this window.
36-15 Fields: • Endpoint Attribute Type—Select from the drop-down list the endpoint attribute you want to set.
36-16 • Policy (Location)—Enter the Cisco Secure Desktop Microsoft Windows location profile, case sensitive.
36-17 Example: EVAL(endpoint.os.version, “EQ”, “Windows XP”, “string”) Constructing DAP Logical Expressions: Study these examples for help in creating logical expressions in Lua.
36-18 You use ASDM to configure CheckAndMsg through the Advanced field in DAP.
36-19 You can build the expression in this example because the debug dap trace returns: endpoint.
36-20 The expected result is that the connection is not allowed and the message appears as a blinking ! point. Step 5 Click the blinking ! to see the message and links for remediation.
36-21 end)() Further Information on Lua: You can find detailed Lua programming information at http://www.lua.org/manual/5.1/manual.
36-22 Using DAP to Apply a WebVPN ACL: DAP can directly enforce a subset of access policy attributes including Network ACLs (for IPsec and AnyConnect), clientless SSL VPN Web-Type ACLs, URL lists, and Functions.
37-1 CHAPTER 37 Clientless SSL VPN End User Set-up: This section is for the system administrator who sets up Clientless (browser-based) SSL VPN for end users. It summarizes configuration requirements and tasks for the user remote system.
37-2 Communicating Security Tips: Advise users always to log out from the session. (To log out of Clientless SSL VPN, click the logout icon on the Clientless SSL VPN toolbar or close the browser.
37-3 Table 37-2 Clientless SSL VPN Remote System Conf.
37-4 Using the Floating Toolbar in a Clientless SSL VPN Connection: A floating toolbar is available to simplify the use of Clientless SSL VPN.
37-5 Network Browsing and File Management: File permissions configured for shared remote access. Only shared folders and files are accessible via Clientless SSL VPN.
37-6 Using Applications (called Port Forwarding or Application Access): Note: On Macintosh OS X, only the Safari browser supports this feature.
37-7 Capturing Clientless SSL VPN Data: The CLI capture command lets you log information about websites that do not display properly over a Clientless SSL VPN connection.
37-8 Creating a Capture File: Perform the following steps to capture data about a Clientless SSL VPN session to a file. Step 1 To start the Clientless SSL VPN capture utility, use the capture command from privileged EXEC mode.
37-9 https://IP_address or hostname of the security appliance/webvpn_capture.html The captured content displays in a sniffer format.
38-1 CHAPTER 38 Clientless SSL VPN: Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client.
38-2 • Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a Clientless SSL VPN connection.
38-3 Add ACL: This pane lets you create a new ACL. Fields: • ACL Name—Enter a name for the ACL. Maximum 55 characters. Add/Edit ACE: An Access Control Entry permits or denies access to specific URLs and services.
38-4 Examples: Here are examples of ACLs for Clientless SSL VPN: Modes: The following t.
38-5 Note: If you click the Browse Flash button to upgrade or downgrade the Cisco Secu.
38-6 You can use the buttons in this window as follows: • To select the path of the securedesktop_asa_<n>_<n>*.
38-7 Configuring Application Helper: Clientless SSL VPN includes an Application Profile Customization Fra.
38-8 Upload APCF package: Fields: • Local File Path—Shows the path to the APCF file on your computer. Click Browse Local to automatically insert the path in this field, or enter the path.
38-9 Auto Signon: The Auto Signon window or tab lets you configure or edit auto signon for users of Clientless SSL VPN. Auto signon is a simplified single signon method that you can use if you do not already have an SSO method deployed on your internal network.
38-10 Add/Edit Auto Signon Entry: The Add/Edit Auto Signon Entry dialog box lets you add or edit a new auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method.
38-11 Configuring Session Settings: The Clientless SSL VPN Add/Edit Internal Group Policy > More Options > Session Settings window lets you specify personalized user information between clientless SSL VPN sessions.
38-12 Java Code Signer: Code signing appends a digital signature to the executable code itself. This digital signature provides enough information to authenticate the signer as well as to ensure that the code has not been subsequently modified since signed.
38-13 • Restore Cache Default—Click to restore default values for all cache parameters.
38-14 Add/Edit Content Rewrite Rule: • Enable content rewrite—Click to enable content rewrite for this rewrite rule. • Rule Number—(Optional) Enter a number for this rule.
38-15 Fields: • Code Signer Certificate—Choose the configured certificate that you want to employ in Java object signing.
38-16 – windows-1252 – none If you choose none or specify a value that the browser on the Clientless SSL VPN session does not support, it uses its own default encoding.
38-17 – shift_jis Note: If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.
38-18 • The following example matches URLs such as http://www.cisco.com and ftp://wwz.carrier.com: access-list test webtype permit url *://ww?.c*co*/ • The following example matches URLs such as http://www.
38-19 Modes: The following table shows the modes in which this feature is available: Port Forwarding: Both the Port Forwarding pane and Configure Port Forwarding Lists dialog box let you view the port forwarding lists.
38-20 Requirements and Restrictions: The following restrictions apply to port forwarding: • The remote host must be running a 32-bit version of one of the following: – Microsoft Windows Vista, Windows XP SP2 or SP3; or Windows 2000 SP4.
38-21 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Port Forwarding • Neither port forw arding nor the ASDM Ja v a applet work with user authent ication using digital certificates. Ja v a does not have the ability to acce ss the web bro wser ke ystore.
38-22 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring the Use of External Proxy Servers Configuring the Use of External Proxy Servers Use the Proxies pane to conf igure the security appliance to u se external proxy servers to handle HTTP requests and HTTPS requests.
38-23 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Proxy Bypass • IP Address—Enter the host name or IP address of the external HTTPS proxy s erver • Port—Enter the port that listens fo r HTTPS requests. The default port is 4 43.
38-24 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN Configuring Proxy Bypass • Path Mask—Di splays the URI path to match for proxy b ypass. • URL—Displays the tar get URLs. • Re write—Displays the re write options . These are a combination of XML, link, or non e.
38-25 Cisco ASDM User Guide OL-16647-01 Chapter 38 Clientless SSL VPN DTLS Settings DTLS Settings Enabling Datagram T ransport Layer Security (DTLS) allo ws the AnyCon nect VPN Client establish ing an SSL VPN connection to use tw o simultaneous tunnels—an SSL tunnel and a DTLS tunnel.
38-26 SSL VPN Client Settings The security appliance downloads the client based on the group policy or local user policy attributes.
38-27 SSL VPN Client Settings Add/Replace SSL VPN Client Image In this window, you can specify a filename for a file on the security appliance flash memory that you want to add as an SSL VPN client image, or to replace an image already listed in the table.
38-28 SSL VPN Client Settings Modes The following table shows the modes in which this feature is available: Add/Edit SSL VPN Client.
38-29 Bypass Interface Access List • Flash File System Path—Identifies the filename of the file in the flash memory of the security appliance that you want to identify as a client profile.
38-30 SSO Servers • To configure SSO with the HTTP Form protocol, see Configuring Session Settings.
38-31 SSO Servers SAML POST SSO Server Configuration Use the SAML server documentation provided by the server software vendor to configure the SAML server in Relying Party mode.
38-32 Clientless SSL VPN Access Step 2 Using your Cisco.com login, download the file cisco_vpn_auth.jar from http://www.cisco.com/cgi-bin/tablebuild.pl/asa and copy it to the default library directory for the SiteMinder server.
38-33 Clientless SSL VPN Access • Configure the amount of security appliance memory that Clientless SSL VPN can use.
38-34 Configuring Smart Tunnel Access Modes The following table shows the modes in which this feature is available: For More Informa.
38-35 Configuring Smart Tunnel Access • Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.
38-36 Configuring Smart Tunnel Access • When smart tunnel starts, the security appliance tunnels all traffic from the browser process the user used to initiate the clientless session.
38-37 Configuring Smart Tunnel Access Configuring a Smart Tunnel (Lotus example) To configure a Smart Tunnel, perform the following steps: Note These example instructions provide the minimum instructions required to add smart tunnel support for an application.
38-38 Configuring Smart Tunnel Access Add or Edit Smart Tunnel List The Add Smart Tunnel List dialog box lets you add a list of smart tunnel entries to the security appliance configuration.
38-39 Configuring Smart Tunnel Access For Windows, if you want to add smart tunnel access to an application started from the command prompt, you must specify “cmd.
38-40 Configuring Smart Tunnel Access Modes The following table shows the modes in which this feature is available: Add or Edit Smar.
38-41 Configuring Smart Tunnel Access Add or Edit Smart Tunnel Auto Sign-on Server Entry The Add or Edit Smart Tunnel Entry dialog box lets you identify a server to be added to a smart tunnel auto sign-on list.
38-42 Configuring Smart Tunnel Access Configuring Customization Objects You can customize all end-user visible content on the clientless SSL VPN portal.
38-43 Configuring Smart Tunnel Access Add Customization Object To add a customization object, create a copy of the DfltCustomization object and give it a unique name. Then you can modify or edit it to meet your requirements.
38-44 Configuring Smart Tunnel Access Creating XML-Based Portal Customization Objects and URL Lists This section includes the following.
38-45 Configuring Smart Tunnel Access text text Arbitrary URL empty string info-panel node The panel with a custom text and image mo.
38-46 Configuring Smart Tunnel Access window node see authentication page description title-text string Arbitrary string Empty string t.
38-47 Configuring Smart Tunnel Access prompt-box-title string Arbitrary string Address Title for URL prompt box browse-button-text.
38-48 Configuring Smart Tunnel Access Customization Example The following example illustrates the following customization options: .
38-49 Configuring Smart Tunnel Access <logout-form> <form> <title-text l10n="yes">title WebVPN Logon</tit.
38-50 Configuring Smart Tunnel Access <type>RSS</type> <url>rss.xyz.com?id=78</url> </pane> <pane> <id>text_pane</id> <type>TEXT</type> <url>rss.
38-51 Configuring Smart Tunnel Access Note: all white spaces in tag values are significant and preserved.
38-52 Configuring Smart Tunnel Access Tag: custom/auth-page/title-panel/font-color Description: The background color of the title panel.
38-53 Configuring Smart Tunnel Access Description: Text of the information panel Text: arbitrary string Default value: empty string ****.
38-54 Configuring Smart Tunnel Access Value: HTML color format, for example #FFFFFF Default value: #000000 Tag: custom/auth-page/logon-f.
38-55 Configuring Smart Tunnel Access ********************************************************* Tag: custom/portal/window Description: C.
38-56 Configuring Smart Tunnel Access Tag: custom/portal/application/mode Description: The application mode Value: enable|disable Default value: enable Tag: custom/portal/application/id Description: The application ID.
38-57 Configuring Smart Tunnel Access Tag: custom/portal/column (multiple) Description: Contains settings of the home page column(s) Tag: custom/portal/column/order Description: The order of the column from left to right.
38-58 Configuring Smart Tunnel Access Value: URL string Default value: empty string Tag: custom/portal/pane/text Description: The text v.
38-59 Configuring Smart Tunnel Access <text>?? (Japanese)</text> </language> - <language> <code>ru</cod.
38-60 Configuring Smart Tunnel Access <font-color>#000000</font-color> <background-color>#ffffff</background-color&.
38-61 Configuring Smart Tunnel Access </text> <logo-url l10n=" yes ">/+CSCOU+/csco_logo.
38-62 Configuring Smart Tunnel Access <mode>enable</mode> <id>app-access</id> - <tab-title l10n=" yes &q.
38-63 Help Customization <title /> <url l10n=" yes " /> <notitle /> <column /> <row /> <heigh.
38-64 Help Customization Language—Displays the abbreviation of the language rendered by the browser. This field is not used for file translation; it indicates the language used in the file.
38-65 Help Customization https://address_of_security_appliance/+CSCOE+/help/en/rdp-hlp.inc Step 3 Choose File > Save (Page) As. Caution Do not change the contents of the File name box.
38-66 Configuring Browser Access to Client-Server Plug-ins present in the Browse Language Code dialog box, enter the abbreviation for the language you want into the Language Code field and click OK, or enter it into the Language text box to the left of the dots.
38-67 Configuring Browser Access to Client-Server Plug-ins About Installing Browser Plug-ins A browser plug-in is a separate program that a web browser invokes to perform a dedicated function, such as connecting a client to a server within the browser window.
38-68 Configuring Browser Access to Client-Server Plug-ins Plug-in Requirements and Restrictions Clientless SSL VPN must be enabled on the security appliance to provide remote access to the plug-ins.
38-69 Configuring Browser Access to Client-Server Plug-ins • vnc-plugin.jar—The Virtual Network Computing plug-in lets the remote user use a monitor, keyboard, and mouse to view and control a computer with remote desktop sharing turned on.
38-70 Configuring Browser Access to Client-Server Plug-ins The plug-in is now available for future Clientless SSL VPN sessions.
38-71 Language Localization Step 3 Extract the following files from the Citrix Java client: • JICA-configN.jar • JICAEngN.jar You can use WinZip to perform this step and the next.
38-72 Language Localization The software image package for the security appliance includes a language localization template for each domain that is part of the standard functionality.
38-73 Language Localization Language—The language of existing Language Localization tables.
38-74 AnyConnect Customization Language—Specify a language. Use an abbreviation that is compatible with the language options of your browser. The security appliance creates the new translation table with this name.
38-75 AnyConnect Customization Fields Import—Launches the Import AnyConnect Customization Objects dialog, where you can specify a file to import as an object.
38-76 AnyConnect Customization Installs Specify files for customizing the AnyConnect client installation in this panel. Note The security appliance does not support this feature for the AnyConnect VPN client, versions 2.
38-77 AnyConnect Customization When exporting, it is automatically filled in with the name from the entry you selected in the table. When importing, you enter the language name in the manner that you want it to be identified.
38-78 AnyConnect Customization Configure GUI Customization Objects (Bookmark Lists) This dialog box lets you add, edit, delete, import, and export bookmark lists. The Bookmarks window lets you configure lists of servers and URLs for access over clientless SSL VPN.
38-79 AnyConnect Customization • Add—Opens the Add Bookmark Entry dialog box, on which you can configure a new server or URL and display name. • Edit—Opens the Edit Bookmark Entry dialog box, on which you can configure a new server or URL and display name.
38-80 AnyConnect Customization • Enable Smart Tunnel Option—Select to open the bookmark in a new window that uses the smart tunnel feature to pass data through the security appliance to or from the destination server.
38-81 AnyConnect Customization Configure GUI Customization Objects (Web Contents) This dialog box lets you import and export web content objects. Fields • File Name—Displays the names of the web content objects.
38-82 AnyConnect Customization Add/Edit Post Parameter Use this pane to configure post parameters for bookmark entries and URL lists.
38-83 AnyConnect Customization Using Macros 1 - 4 The security appliance obtains values for the first four substitutions from the SSL VPN Login page, which includes fields for username, password, internal password (optional), and group.
38-84 AnyConnect Customization Figure 38-1 Using ASDM to Configure a Macro that Sets a Homepage Example 2: Setting a Bookmark or UR.
38-85 AnyConnect Customization Figure 38-2 Configuring a Bookmark Entry.
38-86 AnyConnect Customization.
CHAPTER 39-1 Cisco ASDM User Guide OL-16647-01 39 E-Mail Proxy E-mail proxies extend remote e-mail capability to users of Clientless SSL VPN. When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol.
39-2 AAA This panel has three tabs: • POP3S Tab • IMAP4S Tab • SMTPS Tab Modes The following table shows the modes in which this feature is available: POP3S Tab The POP3S AAA panel associates AAA server groups and configures the default group policy for POP3S sessions.
39-3 AAA Fields • AAA server groups—Click to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups.
39-4 AAA – Secondary DN Field—(Optional) Select the secondary DN field you want to configure for POP3S authorization.
39-5 AAA • Default Group Policy—Select the group policy to apply to IMAP4S users when AAA does not return a CLASSID attribute. If you do not specify a default group policy, and there is no CLASSID, the security appliance cannot establish the session.
39-6 AAA Modes The following table shows the modes in which this feature is available: SMTPS Tab The SMTPS AAA panel associates AAA server groups and configures the default group policy for SMTPS sessions.
39-7 Access – Primary DN Field—Select the primary DN field you want to configure for SMTPS authorization. The default is CN. Options include the following: – Secondary DN Field—(Optional) Select the secondary DN field you want to configure for SMTPS authorization.
39-8 Access Fields • Interface—Displays the names of all configured interfaces. • POP3S Enabled—Shows whether POP3S is enabled for the interface. • IMAP4S Enabled—Shows whether IMAP4S is enabled for the interface.
39-9 Authentication Edit E-Mail Proxy Access The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy.
39-10 Authentication Fields POP3S/IMAP4S/SMTPS Authentication—Lets you configure authentication methods for each of the e-mail proxy types. You can select multiple methods of authentication.
39-11 Default Servers Note IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username.
39-12 Default Servers Fields • POP3S/IMAP4S/SMTPS Default Server—Lets you configure a default server, port, and non-authenticated session limit for e-mail proxies. • Name or IP Address—Type the DNS name or IP address for the default e-mail proxy server.
39-13 Delimiters Modes The following table shows the modes in which this feature is available: Delimiters This panel lets you configure username/password delimiters and server delimiters for e-mail proxy authentication.
39-14 Delimiters Note Passwords for Clientless SSL VPN e-mail proxy users cannot contain characters that are used as delimiters. – Server Delimiter—Select a delimiter to separate the user name from the name of the e-mail server.
CHAPTER 40-1 Cisco ASDM User Guide OL-16647-01 40 Configuring SSL Settings SSL The security appliance uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to achieve secure message transmission for both ASDM and Clientless, browser-based sessions.
40-2 SSL Options for Client SSL versions include the following: • Encryption—Lets you set SSL encryption algorithms. – Available Algorithms—Lists the encryption algorithms the security appliance supports that are not in use for SSL connections.
40-3 SSL • Certificate—Click to select a previously enrolled certificate to associate with the named interface.
40-4 SSL.
PART 5 Monitoring the Security Appliance.
CHAPTER 41-1 Cisco ASDM User Guide OL-16647-01 41 Monitoring Interfaces ASDM lets you monitor interface statistics as well as interface-related features. ARP Table The ARP Table pane displays the ARP table, including static and dynamic entries.
41-2 DHCP DHCP Server Table The DHCP Server Table lists the IP addresses assigned to DHCP clients. Fields • IP Address—Shows the IP address assigned to the client. • Client-ID—Shows the client MAC address or ID.
41-3 DHCP Bound—The security appliance has a valid lease and is operating normally. Renewing—The security appliance is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply.
41-4 MAC Address Table – DHCPREQUEST – DHCPDECLINE – DHCPRELEASE – DHCPINFORM – BOOTREPLY – DHCPOFFER – DHCPACK – DHCPNAK • Count—Shows the number of times a specific message was processed.
41-5 Dynamic ACLs • Type—Shows if the entry is static or dynamic. • Age—Shows the age of the entry, in minutes. To set the timeout, see MAC Address Table. • Refresh—Refreshes the table with current information from the security appliance.
41-6 Interface Graphs Fields • Available Graphs for—Lists the types of statistics available for monitoring. You can choose up to four types of statistics to show in one graph window.
41-7 Interface Graphs Collisions—The number of messages retransmitted due to an Ethernet collision (single and multiple collisions).
41-8 PPPoE Client Graph/Table The Graph window shows a graph for the selected statistics. The Graph window can show up to four graphs and tables at a time. By default, the graph or table displays the real-time statistics.
41-9 interface connection Fields Select a PPPoE interface—Select the interface for which you want to view PPPoE client lease information. Refresh—Loads the latest PPPoE connection information from the security appliance for display.
41-10 interface connection Modes Firewall Mode: Routed •, Transparent —. Security Context: Single •, Multiple Context —, System .
CHAPTER 42-1 Cisco ASDM User Guide OL-16647-01 42 Monitoring VPN The VPN Monitoring sections show parameters and statistics for the following: • VPN statistics for specific Remote Access, LA.
42-2 VPN Connection Graphs • Remove—Moves the selected tunnel type from the Selected Graphs box to the Available Graphs box. • Show Graphs—Displays a window consisting of graphs of the tunnel types displayed in the Selected Graphs box.
42-3 VPN Statistics These panels show detailed parameters and statistics for a specific remote-access, LAN-to-LAN, Clientless SSL VPN, or E-mail Proxy session. The parameters and statistics differ depending on the session protocol.
42-4 VPN Statistics The contents of the second table, also unlabeled, on this panel depend on the selection in the Filter By list. In the following list, the first-level bullets show the Filter By selection, and the second-level bullets show the column headings for this table.
42-5 VPN Statistics – Bytes Tx/Bytes Rx—Shows the total number of bytes transmitted to/received from the remote peer or client by the security appliance. • Clientless SSL VPN—Indicates that the values in this table relate to Clientless SSL VPN traffic.
42-6 VPN Statistics Modes The following table shows the modes in which this feature is available: Sessions Details The Session Details window displays configuration settings, statistics, and state information about the selected session.
42-7 VPN Statistics – Unknown—Posture validation is in progress. The posture token is an informational text string which is configurable on the Access Control Server.
42-8 VPN Statistics Redirect URLs remain in force until either the IPSec session ends or until posture revalidation, for which the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL.
42-9 VPN Statistics The buttons in this window are as follows: Note Choose Monitoring > VPN > VPN Statistics > NAC Session Summary if you want to revalidate or initialize all sessions that are subject to posture validation.
42-10 VPN Statistics • Encryption Statistics—Shows the statistics for all the data encryption algorithms in use by currently active sessions. – Encryption Algorithm—Lists the encryption algorithm to which the statistics in this row apply.
42-11 VPN Statistics • N/A—Number of peers for which NAC is disabled according to the VPN NAC group policy. • Revalidate All—Click if the posture of the peers or the assigned access policies (that is, the downloaded ACLs) have changed.
42-12 VPN Statistics VLAN Mapping Sessions This panel displays the number of sessions assigned to an egress VLAN, as determined by the value of the Restrict Access to VLAN parameter of each group policy in use.
42-13 VPN Statistics Crypto Statistics This panel displays the crypto statistics for currently active user and administrator sessions on the security appliance. Each row in the table represents one crypto statistic.
42-14 VPN Statistics Modes The following table shows the modes in which this feature is available: Cluster Loads Use this panel to view the current traffic load distribution among the servers in a VPN load-balancing cluster.
42-15 VPN Statistics Note These statistics are for SSO with SiteMinder and SAML Browser Post Profile servers only. Fields • Show Statistics For SSO Server—Selects an SSO server.
42-16 VPN Statistics – Number of rejects – Number of timeouts – Number of unrecognized responses • Refresh—Updates the statistics shown in the SSO Statistics table. • Clear SSO Server Statistics—Resets statistics for the displayed server.
CHAPTER 43-1 Cisco ASDM User Guide OL-16647-01 43 Monitoring Routing You can use ASDM to monitor OSPF LSAs, OSPF and EIGRP neighbors, and the routing table. To access the routing monitoring screens, go to Monitoring > Routing in the ASDM interface.
43-2 Monitoring OSPF LSAs The Type 1 pane displays all Type 1 LSAs received by the security appliance. Each row in the table represents a single LSA. Fields • Process—Display only.
43-3 Monitoring OSPF LSAs Type 3 Type 3 LSAs are summary link advertisements that are passed between areas. They describe the networks within an area. Fields • Process—Display only.
43-4 Monitoring OSPF LSAs • Sequence #—Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. • Checksum—Display only.
43-5 Monitoring OSPF Neighbors Fields • Process—Display only. Displays the OSPF process for the LSA. • Area—Display only. Displays the OSPF area for the LSA. • Network—Display only.
43-6 Monitoring OSPF Neighbors – 2-Way—This state designates that bidirectional communication has been established between the security appliance and the neighbor. Bidirectional means that each device has seen the hello packet from the other device.
43-7 Monitoring EIGRP Neighbors • Interface—Display only. Displays the interface on which the OSPF neighbor has formed adjacency.
43-8 Displaying Routes The Routes pane displays the statically configured, connected, and discovered routes in the security appliance routing table. Fields • Protocol—Display only.
44-1 CHAPTER 44 Monitoring Properties. This chapter includes the following sections: • Monitoring AAA Servers, page 44-1 • Monitoring Device Access, page.
44-2 Monitoring AAA Servers. Step 1 From the ASDM toolbar, click Monitoring. The monitoring functions display in the left-hand Navigation pane. Step 2 Click Properties. The Properties Navigation pane opens.
44-3 Monitoring AAA Servers. The dialog box closes. Fields Used to Monitor AAA Servers. The following table describes the fields for monitoring AAA Servers.
44-4 Monitoring Device Access. This section includes the following topics: • Monitoring User Lockouts •.
44-5 Monitoring Device Access. Step 2 Click Properties. The Properties Navigation pane opens. Step 3 Click the plus (+) symbol next to Device Access. The list of Device Access functions expands below it.
44-6 Monitoring Device Access. All lockouts from the security appliance are removed and usernames removed from the list.
44-7 Monitoring Device Access. Prerequisites • You are connected to the security appliance using ASDM. • You have already completed the initial security appliance configurations included in the ASDM startup wizard.
44-8 Monitoring Device Access. • You have already configured the security appliance access for the session traffic you want to monitor.
44-9 Monitoring Device Access. The following table describes the fields for monitoring active SSH sessions.
44-10 Monitoring Device Access. Procedure. To disconnect an active security appliance session, perform the following steps: Step 1 From the ASDM toolbar, click Monitoring. The monitoring functions display in the left-hand Navigation pane.
44-11 Connection Graphs. Modes. The following table shows the modes in which this feature is available: Fields for Monitoring Users Who Have Authenticated with a Server. The following table describes the fields for monitoring authenticated users.
44-12 Connection Graphs, Perfmon. The Perfmon pane lets you view the performance information in a graphical format. You can choose up to four types of statistics to show in one graph window.
44-13 CRL. • Show Graphs—Click to display a new or updated graph window. Modes. The following table shows the modes in which this feature is available: CRL. This pane allows you to view or clear associated CRLs of selected CA certificates.
44-14 IP Audit. • If new entries arrive but there is no room in the cache because the size was exceeded or no more memory is available, the cache will be thinned by one third, based on the entries' age.
44-15 IP Audit. Impossible IP Packet (1102) IP Teardrop (1103) – ICMP Requests—Shows the packet count for the following signa.
44-16 System Resources Graphs. – RPC Requests to Target Hosts—Shows the packet count for the following signatures: Port Regi.
44-17 System Resources Graphs, Blocks. This pane lets you view the free and used memory blocks. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
44-18 Memory. This pane lets you view the memory utilization. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
44-19 WCCP, Service Groups. This pane allows you to view and refresh the service group, the display mode, and hash settings, which include the source and destination IP addresses and the source and destination port numbers.
44-20 WCCP. • WCCP Interface Statistics—Display-only. Shows the current WCCP interface statistics.
45-1 CHAPTER 45 Monitoring Logging. You can view real-time syslog messages that appear in the log buffer. When you open the Cisco ASDM 6.1(3) for ASA 8.0(4) main application window, the most recent ASDM system log messages appear at the bottom of a scrolling window.
45-2 Log Buffer, Log Buffer Viewer. The Log Buffer Viewer pane lets you view messages that appear in the log buffer, an explanation of the message, details about the message, and recommended actions to take, if necessary, to resolve an error.
45-3 Real-Time Log Viewer. The Real-Time Log Viewer lets you view real-time syslog messages in a separate window. To access this pane, choose Monitoring > Logging > Real-Time Log Viewer.
45-4 Real-Time Log Viewer. • Click Save Log to save the contents of the log to your computer. • Click Clear Display to clear the list of messages. • Click Color Settings to specify that messages of different severity levels display in different colors.
46-1 CHAPTER 46 Monitoring Failover. Failover monitoring in ASDM depends upon the mode of the device. In single context mode, or within a security context in multiple context mode, you can monitor the state of failover for the device and view stateful failover statistics.
46-2 Monitoring Failover in Single Context Mode or in a Security Context. Fields. Failover state of the system—Display only. Displays the failover state of the security appliance.
46-3 Monitoring Failover in Single Context Mode or in a Security Context. – *Active Time—The amount of time, in seconds, that the unit has been in the active state. – *[context_name] Interface name (n.
46-4 Monitoring Failover in Single Context Mode or in a Security Context. – VPN DHCP upd—Tunneled DHCP connection information. • *Logical Update Queue Information—Displays the following statistics: – Recv Q—The status of the receive queue.
46-5 Monitoring Failover in Single Context Mode or in a Security Context. Fields • Available Graphs for—Lists the types of statistical information available for monitoring. You can choose up to four statistic types to display in one graph window.
46-6 Monitoring Failover in the System Execution Space. You can monitor the failover status of the system and of the individual failover groups in the system context.
46-7 Monitoring Failover in the System Execution Space. • Monitored Interfaces—Displays the number of interfaces whose health you are monitoring for failover. • failover replication http—Specifies that HTTP replication is enabled.
46-8 Monitoring Failover in the System Execution Space. – UDP conn—Dynamic UDP connection information. – ARP tbl—Dynamic ARP table information. – L2BRIDGE tbl—Layer 2 bridge table information (transparent firewall mode only).
46-9 Monitoring Failover in the System Execution Space. For More Information. For more information about failover in general, see Understanding Failover.
46-10 Monitoring Failover in the System Execution Space. – xmit—Number of transmitted packets to the other unit – xerr—Number.
46-11 Monitoring Failover in the System Execution Space. For More Information. For more information about failover in general, see Understanding Failover.
47-1 CHAPTER 47 Monitoring Trend Micro Content Security. Note The ASA 5580 does not support the CSC SSM feature. ASDM lets you monitor the CSC SSM statistics as well as CSC SSM-related features. For an introduction to the CSC SSM, see About the CSC SSM.
47-2 Live Security Events. • Show Graphs—Click to display a new window that shows a Graph tab and an updated graph with the selected statistics. Click the Table tab to display the same information in tabular form.
47-3 Live Security Events, Live Security Events Log. The Live Log dialog box lets you view real-time security event messages that are received from the CSC SSM.
47-4 Software Updates. For More Information. See Managing the CSC SSM. Software Updates. The Software Updates pane displays information about updates to the CSC SSM software.
47-5 Resource Graphs. Fields • Available Graphs—Lists the components whose statistics you can view in a graph. – CSC CPU, CPU Utilization—Displays statistics for CPU usage on the CSC SSM.
47-6 Resource Graphs. • Remove—Click to remove the selected statistics type from the Selected Graphs list. • Show Graphs—Click to display a new window that shows a Graph tab and an updated graph with the selected statistics.
PART 6 Reference
A-1 APPENDIX A Feature Licenses. This appendix describes feature licenses per model. This appendix includes the following sections: • ASA 5505 Feature Licenses,.
A-2 ASA 5510 Feature Licenses. TLS Proxy for SIP and Skinny Inspection Supported Supported Failover No support.
A-3 ASA 5520 Feature Licenses. Max. VLANs 50 100 Concurrent Firewall Conns 2 50K 130K Max. Physical Interfaces Unlimited Unlimited Encryption Base (DES) Optional license: Strong (3DES/AES) Base (DES) Optional license: Strong (3DES/AES) Min.
A-4 ASA 5540 Feature Licenses. ASA 5550 Feature Licenses. Table A-4 ASA 5540 Adaptive Security Appliance License Features ASA 5540 Base License Users, concurrent Unlimited Unlimited Security Contexts 2 Optional licenses: 5 10 20 50 VPN Sessions 1 1.
A-5 ASA 5580 Feature Licenses. VPN Load Balancing Supported TLS Proxy for SIP and Skinny Inspection Supported Failover Active/Standby or Active/Active GTP/GPRS None Optional license: Enabled Max.
A-6 PIX 515/515E Feature Licenses. Encryption Base (DES) Optional license: Strong (3DES/AES) Min.
A-7 PIX 525 Feature Licenses. PIX 535 Feature Licenses. Table A-8 PIX 525 Security Appliance License Features PIX 525 R (Restricted) UR (Unrestricted) FO (Failover) 1 1.
A-8 PIX 535 Feature Licenses. Table A-9 PIX 535 Security Appliance License Features PIX 535 R (Restricted) UR (Unrestricted) FO (Failover) 1 1. This license can only be used in a failover pair with another unit with a UR license.
B-1 APPENDIX B Troubleshooting. This appendix describes how to troubleshoot the security appliance, and includes the following sections: • Testing Your Confi.
B-2 Testing Your Configuration. Step 1 To show ICMP packet information for pings to the security appliance interfaces, enter the follow.
B-3 Testing Your Configuration. Figure B-1 Network Diagram with Interfaces, Routers, and Hosts. Step 2 Ping each security appliance interface from the directly connected routers. For transparent mode, ping the management IP address.
B-4 Testing Your Configuration. Figure B-3 Ping Failure Because of IP Addressing Problems. Step 3 Ping each security appliance interface from a remote host. For transparent mode, ping the management IP address.
B-5 Testing Your Configuration. hostname(config-cmap)# policy-map ICMP-POLICY hostname(config-pmap)# class ICMP-CLASS hostname(config-pmap-.
B-6 Reloading the Security Appliance. Step 4 (Optional) To disable the ICMP inspection engine, enter the following command: hostname(con.
B-7 Performing Password Recovery. This section describes how to recover passwords if you have forgotten them or you are locked out because of AAA settings, and how to disable password recovery for extra security.
B-8 Performing Password Recovery. Step 11 When prompted for the password, press Enter. The password is blank.
B-9 Performing Password Recovery. You can log in with the default login password of “cisco” and the blank enable password.
B-10 Using the ROM Monitor to Load a Software Image. of the command does not change the setting.
B-11 Erasing the Flash File System. Step 6 Ping the TFTP server by entering the ping server command.
B-12 Other Troubleshooting Tools. The security appliance provides other troubleshooting tools that you can use.
B-13 Common Problems. User's Identity not Preserved Across Contexts. If your network will be organized into multiple contexts, be aware that, when changing contexts, the user identity is not preserved.
B-14 Common Problems. Symptom Traffic does not pass between two interfaces on the same security level. Possible Cause You did not enable the feature that allows traffic to pass between interfaces at the same security level.
C-1 APPENDIX C Configuring an External Server for Authorization and Authentication. This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the security appliance.
C-2 Understanding Policy Enforcement of Permissions and Attributes. Understanding Po.
C-3 Configuring an External LDAP Server. Figure C-1 Policy Enforcement Flow. Configuring an External LDAP Server. The VPN 3000 Concentrator and the ASA/PIX 7.
C-4 Configuring an External LDAP Server. Your LDAP configuration should reflect the logical hierarchy of your organization. For example, suppose an employee at your company, Example Corporation, is named Terry.
C-5 Configuring an External LDAP Server. Binding the Security Appliance to the LDAP Ser.
C-6 Configuring an External LDAP Server. For software Version 7.0, LDAP attributes include the cVPN3000 prefix. For Version 7.1 and later, this prefix was removed.
C-7 Configuring an External LDAP Server. DHCP-Network-Scope Y Y Y String Single IP address. DN-Field Y Y Y String Single Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name.
C-8 Configuring an External LDAP Server. IPSec-Backup-Servers Y Y Y String Single.
C-9 Configuring an External LDAP Server. L2TP-Encryption Y Integer Single Bitmap: 1 =.
C-10 Configuring an External LDAP Server. Required-Client-Firewall-Product-Code.
C-11 Configuring an External LDAP Server. WebVPN-Apply-ACL-Enable Y Y Integer Single.
C-12 Configuring an External LDAP Server. Cisco-AV-Pair Attribute Syntax. The syntax.
C-13 Configuring an External LDAP Server. For example: ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log ip:inacl#2=permit TCP any host 10.
C-14 Configuring an External LDAP Server. Additional Information for using ASDM to Configure LDAP. Additional information on using ASDM to configure LDAP is available on Cisco.
C-15 Configuring an External RADIUS Server. This section presents an overview of the RADIUS configuration procedure and defines the Cisco RADIUS attributes.
C-16 Configuring an External RADIUS Server. Table C-5 Security Appliance Supported RADIUS Attributes and Values. Attribute Name VPN 3000 ASA PIX Attr.
C-17 Configuring an External RADIUS Server. PPTP-Encryption Y 20 Integer Single Bitmap.
C-18 Configuring an External RADIUS Server. PPTP-MPPC-Compression Y 37 Integer Sing.
C-19 Configuring an External RADIUS Server. Required-Client-Firew.
C-20 Configuring an External RADIUS Server. IPSec-Backup-Servers.
C-21 Configuring an External RADIUS Server. WebVPN-Port-Forwarding-Name Y Y 79 String Single String name (example, “Corporate-Apps”).
C-22 Configuring an External RADIUS Server. WebVPN-Port-Forwarding-Enable Y Y 97.
C-23 Configuring an External TACACS+ Server. The security appliance provides support for TACACS+ attributes.
C-24 Configuring an External TACACS+ Server. Note To use TACACS+ attributes, make sure you have enabled AAA services on the NAS.
IN-1 INDEX. Numerics 4GE SSM connector types 7-2, 8-2 fiber 7-2, 8-2 SFP 7-2, 8-2 support 1-2 802.1Q trunk 7-3, 8-5 A AAA about 14-1 accounting 23-15 authentication CL.
IN-2 fields 12-3 Add/Edit Filtering Entry dialog box 11-9 description 11-9 fields 11-9 Add/Edit IGMP Join Group dialog box 12-4 description 12-4 fields 12-4 A.
IN-3 application firewall 24-95 application inspection about 24-2 applying 24-4 configuring 24-4 described 24-60 enabling for different protocols 24-29 securit.
IN-4 B backed up configurations restoring 3-29 backing up configurations 3-26 bandwidth 1-19 banner, view/configure 35-25 Basic tab IPSec LAN-to-LAN, General.
IN-5 code-signer certificate 33-18 command authorization about 16-23 configuring 16-23 multiple contexts 16-24 configuration context files 10-2 factory default.
IN-6 CSC software updates monitoring 47-4 CSC SSM getting started 29-4 overview 29-2 support 1-2 what to scan 29-6 CSC threats monitoring 47-1 CSC updates conf.
IN-7 downloadable access lists configuring 23-11 converting netmask expressions 23-15 DSCP preservation 25-5 duplex interface 9-13 duplex, configuring 7-2, 8.
IN-8 system 8-2 key 15-15, 15-26 make active 46-4 make standby 46-4 monitoring 46-1 monitoring interfaces 15-19 redundant interfaces 7-2, 8-4 reload standby 4.
IN-9 limitations 24-13 H225 application inspection, enabling 24-29 H323 RAS application inspection, enabling 24-29 Hardware Client tab 35-31 Help button 1-13 H.
IN-10 ASA 5505 MAC addresses 9-4 maximum VLANs 9-2 duplex 7-2, 8-2 enabled status 8-2 fiber 7-2, 8-2 jumbo frame support multiple mode 8-7 single mode 7-8 monit.
IN-11 See transparent firewall Layer 3/4 matching multiple policy maps 22-5 LDAP application inspection 24-14 attribute mapping 14-22 Cisco-AV-pair C-12 configu.
IN-12 CSC threats 47-1 DHCP interface lease 41-2 IP addresses 41-2 server 41-2 statistics 41-3 failover 46-1, 46-6 failover groups 46-9 history metrics 6-6 inte.
IN-13 NetFlow event matching to configured collectors 17-19 Network Admission Control uses, requirements, and limitations 34-24 New Authentication Server Grou.
IN-14 platform model 1-18 PoE 9-4 policy, QoS 25-1 policy map Layer 3/4 feature directionality 22-3 flows 22-5 policy NAT about 21-10 Port Forwarding configurin.
IN-15 recurring time range, add or edit 35-13 redirect, ICMP message 16-8 Redistribution panel 11-14 description 11-14 fields 11-15 redundant interfaces conf.
IN-16 SDI configuring 14-9 support 14-5 Secure Computing SmartFilter filtering server supported 26-1 URL for website 26-1 Secure Copy configure server 16-5 secu.
IN-17 stateful application inspection 24-60 Stateful Failover 15-3 enabling 15-16 Logical Updates Statistics 46-7, 46-9 settings 15-27 stateful failover inter.
IN-18 basic drop types 27-2 enabling 27-2 overview 27-2 rate intervals 27-2 system performance 27-2 scanning default limits, changing 27-4 enabling 27-3 host.
IN-19 U UDP application inspection 24-60 bomb attack 27-16 chargen DoS attack 27-16 connection state information 2-20 snork attack 27-16 Unicast Reverse Path F.
IN-20 W web browsing with Clientless SSL VPN 37-4 web clients, secure authentication 23-5 Websense filtering server 26-1, 26-5 WebVPN use suggestions 37-2 Wi.