Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

Cisco Security Appliance Command Line Configuration Guide
For the Cisco ASA 5500 Series and Cisco PIX 500 Series
Software Version 7.2

Customer Order Number: N/A, Online only
Text Part Number: OL-10088-02



    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

    All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (0903R)

    Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

    Cisco Security Appliance Command Line Configuration Guide Copyright 2008 Cisco Systems, Inc. All rights reserved.


    CONTENTS

    About This Guide xxxv
    Document Objectives xxxv
    Audience xxxv
    Related Documentation xxxvi
    Document Organization xxxvi
    Document Conventions xxxix
    Obtaining Documentation and Submitting a Service Request xxxix

    PART 1 Getting Started and General Information

    CHAPTER 1 Introduction to the Security Appliance 1-1
    Firewall Functional Overview 1-1
    Security Policy Overview 1-2
    Permitting or Denying Traffic with Access Lists 1-2
    Applying NAT 1-2
    Using AAA for Through Traffic 1-2
    Applying HTTP, HTTPS, or FTP Filtering 1-3
    Applying Application Inspection 1-3
    Sending Traffic to the Advanced Inspection and Prevention Security Services Module 1-3
    Sending Traffic to the Content Security and Control Security Services Module 1-3
    Applying QoS Policies 1-3
    Applying Connection Limits and TCP Normalization 1-3
    Firewall Mode Overview 1-3
    Stateful Inspection Overview 1-4
    VPN Functional Overview 1-5
    Intrusion Prevention Services Functional Overview 1-5
    Security Context Overview 1-6

    CHAPTER 2 Getting Started 2-1
    Getting Started with Your Platform Model 2-1
    Factory Default Configurations 2-1
    Restoring the Factory Default Configuration 2-2
    ASA 5505 Default Configuration 2-2
    ASA 5510 and Higher Default Configuration 2-3
    PIX 515/515E Default Configuration 2-4
    Accessing the Command-Line Interface 2-4
    Setting Transparent or Routed Firewall Mode 2-5
    Working with the Configuration 2-6
    Saving Configuration Changes 2-6
    Saving Configuration Changes in Single Context Mode 2-7
    Saving Configuration Changes in Multiple Context Mode 2-7
    Copying the Startup Configuration to the Running Configuration 2-8
    Viewing the Configuration 2-8
    Clearing and Removing Configuration Settings 2-9
    Creating Text Configuration Files Offline 2-9

    CHAPTER 3 Enabling Multiple Context Mode 3-1
    Security Context Overview 3-1
    Common Uses for Security Contexts 3-1
    Unsupported Features 3-2
    Context Configuration Files 3-2
    Context Configurations 3-2
    System Configuration 3-2
    Admin Context Configuration 3-2
    How the Security Appliance Classifies Packets 3-3
    Valid Classifier Criteria 3-3
    Invalid Classifier Criteria 3-4
    Classification Examples 3-5
    Cascading Security Contexts 3-8
    Management Access to Security Contexts 3-9
    System Administrator Access 3-9
    Context Administrator Access 3-10
    Enabling or Disabling Multiple Context Mode 3-10
    Backing Up the Single Mode Configuration 3-10
    Enabling Multiple Context Mode 3-10
    Restoring Single Context Mode 3-11

    CHAPTER 4 Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 4-1
    Interface Overview 4-1
    Understanding ASA 5505 Ports and Interfaces 4-2

    Maximum Active VLAN Interfaces for Your License 4-2
    Default Interface Configuration 4-4
    VLAN MAC Addresses 4-4
    Power Over Ethernet 4-4
    Monitoring Traffic Using SPAN 4-4
    Security Level Overview 4-5
    Configuring VLAN Interfaces 4-5
    Configuring Switch Ports as Access Ports 4-9
    Configuring a Switch Port as a Trunk Port 4-11
    Allowing Communication Between VLAN Interfaces on the Same Security Level 4-13

    CHAPTER 5 Configuring Ethernet Settings and Subinterfaces 5-1
    Configuring and Enabling RJ-45 Interfaces 5-1
    Configuring and Enabling Fiber Interfaces 5-3
    Configuring and Enabling VLAN Subinterfaces and 802.1Q Trunking 5-3

    CHAPTER 6 Adding and Managing Security Contexts 6-1
    Configuring Resource Management 6-1
    Classes and Class Members Overview 6-1
    Resource Limits 6-2
    Default Class 6-3
    Class Members 6-4
    Configuring a Class 6-4
    Configuring a Security Context 6-7
    Automatically Assigning MAC Addresses to Context Interfaces 6-11
    Changing Between Contexts and the System Execution Space 6-11
    Managing Security Contexts 6-12
    Removing a Security Context 6-12
    Changing the Admin Context 6-13
    Changing the Security Context URL 6-13
    Reloading a Security Context 6-14
    Reloading by Clearing the Configuration 6-14
    Reloading by Removing and Re-adding the Context 6-15
    Monitoring Security Contexts 6-15
    Viewing Context Information 6-15
    Viewing Resource Allocation 6-16
    Viewing Resource Usage 6-19
    Monitoring SYN Attacks in Contexts 6-20

    CHAPTER 7 Configuring Interface Parameters 7-1
    Security Level Overview 7-1
    Configuring the Interface 7-2
    Allowing Communication Between Interfaces on the Same Security Level 7-6

    CHAPTER 8 Configuring Basic Settings 8-1
    Changing the Login Password 8-1
    Changing the Enable Password 8-1
    Setting the Hostname 8-2
    Setting the Domain Name 8-2
    Setting the Date and Time 8-2
    Setting the Time Zone and Daylight Saving Time Date Range 8-3
    Setting the Date and Time Using an NTP Server 8-4
    Setting the Date and Time Manually 8-5
    Setting the Management IP Address for a Transparent Firewall 8-5

    CHAPTER 9 Configuring IP Routing 9-1
    How Routing Behaves Within the ASA Security Appliance 9-1
    Egress Interface Selection Process 9-1
    Next Hop Selection Process 9-2
    Configuring Static and Default Routes 9-2
    Configuring a Static Route 9-3
    Configuring a Default Route 9-4
    Configuring Static Route Tracking 9-5
    Defining Route Maps 9-7
    Configuring OSPF 9-8
    OSPF Overview 9-9
    Enabling OSPF 9-10
    Redistributing Routes Into OSPF 9-10
    Configuring OSPF Interface Parameters 9-11
    Configuring OSPF Area Parameters 9-13
    Configuring OSPF NSSA 9-14
    Configuring Route Summarization Between OSPF Areas 9-15
    Configuring Route Summarization When Redistributing Routes into OSPF 9-16
    Defining Static OSPF Neighbors 9-16
    Generating a Default Route 9-17
    Configuring Route Calculation Timers 9-17
    Logging Neighbors Going Up or Down 9-18

    Displaying OSPF Update Packet Pacing 9-19
    Monitoring OSPF 9-19
    Restarting the OSPF Process 9-20
    Configuring RIP 9-20
    Enabling and Configuring RIP 9-20
    Redistributing Routes into the RIP Routing Process 9-22
    Configuring RIP Send/Receive Version on an Interface 9-22
    Enabling RIP Authentication 9-23
    Monitoring RIP 9-23
    The Routing Table 9-24
    Displaying the Routing Table 9-24
    How the Routing Table is Populated 9-24
    Backup Routes 9-26
    How Forwarding Decisions are Made 9-26
    Dynamic Routing and Failover 9-26

    CHAPTER 10 Configuring DHCP, DDNS, and WCCP Services 10-1
    Configuring a DHCP Server 10-1
    Enabling the DHCP Server 10-2
    Configuring DHCP Options 10-3
    Using Cisco IP Phones with a DHCP Server 10-4
    Configuring DHCP Relay Services 10-5
    Configuring Dynamic DNS 10-6
    Example 1: Client Updates Both A and PTR RRs for Static IP Addresses 10-7
    Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration 10-7
    Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs 10-8
    Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR 10-8
    Example 5: Client Updates A RR; Server Updates PTR RR 10-9
    Configuring Web Cache Services Using WCCP 10-9
    WCCP Feature Support 10-9
    WCCP Interaction With Other Features 10-10
    Enabling WCCP Redirection 10-10

    CHAPTER 11 Configuring Multicast Routing 11-13
    Multicast Routing Overview 11-13
    Enabling Multicast Routing 11-14

    Configuring IGMP Features 11-14
    Disabling IGMP on an Interface 11-15
    Configuring Group Membership 11-15
    Configuring a Statically Joined Group 11-15
    Controlling Access to Multicast Groups 11-15
    Limiting the Number of IGMP States on an Interface 11-16
    Modifying the Query Interval and Query Timeout 11-16
    Changing the Query Response Time 11-17
    Changing the IGMP Version 11-17
    Configuring Stub Multicast Routing 11-17
    Configuring a Static Multicast Route 11-17
    Configuring PIM Features 11-18
    Disabling PIM on an Interface 11-18
    Configuring a Static Rendezvous Point Address 11-19
    Configuring the Designated Router Priority 11-19
    Filtering PIM Register Messages 11-19
    Configuring PIM Message Intervals 11-20
    Configuring a Multicast Boundary 11-20
    Filtering PIM Neighbors 11-20
    Supporting Mixed Bidirectional/Sparse-Mode PIM Networks 11-21
    For More Information about Multicast Routing 11-22

    CHAPTER 12 Configuring IPv6 12-1
    IPv6-enabled Commands 12-1
    Configuring IPv6 12-2
    Configuring IPv6 on an Interface 12-3
    Configuring a Dual IP Stack on an Interface 12-4
    Enforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses 12-4
    Configuring IPv6 Duplicate Address Detection 12-4
    Configuring IPv6 Default and Static Routes 12-5
    Configuring IPv6 Access Lists 12-6
    Configuring IPv6 Neighbor Discovery 12-7
    Configuring Neighbor Solicitation Messages 12-7
    Configuring Router Advertisement Messages 12-9
    Multicast Listener Discovery Support 12-11
    Configuring a Static IPv6 Neighbor 12-11
    Verifying the IPv6 Configuration 12-11
    The show ipv6 interface Command 12-12
    The show ipv6 route Command 12-12

    The show ipv6 mld traffic Command 12-13

    CHAPTER 13 Configuring AAA Servers and the Local Database 13-1
    AAA Overview 13-1
    About Authentication 13-1
    About Authorization 13-2
    About Accounting 13-2
    AAA Server and Local Database Support 13-2
    Summary of Support 13-3
    RADIUS Server Support 13-3
    Authentication Methods 13-4
    Attribute Support 13-4
    RADIUS Authorization Functions 13-4
    TACACS+ Server Support 13-4
    SDI Server Support 13-4
    SDI Version Support 13-5
    Two-step Authentication Process 13-5
    SDI Primary and Replica Servers 13-5
    NT Server Support 13-5
    Kerberos Server Support 13-5
    LDAP Server Support 13-6
    Authentication with LDAP 13-6
    Authorization with LDAP for VPN 13-7
    LDAP Attribute Mapping 13-8
    SSO Support for WebVPN with HTTP Forms 13-9
    Local Database Support 13-9
    User Profiles 13-10
    Fallback Support 13-10
    Configuring the Local Database 13-10
    Identifying AAA Server Groups and Servers 13-12
    Using Certificates and User Login Credentials 13-15
    Using User Login Credentials 13-15
    Using Certificates 13-16
    Supporting a Zone Labs Integrity Server 13-16
    Overview of Integrity Server and Security Appliance Interaction 13-17
    Configuring Integrity Server Support 13-17

    CHAPTER 14 Configuring Failover 14-1
    Understanding Failover 14-1

    Failover System Requirements 14-2
    Hardware Requirements 14-2
    Software Requirements 14-2
    License Requirements 14-2
    The Failover and Stateful Failover Links 14-3
    Failover Link 14-3
    Stateful Failover Link 14-5
    Active/Active and Active/Standby Failover 14-6
    Active/Standby Failover 14-6
    Active/Active Failover 14-10
    Determining Which Type of Failover to Use 14-15
    Regular and Stateful Failover 14-15
    Regular Failover 14-16
    Stateful Failover 14-16
    Failover Health Monitoring 14-16
    Unit Health Monitoring 14-17
    Interface Monitoring 14-17
    Failover Feature/Platform Matrix 14-18
    Failover Times by Platform 14-18
    Configuring Failover 14-19
    Failover Configuration Limitations 14-19
    Configuring Active/Standby Failover 14-19
    Prerequisites 14-20
    Configuring Cable-Based Active/Standby Failover (PIX Security Appliance Only) 14-20
    Configuring LAN-Based Active/Standby Failover 14-21
    Configuring Optional Active/Standby Failover Settings 14-25
    Configuring Active/Active Failover 14-27
    Prerequisites 14-27
    Configuring Cable-Based Active/Active Failover (PIX Security Appliance Only) 14-27
    Configuring LAN-Based Active/Active Failover 14-29
    Configuring Optional Active/Active Failover Settings 14-33
    Configuring Unit Health Monitoring 14-39
    Configuring Failover Communication Authentication/Encryption 14-39
    Verifying the Failover Configuration 14-40
    Using the show failover Command 14-40
    Viewing Monitored Interfaces 14-48
    Displaying the Failover Commands in the Running Configuration 14-48
    Testing the Failover Functionality 14-49
    Controlling and Monitoring Failover 14-49
    Forcing Failover 14-49

    Disabling Failover 14-50
    Restoring a Failed Unit or Failover Group 14-50
    Monitoring Failover 14-50
    Failover System Messages 14-51
    Debug Messages 14-51
    SNMP 14-51

    PART 2 Configuring the Firewall

    CHAPTER 15 Firewall Mode Overview 15-1
    Routed Mode Overview 15-1
    IP Routing Support 15-1
    Network Address Translation 15-2
    How Data Moves Through the Security Appliance in Routed Firewall Mode 15-3
    An Inside User Visits a Web Server 15-3
    An Outside User Visits a Web Server on the DMZ 15-4
    An Inside User Visits a Web Server on the DMZ 15-6
    An Outside User Attempts to Access an Inside Host 15-7
    A DMZ User Attempts to Access an Inside Host 15-8
    Transparent Mode Overview 15-8
    Transparent Firewall Network 15-9
    Allowing Layer 3 Traffic 15-9
    Allowed MAC Addresses 15-9
    Passing Traffic Not Allowed in Routed Mode 15-9
    MAC Address Lookups 15-10
    Using the Transparent Firewall in Your Network 15-10
    Transparent Firewall Guidelines 15-10
    Unsupported Features in Transparent Mode 15-11
    How Data Moves Through the Transparent Firewall 15-13
    An Inside User Visits a Web Server 15-14
    An Outside User Visits a Web Server on the Inside Network 15-15
    An Outside User Attempts to Access an Inside Host 15-16

    CHAPTER 16 Identifying Traffic with Access Lists 16-1
    Access List Overview 16-1
    Access List Types 16-2
    Access Control Entry Order 16-2
    Access Control Implicit Deny 16-3
    IP Addresses Used for Access Lists When You Use NAT 16-3

    Adding an Extended Access List 16-5
    Extended Access List Overview 16-5
    Allowing Broadcast and Multicast Traffic through the Transparent Firewall 16-6
    Adding an Extended ACE 16-6
    Adding an EtherType Access List 16-8
    EtherType Access List Overview 16-8
    Supported EtherTypes 16-8
    Implicit Permit of IP and ARPs Only 16-9
    Implicit and Explicit Deny ACE at the End of an Access List 16-9
    IPv6 Unsupported 16-9
    Using Extended and EtherType Access Lists on the Same Interface 16-9
    Allowing MPLS 16-9
    Adding an EtherType ACE 16-10
    Adding a Standard Access List 16-11
    Adding a Webtype Access List 16-11
    Simplifying Access Lists with Object Grouping 16-11
    How Object Grouping Works 16-12
    Adding Object Groups 16-12
    Adding a Protocol Object Group 16-13
    Adding a Network Object Group 16-13
    Adding a Service Object Group 16-14
    Adding an ICMP Type Object Group 16-15
    Nesting Object Groups 16-15
    Using Object Groups with an Access List 16-16
    Displaying Object Groups 16-17
    Removing Object Groups 16-17
    Adding Remarks to Access Lists 16-18
    Scheduling Extended Access List Activation 16-18
    Adding a Time Range 16-18
    Applying the Time Range to an ACE 16-19
    Logging Access List Activity 16-20
    Access List Logging Overview 16-20
    Configuring Logging for an Access Control Entry 16-21
    Managing Deny Flows 16-22

    CHAPTER 17 Applying NAT 17-1
    NAT Overview 17-1
    Introduction to NAT 17-2
    NAT Control 17-3

    NAT Types 17-5
    Dynamic NAT 17-5
    PAT 17-7
    Static NAT 17-7
    Static PAT 17-8
    Bypassing NAT When NAT Control is Enabled 17-9
    Policy NAT 17-9
    NAT and Same Security Level Interfaces 17-13
    Order of NAT Commands Used to Match Real Addresses 17-14
    Mapped Address Guidelines 17-14
    DNS and NAT 17-14
    Configuring NAT Control 17-16
    Using Dynamic NAT and PAT 17-17
    Dynamic NAT and PAT Implementation 17-17
    Configuring Dynamic NAT or PAT 17-23
    Using Static NAT 17-26
    Using Static PAT 17-27
    Bypassing NAT 17-29
    Configuring Identity NAT 17-30
    Configuring Static Identity NAT 17-30
    Configuring NAT Exemption 17-32
    NAT Examples 17-33
    Overlapping Networks 17-34
    Redirecting Ports 17-35

    CHAPTER 18 Permitting or Denying Network Access 18-1
    Inbound and Outbound Access List Overview 18-1
    Applying an Access List to an Interface 18-2

    CHAPTER 19 Applying AAA for Network Access 19-1
    AAA Performance 19-1
    Configuring Authentication for Network Access 19-1
    Authentication Overview 19-2
    One-Time Authentication 19-2
    Applications Required to Receive an Authentication Challenge 19-2
    Security Appliance Authentication Prompts 19-2
    Static PAT and HTTP 19-3
    Enabling Network Access Authentication 19-3

    Enabling Secure Authentication of Web Clients 19-5
    Authenticating Directly with the Security Appliance 19-6
    Enabling Direct Authentication Using HTTP and HTTPS 19-6
    Enabling Direct Authentication Using Telnet 19-6
    Configuring Authorization for Network Access 19-6
    Configuring TACACS+ Authorization 19-7
    Configuring RADIUS Authorization 19-8
    Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-9
    Configuring a RADIUS Server to Download Per-User Access Control List Names 19-12
    Configuring Accounting for Network Access 19-13
    Using MAC Addresses to Exempt Traffic from Authentication and Authorization 19-14

    CHAPTER 20 Applying Filtering Services 20-1
    Filtering Overview 20-1
    Filtering ActiveX Objects 20-2
    ActiveX Filtering Overview 20-2
    Enabling ActiveX Filtering 20-2
    Filtering Java Applets 20-3
    Filtering URLs and FTP Requests with an External Server 20-4
    URL Filtering Overview 20-4
    Identifying the Filtering Server 20-4
    Buffering the Content Server Response 20-6
    Caching Server Addresses 20-6
    Filtering HTTP URLs 20-7
    Configuring HTTP Filtering 20-7
    Enabling Filtering of Long HTTP URLs 20-7
    Truncating Long HTTP URLs 20-7
    Exempting Traffic from Filtering 20-8
    Filtering HTTPS URLs 20-8
    Filtering FTP Requests 20-9
    Viewing Filtering Statistics and Configuration 20-9
    Viewing Filtering Server Statistics 20-10
    Viewing Buffer Configuration and Statistics 20-11
    Viewing Caching Statistics 20-11
    Viewing Filtering Performance Statistics 20-11
    Viewing Filtering Configuration 20-12

    CHAPTER 21 Using Modular Policy Framework 21-1
    Modular Policy Framework Overview 21-1
    Modular Policy Framework Features 21-1
    Modular Policy Framework Configuration Overview 21-2
    Default Global Policy 21-3
    Identifying Traffic (Layer 3/4 Class Map) 21-4
    Default Class Maps 21-4
    Creating a Layer 3/4 Class Map for Through Traffic 21-5
    Creating a Layer 3/4 Class Map for Management Traffic 21-7
    Configuring Special Actions for Application Inspections (Inspection Policy Map) 21-7
    Inspection Policy Map Overview 21-8
    Defining Actions in an Inspection Policy Map 21-8
    Identifying Traffic in an Inspection Class Map 21-11
    Creating a Regular Expression 21-12
    Creating a Regular Expression Class Map 21-14
    Defining Actions (Layer 3/4 Policy Map) 21-15
    Layer 3/4 Policy Map Overview 21-15
    Policy Map Guidelines 21-16
    Supported Feature Types 21-16
    Hierarchical Policy Maps 21-16
    Feature Directionality 21-17
    Feature Matching Guidelines within a Policy Map 21-17
    Feature Matching Guidelines for Multiple Policy Maps 21-18
    Order in Which Multiple Feature Actions are Applied 21-18
    Default Layer 3/4 Policy Map 21-18
    Adding a Layer 3/4 Policy Map 21-19
    Applying Actions to an Interface (Service Policy) 21-21
    Modular Policy Framework Examples 21-21
    Applying Inspection and QoS Policing to HTTP Traffic 21-22
    Applying Inspection to HTTP Traffic Globally 21-22
    Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 21-23
    Applying Inspection to HTTP Traffic with NAT 21-24

    CHAPTER 22 Managing AIP SSM and CSC SSM 22-1
    Managing the AIP SSM 22-1
    About the AIP SSM 22-1
    Getting Started with the AIP SSM 22-2
    Diverting Traffic to the AIP SSM 22-2
    Sessioning to the AIP SSM and Running Setup 22-4

    Managing the CSC SSM 22-5
    About the CSC SSM 22-5
    Getting Started with the CSC SSM 22-7
    Determining What Traffic to Scan 22-9
    Limiting Connections Through the CSC SSM 22-11
    Diverting Traffic to the CSC SSM 22-11
    Checking SSM Status 22-13
    Transferring an Image onto an SSM 22-14

    CHAPTER 23 Preventing Network Attacks 23-1
    Configuring TCP Normalization 23-1
    TCP Normalization Overview 23-1
    Enabling the TCP Normalizer 23-2
    Configuring Connection Limits and Timeouts 23-6
    Connection Limit Overview 23-7
    TCP Intercept Overview 23-7
    Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility 23-7
    Dead Connection Detection (DCD) Overview 23-7
    TCP Sequence Randomization Overview 23-8
    Enabling Connection Limits and Timeouts 23-8
    Preventing IP Spoofing 23-10
    Configuring the Fragment Size 23-11
    Blocking Unwanted Connections 23-11
    Configuring IP Audit for Basic IPS Support 23-12

    CHAPTER 24 Configuring QoS 24-1
    QoS Overview 24-1
    Supported QoS Features 24-2
    What is a Token Bucket? 24-2
    Policing Overview 24-3
    Priority Queueing Overview 24-3
    Traffic Shaping Overview 24-4
    How QoS Features Interact 24-4
    DSCP and DiffServ Preservation 24-5
    Creating the Standard Priority Queue for an Interface 24-5
    Determining the Queue and TX Ring Limits 24-6
    Configuring the Priority Queue 24-7
    Identifying Traffic for QoS Using Class Maps 24-8

    Creating a QoS Class Map 24-8
    QoS Class Map Examples 24-8
    Creating a Policy for Standard Priority Queueing and/or Policing 24-9
    Creating a Policy for Traffic Shaping and Hierarchical Priority Queueing 24-11
    Viewing QoS Statistics 24-13
    Viewing QoS Police Statistics 24-13
    Viewing QoS Standard Priority Statistics 24-14
    Viewing QoS Shaping Statistics 24-14
    Viewing QoS Standard Priority Queue Statistics 24-15

    CHAPTER 25 Configuring Application Layer Protocol Inspection 25-1
    Inspection Engine Overview 25-2
    When to Use Application Protocol Inspection 25-2
    Inspection Limitations 25-2
    Default Inspection Policy 25-3
    Configuring Application Inspection 25-5
    CTIQBE Inspection 25-9
    CTIQBE Inspection Overview 25-9
    Limitations and Restrictions 25-10
    Verifying and Monitoring CTIQBE Inspection 25-10
    DCERPC Inspection 25-11
    DCERPC Overview 25-11
    Configuring a DCERPC Inspection Policy Map for Additional Inspection Control 25-12
    DNS Inspection 25-13
    How DNS Application Inspection Works 25-13
    How DNS Rewrite Works 25-14
    Configuring DNS Rewrite 25-15
    Using the Static Command for DNS Rewrite 25-15
    Using the Alias Command for DNS Rewrite 25-16
    Configuring DNS Rewrite with Two NAT Zones 25-16
    DNS Rewrite with Three NAT Zones 25-17
    Configuring DNS Rewrite with Three NAT Zones 25-19
    Verifying and Monitoring DNS Inspection 25-20
    Configuring a DNS Inspection Policy Map for Additional Inspection Control 25-20
    ESMTP Inspection 25-23
    Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 25-24
    FTP Inspection 25-26
    FTP Inspection Overview 25-27

    Using the strict Option 25-27
    Configuring an FTP Inspection Policy Map for Additional Inspection Control 25-28
    Verifying and Monitoring FTP Inspection 25-31
    GTP Inspection 25-32
    GTP Inspection Overview 25-32
    Configuring a GTP Inspection Policy Map for Additional Inspection Control 25-33
    Verifying and Monitoring GTP Inspection 25-37
    H.323 Inspection 25-38
    H.323 Inspection Overview 25-38
    How H.323 Works 25-38
    Limitations and Restrictions 25-39
    Configuring an H.323 Inspection Policy Map for Additional Inspection Control 25-40
    Configuring H.323 and H.225 Timeout Values 25-42
    Verifying and Monitoring H.323 Inspection 25-43
    Monitoring H.225 Sessions 25-43
    Monitoring H.245 Sessions 25-43
    Monitoring H.323 RAS Sessions 25-44
    HTTP Inspection 25-44
    HTTP Inspection Overview 25-44
    Configuring an HTTP Inspection Policy Map for Additional Inspection Control 25-45
    Instant Messaging Inspection 25-49
    IM Inspection Overview 25-49
    Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control 25-49
    ICMP Inspection 25-52
    ICMP Error Inspection 25-52
    ILS Inspection 25-53
    IPSec Pass Through Inspection 25-54
    IPSec Pass Through Inspection Overview 25-54
    Configuring an IPSec Pass Through Inspection Policy Map for Additional Inspection Control 25-54
    MGCP Inspection 25-56
    MGCP Inspection Overview 25-56
    Configuring an MGCP Inspection Policy Map for Additional Inspection Control 25-58
    Configuring MGCP Timeout Values 25-59
    Verifying and Monitoring MGCP Inspection 25-59
    NetBIOS Inspection 25-60
    Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control 25-60
    PPTP Inspection 25-62
    RADIUS Accounting Inspection 25-62

    Configuring a RADIUS Inspection Policy Map for Additional Inspection Control 25-63
    RSH Inspection 25-63
    RTSP Inspection 25-63
    RTSP Inspection Overview 25-63
    Using RealPlayer 25-64
    Restrictions and Limitations 25-64
    SIP Inspection 25-65
    SIP Inspection Overview 25-65
    SIP Instant Messaging 25-65
    Configuring a SIP Inspection Policy Map for Additional Inspection Control 25-66
    Configuring SIP Timeout Values 25-70
    Verifying and Monitoring SIP Inspection 25-70
    Skinny (SCCP) Inspection 25-71
    SCCP Inspection Overview 25-71
    Supporting Cisco IP Phones 25-71
    Restrictions and Limitations 25-72
    Verifying and Monitoring SCCP Inspection 25-72
    Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control 25-73
    SMTP and Extended SMTP Inspection 25-74
    SNMP Inspection 25-76
    SQL*Net Inspection 25-76
    Sun RPC Inspection 25-77
    Sun RPC Inspection Overview 25-77
    Managing Sun RPC Services 25-77
    Verifying and Monitoring Sun RPC Inspection 25-78
    TFTP Inspection 25-79
    XDMCP Inspection 25-80

    CHAPTER 26 Configuring ARP Inspection and Bridging Parameters 26-1
    Configuring ARP Inspection 26-1
    ARP Inspection Overview 26-1
    Adding a Static ARP Entry 26-2
    Enabling ARP Inspection 26-2
    Customizing the MAC Address Table 26-3
    MAC Address Table Overview 26-3
    Adding a Static MAC Address 26-3
    Setting the MAC Address Timeout 26-4
    Disabling MAC Address Learning 26-4

  • Contents

    Viewing the MAC Address Table 26-4

    P A R T 3 Configuring VPN

    C H A P T E R 27 Configuring IPsec and ISAKMP 27-1

    Tunneling Overview 27-1

    IPsec Overview 27-2

    Configuring ISAKMP 27-2
        ISAKMP Overview 27-2
        Configuring ISAKMP Policies 27-5
        Enabling ISAKMP on the Outside Interface 27-6
        Disabling ISAKMP in Aggressive Mode 27-6
        Determining an ID Method for ISAKMP Peers 27-6
        Enabling IPsec over NAT-T 27-7
            Using NAT-T 27-7
        Enabling IPsec over TCP 27-8
        Waiting for Active Sessions to Terminate Before Rebooting 27-9
        Alerting Peers Before Disconnecting 27-9

    Configuring Certificate Group Matching 27-9
        Creating a Certificate Group Matching Rule and Policy 27-10
        Using the Tunnel-group-map default-group Command 27-11

    Configuring IPsec 27-11
        Understanding IPsec Tunnels 27-11
        Understanding Transform Sets 27-12
        Defining Crypto Maps 27-12
        Applying Crypto Maps to Interfaces 27-20
        Using Interface Access Lists 27-20
        Changing IPsec SA Lifetimes 27-22
        Creating a Basic IPsec Configuration 27-22
        Using Dynamic Crypto Maps 27-24
        Providing Site-to-Site Redundancy 27-26
        Viewing an IPsec Configuration 27-26

    Clearing Security Associations 27-27

    Clearing Crypto Map Configurations 27-27

    Supporting the Nokia VPN Client 27-28

    C H A P T E R 28 Configuring L2TP over IPSec 28-1

    L2TP Overview 28-1

    IPSec Transport and Tunnel Modes 28-2

    Configuring L2TP over IPSec Connections 28-2
        Tunnel Group Switching 28-5

    Viewing L2TP over IPSec Connection Information 28-5
        Using L2TP Debug Commands 28-7
        Enabling IPSec Debug 28-7
        Getting Additional Information 28-8

    C H A P T E R 29 Setting General IPSec VPN Parameters 29-1

    Configuring VPNs in Single, Routed Mode 29-1

    Configuring IPSec to Bypass ACLs 29-1

    Permitting Intra-Interface Traffic 29-2
        NAT Considerations for Intra-Interface Traffic 29-3

    Setting Maximum Active IPSec VPN Sessions 29-3

    Using Client Update to Ensure Acceptable Client Revision Levels 29-3

    Understanding Load Balancing 29-5
        Implementing Load Balancing 29-6
            Prerequisites 29-6
            Eligible Platforms 29-7
            Eligible Clients 29-7
            VPN Load-Balancing Cluster Configurations 29-7
            Some Typical Mixed Cluster Scenarios 29-8
                Scenario 1: Mixed Cluster with No WebVPN Connections 29-8
                Scenario 2: Mixed Cluster Handling WebVPN Connections 29-8

    Configuring Load Balancing 29-9
        Configuring the Public and Private Interfaces for Load Balancing 29-9
        Configuring the Load Balancing Cluster Attributes 29-10

    Configuring VPN Session Limits 29-11

    C H A P T E R 30 Configuring Tunnel Groups, Group Policies, and Users 30-1

    Overview of Tunnel Groups, Group Policies, and Users 30-1

    Tunnel Groups 30-2
        General Tunnel-Group Connection Parameters 30-2
        IPSec Tunnel-Group Connection Parameters 30-3
        WebVPN Tunnel-Group Connection Parameters 30-4

    Configuring Tunnel Groups 30-5
        Maximum Tunnel Groups 30-5
        Default IPSec Remote Access Tunnel Group Configuration 30-5
        Configuring IPSec Tunnel-Group General Attributes 30-6
        Configuring IPSec Remote-Access Tunnel Groups 30-6
            Specifying a Name and Type for the IPSec Remote Access Tunnel Group 30-6
            Configuring IPSec Remote-Access Tunnel Group General Attributes 30-7
            Configuring IPSec Remote-Access Tunnel Group IPSec Attributes 30-10
            Configuring IPSec Remote-Access Tunnel Group PPP Attributes 30-12
        Configuring LAN-to-LAN Tunnel Groups 30-13
            Default LAN-to-LAN Tunnel Group Configuration 30-13
            Specifying a Name and Type for a LAN-to-LAN Tunnel Group 30-14
            Configuring LAN-to-LAN Tunnel Group General Attributes 30-14
            Configuring LAN-to-LAN IPSec Attributes 30-15
        Configuring WebVPN Tunnel Groups 30-17
            Specifying a Name and Type for a WebVPN Tunnel Group 30-17
            Configuring WebVPN Tunnel-Group General Attributes 30-17
            Configuring WebVPN Tunnel-Group WebVPN Attributes 30-20
        Customizing Login Windows for WebVPN Users 30-23
        Configuring Microsoft Active Directory Settings for Password Management 30-24
            Using Active Directory to Force the User to Change Password at Next Logon 30-25
            Using Active Directory to Specify Maximum Password Age 30-27
            Using Active Directory to Override an Account Disabled AAA Indicator 30-28
            Using Active Directory to Enforce Minimum Password Length 30-29
            Using Active Directory to Enforce Password Complexity 30-30

    Group Policies 30-31
        Default Group Policy 30-32
        Configuring Group Policies 30-34
            Configuring an External Group Policy 30-34
            Configuring an Internal Group Policy 30-35
            Configuring Group Policy Attributes 30-35
            Configuring WINS and DNS Servers 30-35
            Configuring VPN-Specific Attributes 30-36
            Configuring Security Attributes 30-39
            Configuring the Banner Message 30-41
            Configuring IPSec-UDP Attributes 30-41
            Configuring Split-Tunneling Attributes 30-42
            Configuring Domain Attributes for Tunneling 30-43
            Configuring Attributes for VPN Hardware Clients 30-45
            Configuring Backup Server Attributes 30-48
            Configuring Microsoft Internet Explorer Client Parameters 30-49
            Configuring Network Admission Control Parameters 30-51
            Configuring Address Pools 30-54
            Configuring Firewall Policies 30-55
            Configuring Client Access Rules 30-58
            Configuring Group-Policy WebVPN Attributes 30-59

    Configuring User Attributes 30-70
        Viewing the Username Configuration 30-71
        Configuring Attributes for Specific Users 30-71
            Setting a User Password and Privilege Level 30-71
            Configuring User Attributes 30-72
            Configuring VPN User Attributes 30-72
            Configuring WebVPN for Specific Users 30-76

    C H A P T E R 31 Configuring IP Addresses for VPNs 31-1

    Configuring an IP Address Assignment Method 31-1
        Configuring Local IP Address Pools 31-2
        Configuring AAA Addressing 31-2
        Configuring DHCP Addressing 31-3

    C H A P T E R 32 Configuring Remote Access IPSec VPNs 32-1

    Summary of the Configuration 32-1

    Configuring Interfaces 32-2

    Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 32-3

    Configuring an Address Pool 32-4

    Adding a User 32-4

    Creating a Transform Set 32-4

    Defining a Tunnel Group 32-5

    Creating a Dynamic Crypto Map 32-6

    Creating a Crypto Map Entry to Use the Dynamic Crypto Map 32-7

    C H A P T E R 33 Configuring Network Admission Control 33-1

    Uses, Requirements, and Limitations 33-1

    Configuring Basic Settings 33-1
        Specifying the Access Control Server Group 33-2
        Enabling NAC 33-2
        Configuring the Default ACL for NAC 33-3
        Configuring Exemptions from NAC 33-4

    Changing Advanced Settings 33-5
        Changing Clientless Authentication Settings 33-5
            Enabling and Disabling Clientless Authentication 33-5
            Changing the Login Credentials Used for Clientless Authentication 33-6
        Configuring NAC Session Attributes 33-7
            Setting the Query-for-Posture-Changes Timer 33-8
            Setting the Revalidation Timer 33-9

    C H A P T E R 34 Configuring Easy VPN Services on the ASA 5505 34-1

    Specifying the Client/Server Role of the Cisco ASA 5505 34-1

    Specifying the Primary and Secondary Servers 34-2

    Specifying the Mode 34-3
        NEM with Multiple Interfaces 34-3

    Configuring Automatic Xauth Authentication 34-4

    Configuring IPSec Over TCP 34-4

    Comparing Tunneling Options 34-5

    Specifying the Tunnel Group or Trustpoint 34-6
        Specifying the Tunnel Group 34-6
        Specifying the Trustpoint 34-7

    Configuring Split Tunneling 34-7

    Configuring Device Pass-Through 34-8

    Configuring Remote Management 34-8

    Guidelines for Configuring the Easy VPN Server 34-9
        Group Policy and User Attributes Pushed to the Client 34-9
        Authentication Options 34-11

    C H A P T E R 35 Configuring the PPPoE Client 35-1

    PPPoE Client Overview 35-1

    Configuring the PPPoE Client Username and Password 35-2

    Enabling PPPoE 35-3

    Using PPPoE with a Fixed IP Address 35-3

    Monitoring and Debugging the PPPoE Client 35-4

    Clearing the Configuration 35-5

    Using Related Commands 35-5

    C H A P T E R 36 Configuring LAN-to-LAN IPsec VPNs 36-1

    Summary of the Configuration 36-1

    Configuring Interfaces 36-2

    Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface 36-2

    Creating a Transform Set 36-4

    Configuring an ACL 36-4

    Defining a Tunnel Group 36-5

    Creating a Crypto Map and Applying It To an Interface 36-6
        Applying Crypto Maps to Interfaces 36-7

    C H A P T E R 37 Configuring WebVPN 37-1

    Getting Started with WebVPN 37-1
        Observing WebVPN Security Precautions 37-2
        Understanding Features Not Supported for WebVPN 37-2
        Using SSL to Access the Central Site 37-3
            Using HTTPS for WebVPN Sessions 37-3
            Configuring WebVPN and ASDM on the Same Interface 37-3
            Setting WebVPN HTTP/HTTPS Proxy 37-4
            Configuring SSL/TLS Encryption Protocols 37-4
        Authenticating with Digital Certificates 37-5
        Enabling Cookies on Browsers for WebVPN 37-5
        Managing Passwords 37-5
        Using Single Sign-on with WebVPN 37-6
            Configuring SSO with HTTP Basic or NTLM Authentication 37-6
            Configuring SSO Authentication Using SiteMinder 37-7
            Configuring SSO with the HTTP Form Protocol 37-9
        Authenticating with Digital Certificates 37-15

    Creating and Applying WebVPN Policies 37-15
        Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode 37-16
        Assigning Lists to Group Policies and Users in Group-Policy or User Mode 37-16
        Enabling Features for Group Policies and Users 37-16
        Assigning Users to Group Policies 37-16
            Using the Security Appliance Authentication Server 37-16
            Using a RADIUS Server 37-16

    Configuring WebVPN Tunnel Group Attributes 37-17

    Configuring WebVPN Group Policy and User Attributes 37-17

    Configuring Application Access 37-18
        Downloading the Port-Forwarding Applet Automatically 37-18
        Closing Application Access to Prevent hosts File Errors 37-18
        Recovering from hosts File Errors When Using Application Access 37-18
            Understanding the hosts File 37-19
            Stopping Application Access Improperly 37-19
            Reconfiguring a hosts File 37-20

    Configuring File Access 37-22

    Configuring Access to Citrix MetaFrame Services 37-24

    Using WebVPN with PDAs 37-25

    Using E-Mail over WebVPN 37-26
        Configuring E-mail Proxies 37-26
            E-mail Proxy Certificate Authentication 37-27
        Configuring MAPI 37-27
        Configuring Web E-mail: MS Outlook Web Access 37-27

    Optimizing WebVPN Performance 37-28
        Configuring Caching 37-28
        Configuring Content Transformation 37-28
            Configuring a Certificate for Signing Rewritten Java Content 37-29
            Disabling Content Rewrite 37-29
            Using Proxy Bypass 37-29
            Configuring Application Profile Customization Framework 37-30
                APCF Syntax 37-30
                APCF Example 37-32

    WebVPN End User Setup 37-32
        Defining the End User Interface 37-32
            Viewing the WebVPN Home Page 37-33
            Viewing the WebVPN Application Access Panel 37-33
            Viewing the Floating Toolbar 37-34
        Customizing WebVPN Pages 37-35
            Using Cascading Style Sheet Parameters 37-35
            Customizing the WebVPN Login Page 37-36
            Customizing the WebVPN Logout Page 37-37
            Customizing the WebVPN Home Page 37-38
            Customizing the Application Access Window 37-40
            Customizing the Prompt Dialogs 37-41
            Applying Customizations to Tunnel Groups, Groups and Users 37-42
        Requiring Usernames and Passwords 37-43
        Communicating Security Tips 37-44
        Configuring Remote Systems to Use WebVPN Features 37-44

    Capturing WebVPN Data 37-50
        Creating a Capture File 37-51
        Using a Browser to Display Capture Data 37-51

    C H A P T E R 38 Configuring SSL VPN Client 38-1

    Installing SVC 38-1
        Platform Requirements 38-1
        Installing the SVC Software 38-2

    Enabling SVC 38-3

    Enabling Permanent SVC Installation 38-4

    Enabling Rekey 38-5

    Enabling and Adjusting Dead Peer Detection 38-5

    Enabling Keepalive 38-6

    Using SVC Compression 38-6

    Viewing SVC Sessions 38-7

    Logging Off SVC Sessions 38-8

    Updating SVCs 38-8

    C H A P T E R 39 Configuring Certificates 39-1

    Public Key Cryptography 39-1
        About Public Key Cryptography 39-1
        Certificate Scalability 39-2
        About Key Pairs 39-2
        About Trustpoints 39-3
        About Revocation Checking 39-3
            About CRLs 39-3
            About OCSP 39-4

    Supported CA Servers 39-5

    Certificate Configuration 39-5
        Preparing for Certificates 39-5
        Configuring Key Pairs 39-6
            Generating Key Pairs 39-6
            Removing Key Pairs 39-7
        Configuring Trustpoints 39-7
        Obtaining Certificates 39-9
            Obtaining Certificates with SCEP 39-9
            Obtaining Certificates Manually 39-11
        Configuring CRLs for a Trustpoint 39-13
        Exporting and Importing Trustpoints 39-14
            Exporting a Trustpoint Configuration 39-15
            Importing a Trustpoint Configuration 39-15
        Configuring CA Certificate Map Rules 39-15

    P A R T 4 System Administration

    C H A P T E R 40 Managing System Access 40-1

    Allowing Telnet Access 40-1

    Allowing SSH Access 40-2
        Configuring SSH Access 40-2
        Using an SSH Client 40-3

    Allowing HTTPS Access for ASDM 40-3

    Configuring ASDM and WebVPN on the Same Interface 40-4

    Configuring AAA for System Administrators 40-5
        Configuring Authentication for CLI Access 40-5
        Configuring Authentication To Access Privileged EXEC Mode 40-6
            Configuring Authentication for the Enable Command 40-6
            Authenticating Users Using the Login Command 40-6
        Configuring Command Authorization 40-7
            Command Authorization Overview 40-7
            Configuring Local Command Authorization 40-8
            Configuring TACACS+ Command Authorization 40-11
        Configuring Command Accounting 40-14
        Viewing the Current Logged-In User 40-14
        Recovering from a Lockout 40-15

    Configuring a Login Banner 40-16

    C H A P T E R 41 Managing Software, Licenses, and Configurations 41-1

    Managing Licenses 41-1
        Obtaining an Activation Key 41-1
        Entering a New Activation Key 41-2

    Viewing Files in Flash Memory 41-2

    Retrieving Files from Flash Memory 41-3

    Downloading Software or Configuration Files to Flash Memory 41-3
        Downloading a File to a Specific Location 41-4
        Downloading a File to the Startup or Running Configuration 41-4

    Configuring the Application Image and ASDM Image to Boot 41-5

    Configuring the File to Boot as the Startup Configuration 41-6

    Performing Zero Downtime Upgrades for Failover Pairs 41-6
        Upgrading an Active/Standby Failover Configuration 41-7
        Upgrading an Active/Active Failover Configuration 41-8

    Backing Up Configuration Files 41-8
        Backing up the Single Mode Configuration or Multiple Mode System Configuration 41-9
        Backing Up a Context Configuration in Flash Memory 41-9
        Backing Up a Context Configuration within a Context 41-9
        Copying the Configuration from the Terminal Display 41-10

    Configuring Auto Update Support 41-10
        Configuring Communication with an Auto Update Server 41-10
        Configuring Client Updates as an Auto Update Server 41-12
        Viewing Auto Update Status 41-13

    C H A P T E R 42 Monitoring the Security Appliance 42-1

    Using SNMP 42-1
        SNMP Overview 42-1
        Enabling SNMP 42-3

    Configuring and Managing Logs 42-5
        Logging Overview 42-5
            Logging in Multiple Context Mode 42-5
        Enabling and Disabling Logging 42-6
            Enabling Logging to All Configured Output Destinations 42-6
            Disabling Logging to All Configured Output Destinations 42-6
            Viewing the Log Configuration 42-6
        Configuring Log Output Destinations 42-7
            Sending System Log Messages to a Syslog Server 42-7
            Sending System Log Messages to the Console Port 42-8
            Sending System Log Messages to an E-mail Address 42-9
            Sending System Log Messages to ASDM 42-10
            Sending System Log Messages to a Telnet or SSH Session 42-11
            Sending System Log Messages to the Log Buffer 42-12
        Filtering System Log Messages 42-14
            Message Filtering Overview 42-15
            Filtering System Log Messages by Class 42-15
            Filtering System Log Messages with Custom Message Lists 42-17
        Customizing the Log Configuration 42-18
            Customizing the Log Configuration 42-18
            Configuring the Logging Queue 42-19
            Including the Date and Time in System Log Messages 42-19
            Including the Device ID in System Log Messages 42-19
            Generating System Log Messages in EMBLEM Format 42-20
            Disabling a System Log Message 42-20
            Changing the Severity Level of a System Log Message 42-21
            Changing the Amount of Internal Flash Memory Available for Logs 42-22
        Understanding System Log Messages 42-23
            System Log Message Format 42-23
            Severity Levels 42-23

    C H A P T E R 43 Troubleshooting the Security Appliance 43-1

    Testing Your Configuration 43-1
        Enabling ICMP Debug Messages and System Messages 43-1
        Pinging Security Appliance Interfaces 43-2
        Pinging Through the Security Appliance 43-4
        Disabling the Test Configuration 43-5
        Traceroute 43-6
        Packet Tracer 43-6

    Reloading the Security Appliance 43-6

    Performing Password Recovery 43-7
        Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance 43-7
        Password Recovery for the PIX 500 Series Security Appliance 43-8
        Disabling Password Recovery 43-9
        Resetting the Password on the SSM Hardware Module 43-10

    Other Troubleshooting Tools 43-10
        Viewing Debug Messages 43-11
        Capturing Packets 43-11
        Viewing the Crash Dump 43-11

    Common Problems 43-11

    P A R T 2 Reference

    Supported Platforms and Feature Licenses A-1

    Security Services Module Support A-9

    VPN Specifications A-10
        Cisco VPN Client Support A-11
        Cisco Secure Desktop Support A-11
        Site-to-Site VPN Compatibility A-11
        Cryptographic Standards A-12

    Example 1: Multiple Mode Firewall With Outside Access B-1
        Example 1: System Configuration B-2
        Example 1: Admin Context Configuration B-4
        Example 1: Customer A Context Configuration B-4
        Example 1: Customer B Context Configuration B-4
        Example 1: Customer C Context Configuration B-5

    Example 2: Single Mode Firewall Using Same Security Level B-6

    Example 3: Shared Resources for Multiple Contexts B-8
        Example 3: System Configuration B-9
        Example 3: Admin Context Configuration B-9
        Example 3: Department 1 Context Configuration B-10
        Example 3: Department 2 Context Configuration B-11

    Example 4: Multiple Mode, Transparent Firewall with Outside Access B-12
        Example 4: System Configuration B-13
        Example 4: Admin Context Configuration B-14
        Example 4: Customer A Context Configuration B-15
        Example 4: Customer B Context Configuration B-15
        Example 4: Customer C Context Configuration B-16

    Example 5: WebVPN Configuration B-16

    Example 6: IPv6 Configuration B-18

    Example 7: Cable-Based Active/Standby Failover (Routed Mode) B-20

    Example 8: LAN-Based Active/Standby Failover (Routed Mode) B-21
        Example 8: Primary Unit Configuration B-21
        Example 8: Secondary Unit Configuration B-22

    Example 9: LAN-Based Active/Active Failover (Routed Mode) B-22
        Example 9: Primary Unit Configuration B-23
            Example 9: Primary System Configuration B-23
            Example 9: Primary admin Context Configuration B-24
            Example 9: Primary ctx1 Context Configuration B-25
        Example 9: Secondary Unit Configuration B-25

    Example 10: Cable-Based Active/Standby Failover (Transparent Mode) B-26

    Example 11: LAN-Based Active/Standby Failover (Transparent Mode) B-27
        Example 11: Primary Unit Configuration B-27
        Example 11: Secondary Unit Configuration B-28

    Example 12: LAN-Based Active/Active Failover (Transparent Mode) B-28
        Example 12: Primary Unit Configuration B-29
            Example 12: Primary System Configuration B-29
            Example 12: Primary admin Context Configuration B-30
            Example 12: Primary ctx1 Context Configuration B-31
        Example 12: Secondary Unit Configuration B-31

    Example 13: Dual ISP Support Using Static Route Tracking B-31

    Example 14: ASA 5505 Base License B-33

    Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup B-35
        Example 15: Primary Unit Configuration B-35
        Example 15: Secondary Unit Configuration B-37

    Example 16: Network Traffic Diversion B-37
        Inspecting All Traffic with the AIP SSM B-43
        Inspecting Specific Traffic with the AIP SSM B-44
        Verifying the Recording of Alert Events B-45
        Troubleshooting the Configuration B-47

    Firewall Mode and Security Context Mode C-1

    Command Modes and Prompts C-2

    Syntax Formatting C-3

    Abbreviating Commands C-3

    Command-Line Editing C-3

    Command Completion C-4

    Command Help C-4

    Filtering show Command Output C-4

    Command Output Paging C-5

    Adding Comments C-6

    Text Configuration Files C-6
        How Commands Correspond with Lines in the Text File C-6
        Command-Specific Configuration Mode Commands C-6
        Automatic Text Entries C-7
        Line Order C-7
        Commands Not Included in the Text Configuration C-7
        Passwords C-7
        Multiple Security Context Files C-7

    IPv4 Addresses and Subnet Masks D-1
        Classes D-1
        Private Networks D-2
        Subnet Masks D-2
            Determining the Subnet Mask D-3
            Determining the Address to Use with the Subnet Mask D-3

    IPv6 Addresses D-5
        IPv6 Address Format D-5
        IPv6 Address Types D-6
            Unicast Addresses D-6
            Multicast Address D-8
            Anycast Address D-9
            Required Addresses D-10
        IPv6 Address Prefixes D-10

    Protocols and Applications D-11

    TCP and UDP Ports D-11

    Local Ports and Protocols D-14

    ICMP Types D-15

    Selecting LDAP, RADIUS, or Local Authentication and Authorization E-1

    Understanding Policy Enforcement of Permissions and Attributes E-2

    Configuring an External LDAP Server E-2
        Reviewing the LDAP Directory Structure and Configuration Procedure E-3
        Organizing the Security Appliance LDAP Schema E-3
            Searching the Hierarchy E-4
            Binding the Security Appliance to the LDAP Server E-5
        Defining the Security Appliance LDAP Schema E-5
            Cisco-AV-Pair Attribute Syntax E-14
            Example Security Appliance Authorization Schema E-15
        Loading the Schema in the LDAP Server E-18
        Defining User Permissions E-18
            Example User File E-18
        Reviewing Examples of Active Directory Configurations E-19
            Example 1: Configuring LDAP Authorization with Microsoft Active Directory (ASA/PIX) E-19
            Example 2: Configuring LDAP Authentication with Microsoft Active Directory E-20
            Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory E-22

    Configuring an External RADIUS Server E-24
        Reviewing the RADIUS Configuration Procedure E-24
        Security Appliance RADIUS Authorization Attributes E-25
        Security Appliance TACACS+ Attributes E-32

    G L O S S A R Y

    I N D E X

  • About This Guide

    This preface introduces the Cisco Security Appliance Command Line Configuration Guide, and includes the following sections:
        Document Objectives, page xxxv
        Audience, page xxxv
        Related Documentation, page xxxvi
        Document Organization, page xxxvi
        Document Conventions, page xxxix
        Obtaining Documentation and Submitting a Service Request, page xxxix

    Document Objectives

    The purpose of this guide is to help you configure the security appliance using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.

    You can also configure and monitor the security appliance by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see: http://www.cisco.com/univercd/cc/td/doc/product/netsec/secmgmt/asdm/index.htm

    This guide applies to the Cisco PIX 500 series security appliances (PIX 515E, PIX 525, and PIX 535) and the Cisco ASA 5500 series security appliances (ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550). Throughout this guide, the term security appliance applies generically to all supported models, unless specified otherwise. The PIX 501, PIX 506E, and PIX 520 security appliances are not supported.

    Audience

    This guide is for network managers who perform any of the following tasks:
        Manage network security
        Install and configure firewalls/security appliances
        Configure VPNs
        Configure intrusion detection software

    Related Documentation

    For more information, refer to the following documentation:
        Cisco PIX Security Appliance Release Notes
        Cisco ASDM Release Notes
        Cisco PIX 515E Quick Start Guide
        Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0
        Migrating to ASA for VPN 3000 Series Concentrator Administrators
        Cisco Security Appliance Command Reference
        Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide
        Cisco ASA 5500 Series Release Notes
        Cisco Security Appliance Logging Configuration and System Log Messages
        Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators

    Document Organization

    This guide includes the chapters and appendixes described in Table 1.

    Table 1 Document Organization

    Chapter/Appendix Definition

    Part 1: Getting Started and General Information

    Chapter 1, Introduction to the Security Appliance

    Provides a high-level overview of the security appliance.

    Chapter 2, Getting Started

    Describes how to access the command-line interface, configure the firewall mode, and work with the configuration.

    Chapter 3, Enabling Multiple Context Mode

    Describes how to use security contexts and enable multiple context mode.

    Chapter 4, Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

    Describes how to configure switch ports and VLAN interfaces for the ASA 5505 adaptive security appliance.

    Chapter 5, Configuring Ethernet Settings and Subinterfaces

    Describes how to configure Ethernet settings for physical interfaces and add subinterfaces.

    Chapter 6, Adding and Managing Security Contexts

    Describes how to configure multiple security contexts on the security appliance.

    Chapter 7, Configuring Interface Parameters

    Describes how to configure each interface and subinterface for a name, security level, and IP address.

    Chapter 8, Configuring Basic Settings

    Describes how to configure basic settings that are typically required for a functioning configuration.

    Chapter 9, Configuring IP Routing

    Describes how to configure IP routing.

    Chapter 10, Configuring DHCP, DDNS, and WCCP Services

    Describes how to configure the DHCP server and DHCP relay.

    Chapter 11, Configuring Multicast Routing

    Describes how to configure multicast routing.

    Chapter 12, Configuring IPv6

    Describes how to enable and configure IPv6.

    Chapter 13, Configuring AAA Servers and the Local Database

    Describes how to configure AAA servers and the local database.

    Chapter 14, Configuring Failover

    Describes the failover feature, which lets you configure two security appliances so that one will take over operation if the other one fails.

    Part 2: Configuring the Firewall

    Chapter 15, Firewall Mode Overview

    Describes in detail the two operation modes of the security appliance, routed and transparent mode, and how data is handled differently with each mode.

    Chapter 16, Identifying Traffic with Access Lists

    Describes how to identify traffic with access lists.

    Chapter 17, Applying NAT

    Describes how address translation is performed.

    Chapter 18, Permitting or Denying Network Access

    Describes how to control network access through the security appliance using access lists.

    Chapter 19, Applying AAA for Network Access

    Describes how to enable AAA for network access.

    Chapter 20, Applying Filtering Services

    Describes ways to filter web traffic to reduce security risks or prevent inappropriate use.

    Chapter 21, Using Modular Policy Framework

    Describes how to use the Modular Policy Framework to create security policies for TCP, general connection settings, inspection, and QoS.

    Chapter 22, Managing AIP SSM and CSC SSM

    Describes how to configure the security appliance to send traffic to an AIP SSM or a CSC SSM, how to check the status of an SSM, and how to update the software image on an intelligent SSM.

    Chapter 23, Preventing Network Attacks

    Describes how to configure protection features to intercept and respond to network attacks.

    Chapter 24, Configuring QoS Describes how to configure the network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP routed networks.

    Chapter 25, Configuring Application Layer Protocol Inspection

    Describes how to use and configure application inspection.

    Chapter 26, Configuring ARP Inspection and Bridging Parameters

    Describes how to enable ARP inspection and how to customize bridging operations.

    Part 3: Configuring VPN

    Chapter 27, Configuring IPsec and ISAKMP

    Describes how to configure ISAKMP and IPSec tunneling to build and manage VPN tunnels, or secure connections between remote users and a private corporate network.

    Chapter 28, Configuring L2TP over IPSec

    Describes how to configure L2TP over IPSec on the security appliance.

    Chapter 29, Setting General IPSec VPN Parameters

    Describes miscellaneous VPN configuration procedures.

    Chapter 30, Configuring Tunnel Groups, Group Policies, and Users

    Describes how to configure VPN tunnel groups, group policies, and users.

    Chapter 31, Configuring IP Addresses for VPNs

    Describes how to configure IP addresses in your private network addressing scheme, which lets the client function as a tunnel endpoint.

    Chapter 32, Configuring Remote Access IPSec VPNs

    Describes how to configure a remote access VPN connection.

    Chapter 33, Configuring Network Admission Control

    Describes how to configure Network Admission Control (NAC).

    Chapter 34, Configuring Easy VPN Services on the ASA 5505

    Describes how to configure Easy VPN on the ASA 5505 adaptive security appliance.

    Chapter 35, Configuring the PPPoE Client

    Describes how to configure the PPPoE client provided with the security appliance.

    Chapter 36, Configuring LAN-to-LAN IPsec VPNs

    Describes how to build a LAN-to-LAN VPN connection.

    Chapter 37, Configuring WebVPN

    Describes how to establish a secure, remote-access VPN tunnel to a security appliance using a web browser.

    Chapter 38, Configuring SSL VPN Client

    Describes how to install and configure the SSL VPN Client.

    Chapter 39, Configuring Certificates

    Describes how to configure digital certificates, which contain information that identifies a user or device. Such information can include a name, serial number, company, department, or IP address. A digital certificate also contains a copy of the public key for the user or device.

    Part 4: System Administration

    Chapter 40, Managing System Access

    Describes how to access the security appliance for system management through Telnet, SSH, and HTTPS.

    Chapter 41, Managing Software, Licenses, and Configurations

    Describes how to enter license keys and download software and configuration files.

    Chapter 42, Monitoring the Security Appliance

    Describes how to monitor the security appliance.

    Chapter 43, Troubleshooting the Security Appliance

    Describes how to troubleshoot the security appliance.

Part 5: Reference

    Appendix A, Feature Licenses and Specifications

    Describes the feature licenses and specifications.

    Appendix B, Sample Configurations

    Describes a number of common ways to implement the security appliance.

Appendix C, Using the Command-Line Interface

Describes how to use the CLI to configure the security appliance.

Appendix D, Addresses, Protocols, and Ports

Provides a quick reference for IP addresses, protocols, and applications.

Appendix E, Configuring an External Server for Authorization and Authentication

Provides information about configuring LDAP and RADIUS authorization servers.

Glossary

Provides a handy reference for commonly used terms and acronyms.

Index

Provides an index for the guide.

Document Conventions

Command descriptions use these conventions:

- Braces ({ }) indicate a required choice.
- Square brackets ([ ]) indicate optional elements.
- Vertical bars ( | ) separate alternative, mutually exclusive elements.
- Boldface indicates commands and keywords that are entered literally as shown.
- Italics indicate arguments for which you supply values.

Examples use these conventions:

- Examples depict screen displays and the command line in screen font.
- Information you need to enter in examples is shown in boldface screen font.
- Variables for which you must supply a value are shown in italic screen font.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

PART 1

    Getting Started and General Information

CHAPTER 1 Introduction to the Security Appliance

The security appliance combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM or an integrated content security and control module called the CSC SSM. The security appliance includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent (Layer 2) or routed (Layer 3) firewall operation, advanced inspection engines, IPSec and WebVPN support, and many more. See Appendix A, Feature Licenses and Specifications, for a list of supported platforms and features. For a list of new features, see the Cisco ASA 5500 Series Release Notes or the Cisco PIX Security Appliance Release Notes.

Note The Cisco PIX 501 and PIX 506E security appliances are not supported.

This chapter includes the following sections:

- Firewall Functional Overview, page 1-1
- VPN Functional Overview, page 1-5
- Intrusion Prevention Services Functional Overview, page 1-5
- Security Context Overview, page 1-6

Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there affects only those servers and not the other inside networks (provided the DMZ itself is given only limited access to them). You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.

When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the security appliance lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.

This section includes the following topics:

- Security Policy Overview, page 1-2
- Firewall Mode Overview, page 1-3
- Stateful Inspection Overview, page 1-4

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the security appliance allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level); traffic from a lower security level to a higher one is denied unless you explicitly permit it. You can apply actions to traffic to customize the security policy.

This section includes the following topics:

- Permitting or Denying Traffic with Access Lists, page 1-2
- Applying NAT, page 1-2
- Using AAA for Through Traffic, page 1-2
- Applying HTTP, HTTPS, or FTP Filtering, page 1-3
- Applying Application Inspection, page 1-3
- Sending Traffic to the Advanced Inspection and Prevention Security Services Module, page 1-3
- Sending Traffic to the Content Security and Control Security Services Module, page 1-3
- Applying QoS Policies, page 1-3
- Applying Connection Limits and TCP Normalization, page 1-3

    Permitting or Denying Traffic with Access Lists

    You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside. For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

    Applying NAT

Some of the benefits of NAT include the following:

- You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
- NAT hides the local addresses from other networks, so a host on another network does not learn the real address of an inside host. Treat this as concealment only: the access lists, not the translation, decide which traffic is allowed through.
- NAT can resolve IP routing problems by supporting overlapping IP addresses.

    Using AAA for Through Traffic

You can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The security appliance can also send accounting information for that traffic to a RADIUS or TACACS+ server.
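The three controls just described (access lists, NAT, and AAA for through traffic) are usually configured together. The following configuration is an added example written for this page; it is not taken from the guide. It assumes three interfaces named outside, inside, and dmz, an inside network 10.1.1.0/24, a DMZ web server 10.2.2.10 published as 209.165.201.5 (an address from the documentation range, not a real deployment), and a RADIUS server at 10.1.1.20; all names, addresses, and the shared key are illustrative. Note the check that matters in this software release: because translation happens before the inbound access list is evaluated, the access list on the outside interface must reference the translated (global) address of the DMZ server, not its real address.

```cisco
! Added example, not taken from the guide. Interface names, addresses
! (209.165.201.0/27 is a documentation range), access-list and server
! names, and the RADIUS key are assumptions chosen for illustration.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.2 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0

! NAT. Inside hosts leave through the outside interface address (PAT);
! the DMZ web server 10.2.2.10 is published one-to-one as 209.165.201.5.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) 209.165.201.5 10.2.2.10 netmask 255.255.255.255

! Access list on the outside interface. Only HTTP and HTTPS to the web
! server are allowed in; everything else from outside is denied and
! logged. In this release the inbound access list refers to the
! translated address 209.165.201.5, not to the real address 10.2.2.10.
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.5 eq www
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.5 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! AAA for through traffic. Inside users must authenticate against the
! RADIUS server before their outbound HTTP is allowed, and the same
! sessions are accounted to that server. The key is a placeholder.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.1.1.20
 key ChangeMeSharedSecret
!
access-list AUTH_WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq www
aaa authentication match AUTH_WEB inside RADIUS_SRV
aaa accounting match AUTH_WEB inside RADIUS_SRV
```

The DMZ server can be reached only on the two listed ports, and traffic from the DMZ toward the inside network is still denied by the lower-to-higher security level default, which is what limits the damage if the server is compromised.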


Applying HTTP, HTTPS, or FTP Filtering

Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet. We recommend that you use the security appliance in conjunction with a separate server running one of the following Internet filtering products:

- Websense Enterprise
- Secure Computing SmartFilter

    Applying Application Inspection

    Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection.

    Sending Traffic to the Advanced Inspection and Prevention Security Services Module

    If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM for inspection.

    Sending Traffic to the Content Security and Control Security Services Module

    If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you configure the adaptive security appliance to send to it.

    Applying QoS Policies

    Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.

    Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.
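Application inspection, redirection to the AIP SSM, connection limits, and TCP normalization are all applied through the same policy-map mechanism. The following configuration is an added example written for this page, not code from the guide. It assumes the published DMZ web server address 209.165.201.5 used earlier, an installed AIP SSM, and illustrative class, map, and limit values; it is what the three sections above look like when put together.

```cisco
! Added example, not taken from the guide. Names, limits and the address
! 209.165.201.5 (the published DMZ web server) are assumptions; the
! "ips" action requires an AIP SSM to be installed.

! Default-inspection class: the protocols that embed addresses in the
! payload or open secondary channels. FTP and H.323 negotiate their
! data ports on the control channel, so the engine must read it.
class-map inspection_default
 match default-inspection-traffic
!
! SNMP inspection map: refuse SNMPv1, which has no message integrity.
snmp-map NO_SNMP_V1
 deny version 1
!
! TCP normalizer settings for the web-server traffic: clear reserved
! bits and the urgent pointer, drop data carried on a SYN, drop
! segments larger than the negotiated MSS, and verify checksums and
! retransmitted data.
tcp-map NORMALIZE_WEB
 reserved-bits clear
 urgent-flag clear
 syn-data drop
 exceed-mss drop
 checksum-verification
 check-retransmission
!
access-list DMZ_WEB_ACL extended permit tcp any host 209.165.201.5 eq www
class-map DMZ_WEB
 match access-list DMZ_WEB_ACL
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect snmp NO_SNMP_V1
 class DMZ_WEB
  ! Connection limits: at most 2000 established connections, 500
  ! embryonic (half-open) connections in total and 20 per client.
  ! Once the embryonic limit is reached, TCP Intercept completes the
  ! handshake on the server's behalf and forwards only real clients.
  set connection conn-max 2000 embryonic-conn-max 500 per-client-embryonic-max 20
  ! Shorten the embryonic timeout from the 30-second default.
  set connection timeout embryonic 0:00:20
  set connection advanced-options NORMALIZE_WEB
  ! Send the web-server traffic through the AIP SSM inline; if the
  ! module fails, block rather than bypass (fail-close).
  ips inline fail-close
!
service-policy global_policy global
```

The choice between fail-close and fail-open for the module is the security decision in this block: fail-open keeps the service up while the sensor is down, fail-close keeps the policy intact at the cost of availability. Pick it deliberately for each class rather than taking the default.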

Firewall Mode Overview

The security appliance runs in two different firewall modes:

- Routed
- Transparent

In routed mode, the security appliance is considered to be a router hop in the network.

In transparent mode, the security appliance acts like a bump in the wire, or a stealth firewall, and is not considered a router hop. The security appliance connects to the same network on its inside and outside interfaces.

You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list.

Stateful Inspection Overview

All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A packet filter also checks every packet against the filter, which can be a slow process.

A stateful firewall like the security appliance, however, takes into consideration the state of a packet:

- Is this a new connection?

If it is a new connection, the security appliance has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it might also pass through the control plane path.

The session management path is responsible for the following tasks:

- Performing the access list checks
- Performing route lookups
- Allocating NAT translations (xlates)
- Establishing sessions in the fast path

Note The session management path and the fast path make up the accelerated security path.

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a control channel, which uses a well-known port number, and one or more data channels, whose port numbers are negotiated on the control channel and differ for each session. Protocols with inspection engines include FTP, H.323, and SNMP.

- Is this an established connection?

If the connection is already established, the security appliance does not need to re-check packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:

- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments

For UDP or other connectionless protocols, the security appliance creates connection state information so that it can also use the fast path. Data packets for protocols that require Layer 7 inspection can also go through the fast path.

    Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

VPN Functional Overview

A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The security appliance invokes various standard protocols to accomplish these functions.

The security appliance performs the following functions:

- Establishes tunnels
- Negotiates tunnel parameters
- Authenticates users
- Assigns user addresses
- Encrypts and decrypts data
- Manages security keys
- Manages data transfer across the tunnel
- Manages data transfer inbound and outbound as a tunnel endpoint or router

Intrusion Prevention Services Functional Overview

The Cisco ASA 5500 series adaptive security appliance supports the AIP SSM, an intrusion prevention services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When the system detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. Other legitimate connections continue to operate independently without interruption. For more information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.

Security Context Overview

You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

    The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts.

Note You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.
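What the system configuration for multiple context mode looks like, as an added example written for this page rather than taken from the guide: an admin context plus two customer contexts, each seeing only the subinterfaces allocated to it. Interface names, VLAN IDs, context names, and the flash file names are assumptions.

```cisco
! Added example, not taken from the guide: the system configuration of a
! security appliance partitioned into an admin context and two customer
! contexts. Interface names, VLAN IDs, context names and file names are
! assumptions. "mode multiple" converts the configuration and reboots.
mode multiple

! Physical interfaces and subinterfaces exist only in the system
! configuration; the system itself carries no IP addresses.
interface Management0/0
 no shutdown
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
!
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120

! The admin context: the system uses it to reach network resources
! (for example to fetch context configurations), and anyone who logs
! into it holds system administrator rights over every context, so
! keep its management access as tight as the system's own.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! Customer contexts see only the interfaces allocated to them, under
! the mapped names given here, and keep separate policies, access
! lists and administrators. All contexts share one firewall mode
! (routed or transparent) and use static routing only.
context customerA
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/customerA.cfg

context customerB
 allocate-interface GigabitEthernet0/0.20 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/customerB.cfg
```

Using mapped names (outside, inside) instead of the physical names in each context keeps the customer configurations identical in shape and hides the hardware layout from context administrators.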


CHAPTER 2 Getting Started

This chapter describes how to access the command-line interface, configure the firewall mode, and work with the configuration. This chapter includes the following sections:

- Getting Started with Your Platform Model, page 2-1
- Factory Default Configurations, page 2-1
- Accessing the Command-Line Interface, page 2-4
- Setting Transparent or Routed Firewall Mode, page 2-5
- Working with the Configuration, page 2-6

Getting Started with Your Platform Model

This guide applies to multiple security appliance platforms and models: the PIX 500 series security appliances and the ASA 5500 series adaptive security appliances. There are some hardware differences between the PIX and the ASA security appliance. Moreover, the ASA 5505 includes a built-in switch, and requires some special configuration. For these hardware-based differences, the platforms or models supported are noted directly in each section. Some models do not support all features covered in this guide. For example, the ASA 5505 adaptive security appliance does not support security contexts. This guide might not list each supported model when discussing a feature. To determine the features that are supported for your model before you start your configuration, see the Supported Platforms and Feature Licenses section on page A-1 for a detailed list of the features supported for each model.

Factory Default Configurations

The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances. For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately.

The factory default configuration is available only for routed firewall mode and single context mode. See Chapter 3, Enabling Multiple Context Mode, for more information about multiple context mode. See the Setting Transparent or Routed Firewall Mode section on page 2-5 for more information about routed and transparent firewall mode.

This section includes the following topics:

- Restoring the Factory Default Configuration, page 2-2
- ASA 5505 Default Configuration, page 2-2
- ASA 5510 and Higher Default Configuration, page 2-3
- PIX 515/515E Default Configuration, page 2-4

Restoring the Factory Default Configuration

To restore the factory default configuration, enter the following command:

    hostname(config)# configure factory-default [ip_address [mask]]

    If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 192.168