Cisco NAT 8.3


Cisco ASA 5500 Series Configuration Guide using the CLI
Software Version 8.3

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

Customer Order Number: N/A, Online only
Text Part Number: OL-20336-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Cisco ASA 5500 Series Configuration Guide using the CLI
Copyright 2010 Cisco Systems, Inc. All rights reserved.

Contents

About This Guide
  Audience
  Document Objectives
  Related Documentation
  Document Conventions
  Obtaining Documentation, Obtaining Support, and Security Guidelines

Part 1: Getting Started and General Information

Chapter 1: Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance
  ASA 5500 Model Support
  Module Support
  VPN Specifications
  New Features
    New Features in Version 8.3(2)
    New Features in Version 8.3(1)
  Firewall Functional Overview
    Security Policy Overview
      Permitting or Denying Traffic with Access Lists
      Applying NAT
      Protecting from IP Fragments
      Using AAA for Through Traffic
      Applying HTTP, HTTPS, or FTP Filtering
      Applying Application Inspection
      Sending Traffic to the Advanced Inspection and Prevention Security Services Module
      Sending Traffic to the Content Security and Control Security Services Module
      Applying QoS Policies
      Applying Connection Limits and TCP Normalization
      Enabling Threat Detection
      Enabling the Botnet Traffic Filter
      Configuring Cisco Unified Communications
    Firewall Mode Overview
    Stateful Inspection Overview
  VPN Functional Overview
  Security Context Overview

Chapter 2: Getting Started
  Factory Default Configurations
    Restoring the Factory Default Configuration
    ASA 5505 Default Configuration
    ASA 5510 and Higher Default Configuration
  Accessing the Command-Line Interface
  Working with the Configuration
    Saving Configuration Changes
      Saving Configuration Changes in Single Context Mode
      Saving Configuration Changes in Multiple Context Mode
    Copying the Startup Configuration to the Running Configuration
    Viewing the Configuration
    Clearing and Removing Configuration Settings
    Creating Text Configuration Files Offline
  Applying Configuration Changes to Connections

Chapter 3: Managing Feature Licenses
  Supported Feature Licenses Per Model
    Licenses Per Model
    License Notes
    VPN License and Feature Compatibility
  Information About Feature Licenses
    Preinstalled License
    Permanent License
    Time-Based Licenses
      Time-Based License Activation Guidelines
      How the Time-Based License Timer Works
      How Permanent and Time-Based Licenses Combine
      Stacking Time-Based Licenses
      Time-Based License Expiration
    Shared SSL VPN Licenses
      Information About the Shared Licensing Server and Participants
      Communication Issues Between Participant and Server
      Information About the Shared Licensing Backup Server
      Failover and Shared Licenses
      Maximum Number of Participants
    Failover Licenses (8.3(1) and Later)
      Failover License Requirements
      How Failover Licenses Combine
      Loss of Communication Between Failover Units
      Upgrading Failover Pairs
    Licenses FAQ
  Guidelines and Limitations
  Viewing Your Current License
  Obtaining an Activation Key
  Activating or Deactivating Keys
  Configuring a Shared License
    Configuring the Shared Licensing Server
    Configuring the Shared Licensing Backup Server (Optional)
    Configuring the Shared Licensing Participant
    Monitoring the Shared License
  Feature History for Licensing

Chapter 4: Configuring the Transparent or Routed Firewall
  Configuring the Firewall Mode
    Information About the Firewall Mode
      Information About Routed Firewall Mode
      Information About Transparent Firewall Mode
    Licensing Requirements for the Firewall Mode
    Default Settings
    Guidelines and Limitations
    Setting the Firewall Mode
    Feature History for Firewall Mode
  Configuring ARP Inspection for the Transparent Firewall
    Information About ARP Inspection
    Licensing Requirements for ARP Inspection
    Default Settings
    Guidelines and Limitations
    Configuring ARP Inspection
      Task Flow for Configuring ARP Inspection
      Adding a Static ARP Entry
      Enabling ARP Inspection
    Monitoring ARP Inspection
    Feature History for ARP Inspection
  Customizing the MAC Address Table for the Transparent Firewall
    Information About the MAC Address Table
    Licensing Requirements for the MAC Address Table
    Default Settings
    Guidelines and Limitations
    Configuring the MAC Address Table
      Adding a Static MAC Address
      Setting the MAC Address Timeout
      Disabling MAC Address Learning
    Monitoring the MAC Address Table
    Feature History for the MAC Address Table
  Firewall Mode Examples
    How Data Moves Through the Security Appliance in Routed Firewall Mode
      An Inside User Visits a Web Server
      An Outside User Visits a Web Server on the DMZ
      An Inside User Visits a Web Server on the DMZ
      An Outside User Attempts to Access an Inside Host
      A DMZ User Attempts to Access an Inside Host
    How Data Moves Through the Transparent Firewall
      An Inside User Visits a Web Server
      An Inside User Visits a Web Server Using NAT
      An Outside User Visits a Web Server on the Inside Network
      An Outside User Attempts to Access an Inside Host

Part 2: Setting up the Adaptive Security Appliance

Chapter 5: Configuring Multiple Context Mode
  Information About Security Contexts
    Common Uses for Security Contexts
    Context Configuration Files
      Context Configurations
      System Configuration
      Admin Context Configuration
    How the Security Appliance Classifies Packets
      Valid Classifier Criteria
      Classification Examples
    Cascading Security Contexts
    Management Access to Security Contexts
      System Administrator Access
      Context Administrator Access
    Information About Resource Management
      Resource Limits
      Default Class
      Class Members
    Information About MAC Addresses
      Default MAC Address
      Interaction with Manual MAC Addresses
      Failover MAC Addresses
      MAC Address Format
  Licensing Requirements for Multiple Context Mode
  Guidelines and Limitations
  Default Settings
  Configuring Multiple Contexts
    Task Flow for Configuring Multiple Context Mode
    Enabling or Disabling Multiple Context Mode
      Enabling Multiple Context Mode
      Restoring Single Context Mode
    Configuring a Class for Resource Management
    Configuring a Security Context
    Automatically Assigning MAC Addresses to Context Interfaces
  Changing Between Contexts and the System Execution Space
  Managing Security Contexts
    Removing a Security Context
    Changing the Admin Context
    Changing the Security Context URL
    Reloading a Security Context
      Reloading by Clearing the Configuration
      Reloading by Removing and Re-addin
