Cisco ASA 5525-X CLI Configuration Guide (2164 pages)
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring the ASA IPS Module .... 1503
Feature History for the ASA IPS Module .... 1505
Table of Contents
Cisco ASA Series CLI Configuration Guide .... 1
About This Guide .... 3
Glossary .... 5
Index .... 29
Getting Started with the ASA .... 61
Introduction to the Cisco ASA .... 63
ASDM Client Operating System and Browser Requirements .... 63
Hardware and Software Compatibility .... 65
VPN Specifications .... 65
New Features .... 66
New Features in ASA 9.0(3)/ASDM 7.1(3) .... 66
New Features in ASA 9.0(2)/ASDM 7.1(2) .... 66
New Features in ASA 8.4(5)/ASDM 7.0(2) .... 68
New Features in ASA 9.0(1)/ASDM 7.0(1) .... 69
How the ASA Services Module Works with the Switch .... 86
Firewall Functional Overview .... 88
Security Policy Overview .... 89
Permitting or Denying Traffic with Access Lists Rules .... 89
Applying NAT .... 89
Protecting from IP Fragments .... 90
Using AAA for Through Traffic .... 90
Applying HTTP, HTTPS, or FTP Filtering .... 90
Applying Application Inspection .... 90
Sending Traffic to the IPS Module .... 90
Sending Traffic to the Content Security and Control Module .... 90
Applying QoS Policies .... 90
Applying Connection Limits and TCP Normalization .... 91
Enabling Threat Detection .... 91
Enabling the Botnet Traffic Filter .... 91
Configuring Cisco Unified Communications .... 91
Firewall Mode Overview .... 91
Stateful Inspection Overview .... 92
VPN Functional Overview .... 93
Security Context Overview .... 93
ASA Clustering Overview .... 94
Configuring the Switch for Use with the ASA Services Module .... 95
Information About the Switch .... 95
Guidelines and Limitations .... 96
Verifying the Module Installation .... 97
Assigning VLANs to the ASA Services Module .... 98
Using the MSFC as a Directly Connected Router .... 99
Information About SVIs .... 100
Configuring SVIs .... 102
Configuring the Switch for ASA Failover .... 103
Assigning VLANs to the Secondary ASA Services Module .... 104
Adding a Trunk Between a Primary Switch and Secondary Switch .... 104
Ensuring Compatibility with Transparent Firewall Mode .... 104
Enabling Autostate Messaging for Rapid Link Failure Detection .... 104
Resetting the ASA Services Module .... 105
Monitoring the ASA Services Module .... 105
Feature History for the Switch for Use with the ASA Services Module .... 107
Getting Started .... 109
Accessing the Appliance Command-Line Interface .... 109
Accessing the ASA Services Module Command-Line Interface .... 110
Logging Into the ASA Services Module .... 110
Information About Connection Methods .... 111
Logging In .... 112
Logging Out of a Console Session .... 113
Logging Out .... 113
Killing an Active Console Connection .... 113
Logging Out of a Telnet Session .... 114
Configuring ASDM Access for Appliances .... 114
Accessing ASDM Using the Factory Default Configuration .... 114
Accessing ASDM Using a Non-Default Configuration (ASA 5505) .... 115
Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher) .... 117
Configuring ASDM Access for the ASA Services Module .... 119
Starting ASDM .... 122
Connecting to ASDM for the First Time .... 122
Starting ASDM from the ASDM-IDM Launcher .... 123
Starting ASDM from the Java Web Start Application .... 124
Using ASDM in Demo Mode .... 124
Factory Default Configurations .... 126
Restoring the Factory Default Configuration .... 126
ASA 5505 Default Configuration .... 127
ASA 5505 Routed Mode Default Configuration .... 127
ASA 5505 Transparent Mode Sample Configuration .... 129
ASA 5510 and Higher Default Configuration .... 131
Working with the Configuration .... 131
Saving Configuration Changes .... 132
Saving Configuration Changes in Single Context Mode .... 132
Saving Configuration Changes in Multiple Context Mode .... 132
Copying the Startup Configuration to the Running Configuration .... 133
Viewing the Configuration .... 134
Clearing and Removing Configuration Settings .... 134
Creating Text Configuration Files Offline .... 135
Applying Configuration Changes to Connections .... 135
Reloading the ASA .... 136
Configuring the Transparent or Routed Firewall .... 137
Information About the Firewall Mode .... 137
Information About Routed Firewall Mode .... 137
Information About Transparent Firewall Mode .... 138
Using the Transparent Firewall in Your Network .... 138
Bridge Groups .... 139
Management Interface (ASA 5510 and Higher) .... 140
Allowing Layer 3 Traffic .... 140
Allowed MAC Addresses .... 141
Passing Traffic Not Allowed in Routed Mode .... 141
Passing Traffic For Routed-Mode Features .... 141
BPDU Handling .... 141
MAC Address vs. Route Lookups .... 142
ARP Inspection .... 142
MAC Address Table .... 143
Licensing Requirements for the Firewall Mode .... 143
Default Settings .... 143
Guidelines and Limitations .... 144
Setting the Firewall Mode .... 145
Configuring ARP Inspection for the Transparent Firewall .... 146
Task Flow for Configuring ARP Inspection .... 146
Adding a Static ARP Entry .... 146
Enabling ARP Inspection .... 147
Customizing the MAC Address Table for the Transparent Firewall .... 148
Adding a Static MAC Address .... 148
Setting the MAC Address Timeout .... 148
Disabling MAC Address Learning .... 149
Monitoring the Transparent Firewall .... 149
Monitoring ARP Inspection .... 149
Monitoring the MAC Address Table .... 149
Firewall Mode Examples .... 150
How Data Moves Through the ASA in Routed Firewall Mode .... 150
An Inside User Visits a Web Server .... 151
An Outside User Visits a Web Server on the DMZ .... 152
An Inside User Visits a Web Server on the DMZ .... 153
An Outside User Attempts to Access an Inside Host .... 153
A DMZ User Attempts to Access an Inside Host .... 155
How Data Moves Through the Transparent Firewall .... 156
An Inside User Visits a Web Server .... 157
An Inside User Visits a Web Server Using NAT .... 158
An Outside User Visits a Web Server on the Inside Network .... 159
An Outside User Attempts to Access an Inside Host .... 160
Feature History for the Firewall Mode .... 161
Managing Feature Licenses .... 163
Supported Feature Licenses Per Model .... 163
Licenses Per Model .... 163
License Notes .... 180
VPN License and Feature Compatibility .... 185
Information About Feature Licenses .... 185
Preinstalled License .... 186
Permanent License .... 186
Time-Based Licenses .... 186
Time-Based License Activation Guidelines .... 186
How the Time-Based License Timer Works .... 187
How Permanent and Time-Based Licenses Combine .... 187
Stacking Time-Based Licenses .... 188
Time-Based License Expiration .... 188
Shared AnyConnect Premium Licenses .... 189
Information About the Shared Licensing Server and Participants .... 189
Communication Issues Between Participant and Server .... 190
Information About the Shared Licensing Backup Server .... 190
Failover and Shared Licenses .... 191
Maximum Number of Participants .... 191
Failover or ASA Cluster Licenses .... 192
Failover License Requirements and Exceptions .... 192
ASA Cluster License Requirements and Exceptions .... 192
How Failover or ASA Cluster Licenses Combine .... 193
Loss of Communication Between Failover or ASA Cluster Units .... 193
Upgrading Failover Pairs .... 194
No Payload Encryption Models .... 194
Licenses FAQ .... 194
Guidelines and Limitations .... 195
Configuring Licenses .... 197
Obtaining an Activation Key .... 197
Activating or Deactivating Keys .... 198
Configuring a Shared License .... 199
Configuring the Shared Licensing Server .... 199
Configuring the Shared Licensing Backup Server (Optional) .... 201
Configuring the Shared Licensing Participant .... 201
Monitoring Licenses .... 202
Viewing Your Current License .... 202
Monitoring the Shared License .... 211
Feature History for Licensing .... 212
Configuring High Availability and Scalability .... 219
Configuring Multiple Context Mode .... 221
Information About Security Contexts .... 221
Common Uses for Security Contexts .... 222
Context Configuration Files .... 222
Context Configurations .... 222
System Configuration .... 222
Admin Context Configuration .... 222
How the ASA Classifies Packets .... 223
Valid Classifier Criteria .... 223
Classification Examples .... 224
Cascading Security Contexts .... 226
Management Access to Security Contexts .... 227
System Administrator Access .... 227
Context Administrator Access .... 228
Information About Resource Management .... 228
Resource Classes .... 228
Resource Limits .... 228
Default Class .... 229
Using Oversubscribed Resources .... 230
Using Unlimited Resources .... 231
Information About MAC Addresses .... 231
Default MAC Address .... 232
Interaction with Manual MAC Addresses .... 232
Failover MAC Addresses .... 232
MAC Address Format .... 232
Licensing Requirements for Multiple Context Mode .... 233
Prerequisites .... 234
Guidelines and Limitations .... 234
Default Settings .... 235
Configuring Multiple Contexts .... 235
Task Flow for Configuring Multiple Context Mode .... 235
Enabling or Disabling Multiple Context Mode .... 236
Enabling Multiple Context Mode .... 236
Restoring Single Context Mode .... 236
Configuring a Class for Resource Management .... 237
Configuring a Security Context .... 240
Automatically Assigning MAC Addresses to Context Interfaces .... 245
Changing Between Contexts and the System Execution Space .... 245
Managing Security Contexts .... 246
Removing a Security Context .... 246
Changing the Admin Context .... 247
Changing the Security Context URL .... 247
Reloading a Security Context .... 248
Reloading by Clearing the Configuration .... 249
Reloading by Removing and Re-adding the Context .... 249
Monitoring Security Contexts .... 249
Viewing Context Information .... 250
Viewing Resource Allocation .... 251
Viewing Resource Usage .... 254
Monitoring SYN Attacks in Contexts .... 255
Viewing Assigned MAC Addresses .... 257
Viewing MAC Addresses in the System Configuration .... 258
Viewing MAC Addresses Within a Context .... 259
Configuration Examples for Multiple Context Mode .... 260
Feature History for Multiple Context Mode .... 261
Configuring a Cluster of ASAs .... 265
Information About ASA Clustering .... 265
How the ASA Cluster Fits into Your Network .... 266
Performance Scaling Factor .... 266
Cluster Members .... 266
ASA Hardware and Software Requirements .... 267
Bootstrap Configuration .... 267
Master and Slave Unit Roles .... 267
Master Unit Election .... 267
ASA Cluster Interfaces .... 268
Interface Types .... 268
Interface Type Mode .... 270
Cluster Control Link .... 270
Cluster Control Link Traffic Overview .... 271
Cluster Control Link Network .... 271
Sizing the Cluster Control Link .... 271
Cluster Control Link Redundancy .... 272
Cluster Control Link Latency and Reliability .... 272
Cluster Control Link Failure .... 272
High Availability within the ASA Cluster .... 273
Unit Health Monitoring .... 273
Interface Monitoring .... 273
Unit or Interface Failure .... 273
Data Path Connection State Replication .... 273
Configuration Replication .... 274
ASA Cluster Management .... 274
Management Network .... 274
Management Interface .... 274
Master Unit Management Vs. Slave Unit Management .... 275
RSA Key Replication .... 275
ASDM Connection Certificate IP Address Mismatch .... 275
Load Balancing Methods .... 276
Spanned EtherChannel (Recommended) .... 276
Policy-Based Routing (Routed Firewall Mode Only) .... 278
Equal-Cost Multi-Path Routing (Routed Firewall Mode Only) .... 279
How the ASA Cluster Manages Connections .... 279
Connection Roles .... 279
New Connection Ownership .... 280
Sample Data Flow .... 280
Rebalancing New TCP Connections Across the Cluster .... 281
ASA Features and Clustering .... 281
Unsupported Features .... 281
Centralized Features .... 282
Features Applied to Individual Units .... 282
Dynamic Routing .... 283
Multicast Routing .... 284
NAT .... 285
AAA for Network Access .... 286
Syslog and Netflow .... 286
SNMP .... 286
VPN .... 286
FTP .... 287
Cisco TrustSec .... 287
Licensing Requirements for ASA Clustering .... 287
Prerequisites for ASA Clustering .... 287
Guidelines and Limitations .... 288
Default Settings .... 291
Configuring ASA Clustering .... 291
Task Flow for ASA Cluster Configuration .... 291
Cabling the Cluster Units and Configuring Upstream and Downstream Equipment .... 292
Configuring the Cluster Interface Mode on Each Unit .... 294
Configuring Interfaces on the Master Unit .... 295
Configuring Individual Interfaces (Recommended for the Management Interface) .... 295
Configuring Spanned EtherChannels .... 297
Configuring the Master Unit Bootstrap Settings .... 301
Prerequisites .... 302
Enabling the Cluster Control Link Interface .... 302
Configuring Basic Bootstrap Settings and Enabling Clustering .... 304
Configuring Advanced Clustering Settings .... 306
Examples .... 307
Configuring Slave Unit Bootstrap Settings .... 307
Prerequisites .... 308
Enabling the Cluster Control Link Interface .... 308
Configuring Bootstrap Settings and Joining the Cluster .... 309
Examples .... 311
Managing ASA Cluster Members .... 311
Becoming an Inactive Member .... 312
Inactivating a Member .... 312
Leaving the Cluster .... 313
Changing the Master Unit .... 314
Executing a Command Cluster-Wide .... 315
Monitoring the ASA Cluster .... 316
Monitoring Commands .... 316
Related Commands .... 318
Configuration Examples for ASA Clustering .... 320
Sample ASA and Switch Configuration .... 320
ASA Configuration .... 320
IOS Switch Configuration .... 322
Firewall on a Stick .... 323
Traffic Segregation .... 325
Redundant Interface (PBR or ECMP) .... 327
Spanned EtherChannel With Backup Links .... 329
Feature History for ASA Clustering .... 335
Information About Failover .... 337
Introduction to Failover and High Availability .... 337
Failover System Requirements .... 338
Hardware Requirements .... 338
Software Requirements .... 338
License Requirements .... 338
Failover and Stateful Failover Links .... 339
Failover Link .... 339
Stateful Failover Link .... 340
Failover Interface Speed for Stateful Links .... 341
Avoiding Interrupted Failover Links .... 341
Active/Active and Active/Standby Failover .... 344
Determining Which Type of Failover to Use .... 344
Stateless (Regular) and Stateful Failover .... 345
Stateless (Regular) Failover .... 345
Stateful Failover .... 346
Intra- and Inter-Chassis Module Placement for the ASA Services Module .... 347
Intra-Chassis Failover .... 347
Inter-Chassis Failover .... 348
Transparent Firewall Mode Requirements .... 351
Auto Update Server Support in Failover Configurations .... 352
Auto Update Process Overview .... 352
Monitoring the Auto Update Process .... 353
Failover Health Monitoring .... 354
Unit Health Monitoring .... 355
Interface Monitoring .... 355
Failover Times .... 356
Failover Messages .... 356
Failover System Messages .... 356
Debug Messages .... 357
SNMP .... 357
Configuring Active/Standby Failover .... 359
Information About Active/Standby Failover .... 359
Active/Standby Failover Overview .... 359
Primary/Secondary Status and Active/Standby Status .... 360
Device Initialization and Configuration Synchronization .... 360
Command Replication .... 361
Failover Triggers .... 362
Failover Actions .... 363
Optional Active/Standby Failover Settings .... 364
Licensing Requirements for Active/Standby Failover .... 364
Prerequisites for Active/Standby Failover .... 364
Guidelines and Limitations .... 364
Configuring Active/Standby Failover .... 365
Task Flow for Configuring Active/Standby Failover .... 366
Configuring the Primary Unit .... 366
Configuring the Secondary Unit .... 369
Configuring Optional Active/Standby Failover Settings .... 370
Enabling HTTP Replication with Stateful Failover .... 371
Disabling and Enabling Interface Monitoring .... 371
Configuring Failover Criteria .... 372
Configuring the Unit and Interface Health Poll Times .... 372
Configuring Virtual MAC Addresses .... 373
Controlling Failover .... 374
Forcing Failover .... 374
Disabling Failover .... 374
Restoring a Failed Unit .... 375
Testing the Failover Functionality .... 375
Monitoring Active/Standby Failover .... 376
Feature History for Active/Standby Failover .... 376
Configuring Active/Active Failover .... 377
Information About Active/Active Failover .... 377
Active/Active Failover Overview .... 377
Primary/Secondary Status and Active/Standby Status .... 378
Device Initialization and Configuration Synchronization .... 379
Command Replication .... 379
Failover Triggers .... 380
Failover Actions .... 381
Optional Active/Active Failover Settings .... 383
Licensing Requirements for Active/Active Failover .... 383
Prerequisites for Active/Active Failover .... 383
Guidelines and Limitations .... 384
Configuring Active/Active Failover .... 385
Task Flow for Configuring Active/Active Failover .... 385
Configuring the Primary Failover Unit .... 385
Configuring the Secondary Failover Unit .... 388
Configuring Optional Active/Active Failover Settings .... 389
Configuring Failover Group Preemption .... 389
Enabling HTTP Replication with Stateful Failover .... 391
Disabling and Enabling Interface Monitoring .... 391
Configuring Interface Health Monitoring .... 392
Configuring Failover Criteria .... 393
Configuring Virtual MAC Addresses .... 393
Configuring Support for Asymmetrically Routed Packets .... 395
Remote Command Execution .... 398
Changing Command Modes .... 399
Security Considerations .... 400
Limitations of Remote Command Execution .... 400
Controlling Failover .... 400
Forcing Failover .... 400
Disabling Failover .... 401
Restoring a Failed Unit or Failover Group .... 401
Testing the Failover Functionality .... 401
Monitoring Active/Active Failover .... 402
Feature History for Active/Active Failover .... 402
Configuring Interfaces .... 403
Starting Interface Configuration (ASA 5510 and Higher) .... 405
Information About Starting ASA 5510 and Higher Interface Configuration .... 406
Auto-MDI/MDIX Feature .... 406
Interfaces in Transparent Mode .... 406
Management Interface .... 406
Management Interface Overview .... 406
Management Slot/Port Interface .... 407
Using Any Interface for Management-Only Traffic .... 407
Management Interface for Transparent Mode .... 408
No Support for Redundant Management Interfaces .... 408
Management 0/0 Interface on the ASA 5512-X through ASA 5555-X .... 408
Redundant Interfaces .... 409
Redundant Interface MAC Address .... 409
EtherChannels .... 409
Channel Group Interfaces .... 409
Connecting to an EtherChannel on Another Device .... 409
Link Aggregation Control Protocol .... 410
Load Balancing .... 411
EtherChannel MAC Address .... 412
Licensing Requirements for ASA 5510 and Higher Interfaces .... 412
Guidelines and Limitations .... 414
Default Settings .... 416
Starting Interface Configuration (ASA 5510 and Higher) .... 417
Task Flow for Starting Interface Configuration .... 417
Converting In-Use Interfaces to a Redundant or EtherChannel Interface .... 418
Enabling the Physical Interface and Configuring Ethernet Parameters .... 427
Configuring a Redundant Interface .... 430
Configuring a Redundant Interface .... 430
Changing the Active Interface .... 432
Configuring an EtherChannel .... 432
Adding Interfaces to the EtherChannel .... 432
Customizing the EtherChannel .... 434
Configuring VLAN Subinterfaces and 802.1Q Trunking .... 435
Enabling Jumbo Frame Support (Supported Models) .... 437
Monitoring Interfaces .... 438
Configuration Examples for ASA 5510 and Higher Interfaces .... 438
Physical Interface Parameters Example .... 438
Subinterface Parameters Example .... 439
Multiple Context Mode Example .... 439
EtherChannel Example .... 439
Where to Go Next .... 439
Feature History for ASA 5510 and Higher Interfaces .... 440
Starting Interface Configuration (ASA 5505) .... 443
Information About ASA 5505 Interfaces .... 443
Understanding ASA 5505 Ports and Interfaces .... 444
Maximum Active VLAN Interfaces for Your License .... 444
VLAN MAC Addresses .... 446
Power over Ethernet .... 446
Monitoring Traffic Using SPAN .... 446
Auto-MDI/MDIX Feature .... 446
Licensing Requirements for ASA 5505 Interfaces .... 446
Guidelines and Limitations .... 447
Default Settings .... 447
Starting ASA 5505 Interface Configuration .... 448
Task Flow for Starting Interface Configuration .... 448
Configuring VLAN Interfaces .... 448
Configuring and Enabling Switch Ports as Access Ports .... 449
Configuring and Enabling Switch Ports as Trunk Ports .... 451
Monitoring Interfaces .... 453
Configuration Examples for ASA 5505 Interfaces .... 453
Access Port Example .... 453
Trunk Port Example .... 454
Where to Go Next .... 455
Feature History for ASA 5505 Interfaces .... 455
Completing Interface Configuration (Routed Mode) .... 457
Information About Completing Interface Configuration in Routed Mode .... 457
Security Levels .... 457
Dual IP Stack (IPv4 and IPv6) .... 458
Licensing Requirements for Completing Interface Configuration in Routed Mode .... 458
Guidelines and Limitations .... 461
Default Settings .... 462
Completing Interface Configuration in Routed Mode .... 462
Task Flow for Completing Interface Configuration .... 463
Configuring General Interface Parameters .... 463
Configuring the MAC Address and MTU .... 466
Configuring IPv6 Addressing .... 468
Information About IPv6 .... 469
Configuring a Global IPv6 Address .... 469
Configuring IPv6 Neighbor Discovery .... 471
Allowing Same Security Level Communication .... 472
Turning Off and Turning On Interfaces .... 474
Monitoring Interfaces .... 474
Configuration Examples for Interfaces in Routed Mode .... 474
ASA 5505 Example .... 474
Feature History for Interfaces in Routed Mode .... 475
Completing Interface Configuration (Transparent Mode) .... 477
Information About Completing Interface Configuration in Transparent Mode .... 477
Bridge Groups in Transparent Mode .... 478
Security Levels .... 478
Licensing Requirements for Completing Interface Configuration in Transparent Mode .... 479
Guidelines and Limitations .... 481
Default Settings .... 483
Completing Interface Configuration in Transparent Mode .... 483
Task Flow for Completing Interface Configuration .... 484
Configuring Bridge Groups .... 484
Configuring General Interface Parameters .... 485
Configuring a Management Interface (ASA 5510 and Higher) .... 488
Configuring the MAC Address and MTU .... 489
Configuring IPv6 Addressing .... 492
Information About IPv6 .... 492
Configuring a Global IPv6 Address .... 493
Configuring IPv6 Neighbor Discovery .... 494
Allowing Same Security Level Communication .... 494
Turning Off and Turning On Interfaces .... 495
Monitoring Interfaces .... 495
Configuration Examples for Interfaces in Transparent Mode .... 496
Feature History for Interfaces in Transparent Mode .... 497
Configuring Basic Settings .... 499
Configuring Basic Settings .... 501
Configuring the Hostname, Domain Name, and Passwords .... 501
Setting the Login Password .... 502
Changing the Enable Password .... 502
Setting the Hostname .... 503
Setting the Domain Name .... 503
Feature History for the Hostname, Domain Name, and Passwords .... 504
Setting the Date and Time .... 504
Setting the Time Zone and Daylight Saving Time Date Range .... 505
Setting the Date and Time Using an NTP Server .... 506
Setting the Date and Time Manually .... 507
Configuring the Master Passphrase .... 507
Information About the Master Passphrase .... 507
Licensing Requirements for the Master Passphrase .... 508
Guidelines and Limitations .... 508
Adding or Changing the Master Passphrase .... 508
Disabling the Master Passphrase .... 510
Recovering the Master Passphrase .... 511
Feature History for the Master Passphrase .... 512
Configuring the DNS Server .... 512
Performing Password Recovery .... 513
Recovering Passwords for the ASA .... 513
Disabling Password Recovery .... 514
Monitoring DNS Cache .... 515
Configuring DHCP .... 517
Information About DHCP .... 517
Licensing Requirements for DHCP .... 518
Guidelines and Limitations .... 518
Configuring a DHCP Server .... 519
Enabling the DHCP Server .... 520
Configuring DHCP Options .... 521
Options that Return an IP Address .... 521
Options that Return a Text String .... 521
Options that Return a Hexadecimal Value .... 521
Using Cisco IP Phones with a DHCP Server .... 522
Configuring the DHCP Relay Service .... 524
Additional References .... 525
RFCs .... 525
DHCP Monitoring Commands .... 526
Feature History for DHCP .... 526
Configuring Dynamic DNS .... 527
Information About DDNS .... 527
Licensing Requirements for DDNS .... 528
Guidelines and Limitations .... 528
Configuring DDNS .... 528
Configuration Examples for DDNS .... 529
Example 1: Client Updates Both A and PTR RRs for Static IP Addresses .... 529
Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request; FQDN Provided Through Configuration .... 529
Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server Overrides Client and Updates Both RRs .... 530
Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR .... 531
Example 5: Client Updates A RR; Server Updates PTR RR .... 531
DDNS Monitoring Commands .... 532
Feature History for DDNS .... 532
Configuring Objects and Access Lists .... 533
Configuring Objects .... 535
Information About Objects .... 535
Licensing Requirements for Objects .... 535
Guidelines and Limitations .... 535
Configuring Objects .... 536
Configuring Network Objects and Groups .... 536
Configuring a Network Object .... 536
Configuring a Network Object Group .... 537
Configuring Service Objects and Service Groups .... 539
Configuring a Service Object .... 539
Configuring a Service Group .... 540
Configuring a TCP or UDP Port Service Group .... 542
Configuring an ICMP Group .... 544
Configuring a Protocol Group .... 545
Configuring Local User Groups .... 545
Configuring Security Group Object Groups .... 547
Configuring Regular Expressions .... 548
Creating a Regular Expression .... 548
Creating a Regular Expression Class Map .... 551
Configuring Time Ranges .... 552
Monitoring Objects .... 553
Feature History for Objects .... 553
Information About Access Lists .... 555
Access List Types .... 555
Access Control Entry Order .... 556
Access Control Implicit Deny .... 557
IP Addresses Used for Access Lists When You Use NAT .... 557
Where to Go Next .... 557
Adding an Extended Access Control List .... 559
Information About Extended ACLs .... 559
Access Control Entry Order .... 559
NAT and ACLs .... 560
Information About Scheduling Access List Activation .... 560
Licensing Requirements for Extended ACLs .... 561
Guidelines and Limitations .... 561
Default Settings .... 562
Configuring Extended ACLs .... 562
Adding an ACE for IP Address or Fully Qualified Domain Name-Based Policy .... 562
Adding an ACE for TCP or UDP-Based Policy, with Ports .... 564
Adding an ACE for ICMP-Based Policy, with ICMP Type .... 565
Adding an ACE for User-Based Policy (Identity Firewall) .... 565
Adding an ACE for Security Group-Based Policy (TrustSec) .... 566
Adding Remarks to ACLs .... 567
Monitoring Extended ACLs .... 568
Configuration Examples for Extended ACLs .... 568
Configuration Examples for Extended ACLs (No Objects) .... 568
Configuration Examples for Extended ACLs (Using Objects) .... 569
Where to Go Next .... 570
Feature History for Extended ACLs .... 570
Adding an EtherType Access List .... 573
Information About EtherType Access Lists .... 573
Licensing Requirements for EtherType Access Lists .... 573
Guidelines and Limitations .... 574
Default Settings .... 574
Configuring EtherType Access Lists .... 574
Task Flow for Configuring EtherType Access Lists .... 574
Adding EtherType Access Lists .... 575
Adding Remarks to Access Lists .... 576
What to Do Next .... 576
Monitoring EtherType Access Lists .... 576
Configuration Examples for EtherType Access Lists .... 577
Feature History for EtherType Access Lists .... 577
Adding a Standard Access Control List .... 579
Information About Standard Access Lists .... 579
Licensing Requirements for Standard Access Lists .... 579
Guidelines and Limitations .... 579
Default Settings .... 580
Adding Standard Access Lists .... 581
Task Flow for Configuring Extended Access Lists .... 581
Adding a Standard Access List .... 581
Adding Remarks to Access Lists .... 582
What to Do Next .... 582
Monitoring Access Lists .... 582
Configuration Examples for Standard Access Lists .... 582
Feature History for Standard Access Lists .... 583
Adding a Webtype Access Control List .... 585
Licensing Requirements for Webtype Access Lists .... 585
Guidelines and Limitations .... 585
Default Settings .... 586
Using Webtype Access Lists .... 586
Task Flow for Configuring Webtype Access Lists .... 586
Adding Webtype Access Lists with a URL String .... 587
Adding Webtype Access Lists with an IP Address .... 588
Adding Remarks to Access Lists .... 589
What to Do Next .... 589
Monitoring Webtype Access Lists .... 589
Configuration Examples for Webtype Access Lists .... 589
Feature History for Webtype Access Lists .... 591
Configuring Logging for Access Lists .... 593
Configuring Logging for Access Lists .... 593
Information About Logging Access List Activity .... 593
Licensing Requirements for Access List Logging .... 594
Guidelines and Limitations .... 594
Default Settings .... 595
Configuring Access List Logging .... 595
Monitoring Access Lists .... 596
Configuration Examples for Access List Logging .... 596
Feature History for Access List Logging .... 597
Managing Deny Flows .... 597
Information About Managing Deny Flows .... 598
Licensing Requirements for Managing Deny Flows .... 598
Guidelines and Limitations .... 598
Default Settings .... 599
Managing Deny Flows .... 599
Monitoring Deny Flows .... 599
Feature History for Managing Deny Flows .... 600
Configuring IP Routing .... 601
Routing Overview .... 603
Information About Routing .... 603
Switching .... 603
Path Determination .... 604
Supported Route Types .... 604
Static Versus Dynamic .... 605
Single-Path Versus Multipath .... 605
Flat Versus Hierarchical .... 605
Link-State Versus Distance Vector .... 605
How Routing Behaves Within the ASA .... 606
Egress Interface Selection Process .... 606
Next Hop Selection Process .... 606
Supported Internet Protocols for Routing .... 607
Information About the Routing Table .... 607
Displaying the Routing Table .... 608
How the Routing Table Is Populated .... 608
Administrative Distances for Routes .... 609
Backup Routes .... 610
How Forwarding Decisions Are Made .... 610
Dynamic Routing and Failover .... 611
Dynamic Routing and Clustering .... 611
Dynamic Routing in Multiple Context Mode .... 612
Route Resource Management .... 613
Disabling Proxy ARPs .... 613
Configuring Static and Default Routes .... 615
Information About Static and Default Routes .... 615
Licensing Requirements for Static and Default Routes .... 616
Guidelines and Limitations .... 616
Configuring Static and Default Routes .... 616
Configuring a Static Route .... 617
Adding or Editing a Static Route .... 617
Configuring a Default Static Route .... 618
Limitations on Configuring a Default Static Route .... 618
Configuring IPv6 Default and Static Routes .... 619
Monitoring a Static or Default Route .... 620
Configuration Examples for Static or Default Routes .... 622
Feature History for Static and Default Routes .... 623
Defining Route Maps .... 625
Information About Route Maps .... 625
Permit and Deny Clauses .... 626
Match and Set Clause Values .... 626
Licensing Requirements for Route Maps .... 627
Guidelines and Limitations .... 627
Defining a Route Map .... 628
Customizing a Route Map .... 628
Defining a Route to Match a Specific Destination Address .... 628
Configuring the Metric Values for a Route Action .... 629
Configuration Example for Route Maps .... 630
Feature History for Route Maps .... 631
Configuring OSPF .... 633
Information About OSPF .... 633
Implementation Differences Between OSPFv2 and OSPFv3 .... 635
Using Clustering .... 635
Licensing Requirements for OSPF .... 635
Guidelines and Limitations .... 635
Configuring OSPFv2 .... 637
Customizing OSPFv2 .... 638
Redistributing Routes Into OSPFv2 .... 638
Configuring Route Summarization When Redistributing Routes Into OSPFv2 .... 640
Configuring Route Summarization Between OSPFv2 Areas .... 641
Configuring OSPFv2 Interface Parameters .... 642
Configuring OSPFv2 Area Parameters .... 644
Configuring an OSPFv2 NSSA .... 645
Configuring an IP Address Pool for Clustering (OSPFv2 and OSPFv3) .... 647
Defining Static OSPFv2 Neighbors .... 647
Configuring Route Calculation Timers .... 648
Logging Neighbors Going Up or Down .... 648
Configuring OSPFv3 .... 649
Enabling OSPFv3 .... 650
Configuring OSPFv3 Interface Parameters .... 651
Configuring OSPFv3 Router Parameters .... 656
Configuring OSPFv3 Area Parameters .... 658
Configuring OSPFv3 Passive Interfaces .... 661
Configuring OSPFv3 Administrative Distance .... 661
Configuring OSPFv3 Timers .... 662
Defining Static OSPFv3 Neighbors .... 665
Resetting OSPFv3 Default Parameters .... 667
Sending Syslog Messages .... 668
Suppressing Syslog Messages .... 668
Calculating Summary Route Costs .... 669
Generating a Default External Route into an OSPFv3 Routing Domain .... 669
Configuring an IPv6 Summary Prefix .... 670
Redistributing IPv6 Routes .... 671
Removing the OSPF Configuration .... 673
Configuration Example for OSPFv2 .... 673
Configuration Examples for OSPFv3 .... 674
Monitoring OSPF .... 676
Additional References .... 678
RFCs .... 678
Feature History for OSPF .... 679
Configuring EIGRP .... 681
Information About EIGRP .... 681
Using Clustering .... 682
Licensing Requirements for EIGRP .... 682
Guidelines and Limitations .... 683
Configuring EIGRP .... 683
Enabling EIGRP .... 684
Enabling EIGRP Stub Routing .... 684
Customizing EIGRP .... 685
Defining a Network for an EIGRP Routing Process .... 686
Configuring Interfaces for EIGRP .... 687
Configuring Passive Interfaces .... 688
Configuring the Summary Aggregate Addresses on Interfaces .... 689
Changing the Interface Delay Value .... 690
Enabling EIGRP Authentication on an Interface .... 690
Defining an EIGRP Neighbor .... 692
Redistributing Routes Into EIGRP .... 692
Filtering Networks in EIGRP .... 694
Customizing the EIGRP Hello Interval and Hold Time .... 695
Disabling Automatic Route Summarization .... 696
Configuring Default Information in EIGRP .... 696
Disabling EIGRP Split Horizon .... 697
Restarting the EIGRP Process .... 698
Monitoring EIGRP .... 698
Configuration Example for EIGRP .... 699
Feature History for EIGRP .... 700
Configuring RIP .... 701
Information About RIP .... 701
Routing Update Process .... 702
RIP Routing Metric .... 702
RIP Stability Features .... 702
RIP Timers .... 702
Using Clustering .... 703
Licensing Requirements for RIP .... 703
Guidelines and Limitations .... 703
Configuring RIP .... 704
Enabling RIP .... 704
Customizing RIP .... 704
Configuring the RIP Version .... 705
Configuring Interfaces for RIP .... 706
Configuring the RIP Send and Receive Version on an Interface .... 706
Configuring Route Summarization .... 707
Filtering Networks in RIP .... 708
Redistributing Routes into the RIP Routing Process .... 708
Enabling RIP Authentication .... 709
Restarting the RIP Process .... 710
Monitoring RIP .... 711
Configuration Example for RIP .... 711
Feature History for RIP .... 712
Configuring Multicast Routing .... 713
Information About Multicast Routing .... 713
Stub Multicast Routing .... 714
PIM Multicast Routing .... 714
Multicast Group Concept .... 714
Multicast Addresses .... 714
Clustering .... 714
Licensing Requirements for Multicast Routing .... 715
Guidelines and Limitations .... 715
Enabling Multicast Routing .... 715
Customizing Multicast Routing .... 716
Configuring Stub Multicast Routing and Forwarding IGMP Messages .... 716
Configuring a Static Multicast Route .... 717
Configuring IGMP Features .... 717
Disabling IGMP on an Interface .... 718
Configuring IGMP Group Membership .... 719
Configuring a Statically Joined IGMP Group .... 719
Controlling Access to Multicast Groups .... 720
Limiting the Number of IGMP States on an Interface .... 720
Modifying the Query Messages to Multicast Groups .... 720
Changing the IGMP Version .... 721
Configuring PIM Features .... 722
Enabling and Disabling PIM on an Interface .... 722
Configuring a Static Rendezvous Point Address .... 723
Configuring the Designated Router Priority .... 723
Configuring and Filtering PIM Register Messages .... 724
Configuring PIM Message Intervals .... 724
Filtering PIM Neighbors .... 724
Configuring a Bidirectional Neighbor Filter .... 725
Configuring a Multicast Boundary .... 726
Configuration Example for Multicast Routing .... 727
Additional References .... 727
Related Documents .... 728
RFCs .... 728
Feature History for Multicast Routing .... 728
Configuring IPv6 Neighbor Discovery .... 729
Information About IPv6 Neighbor Discovery .... 729
Neighbor Solicitation Messages .... 730
Neighbor Reachable Time .... 730
Duplicate Address Detection .... 730
Router Advertisement Messages .... 731
Static IPv6 Neighbors .... 732
Licensing Requirements for IPv6 Neighbor Discovery .... 732
Prerequisites for IPv6 Neighbor Discovery .... 732
Guidelines and Limitations .... 732
Default Settings for IPv6 Neighbor Discovery .... 734
Configuring IPv6 Neighbor Discovery .... 734
Entering Interface Configuration Mode .... 734
Configuring the Neighbor Solicitation Message Interval .... 735
Configuring the Neighbor Reachable Time .... 736
Configuring the Router Advertisement Transmission Interval .... 736
Configuring the Router Lifetime Value .... 737
Configuring DAD Settings .... 737
Suppressing Router Advertisement Messages .... 738
Configuring Address Config Flags for IPv6 DHCP Relay .... 739
Configuring the IPv6 Prefix in Router Advertisements .... 740
Configuring a Static IPv6 Neighbor .... 741
Monitoring IPv6 Neighbor Discovery .... 742
Additional References .... 742
Related Documents for IPv6 Prefixes .... 743
RFCs for IPv6 Prefixes and Documentation .... 743
Feature History for IPv6 Neighbor Discovery .... 743
Configuring Network Address Translation
745
Information About NAT
747
Why Use NAT?
747
NAT Terminology
748
NAT Types
749
NAT Types Overview
749
Static NAT
749
Information About Static NAT
749
Information About Static NAT with Port Translation
750
Information About One-to-Many Static NAT
751
Information About Other Mapping Scenarios (Not Recommended)
752
Dynamic NAT
753
Information About Dynamic NAT
753
Dynamic NAT Disadvantages and Advantages
754
Dynamic PAT
754
Information About Dynamic PAT
754
Per-Session PAT vs. Multi-Session PAT
755
Dynamic PAT Disadvantages and Advantages
755
Identity NAT
756
NAT in Routed and Transparent Mode
756
NAT in Routed Mode
757
NAT in Transparent Mode
757
NAT and IPv6
759
How NAT is Implemented
759
Main Differences Between Network Object NAT and Twice NAT
759
Information About Network Object NAT
760
Information About Twice NAT
760
NAT Rule Order
764
NAT Interfaces
765
Routing NAT Packets
765
Mapped Addresses and Routing
765
Transparent Mode Routing Requirements for Remote Networks
767
Determining the Egress Interface
768
NAT for VPN
768
NAT and Remote Access VPN
769
NAT and Site-to-Site VPN
770
NAT and VPN Management Access
772
Troubleshooting NAT and VPN
774
DNS and NAT
774
Where to Go Next
779
Configuring Network Object NAT
781
Information About Network Object NAT
781
Licensing Requirements for Network Object NAT
782
Prerequisites for Network Object NAT
782
Guidelines and Limitations
782
Default Settings
783
Configuring Network Object NAT
783
Adding Network Objects for Mapped Addresses
784
Configuring Dynamic NAT
785
Configuring Dynamic PAT (Hide)
787
Configuring Static NAT or Static NAT-with-Port-Translation
791
Configuring Identity NAT
794
Configuring Per-Session PAT Rules
796
Monitoring Network Object NAT
797
Configuration Examples for Network Object NAT
798
Providing Access to an Inside Web Server (Static NAT)
799
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
799
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)
801
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
802
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)
803
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification)
805
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification)
806
Feature History for Network Object NAT
808
Configuring Twice NAT
813
Information About Twice NAT
813
Licensing Requirements for Twice NAT
814
Prerequisites for Twice NAT
814
Guidelines and Limitations
814
Default Settings
816
Configuring Twice NAT
816
Adding Network Objects for Real and Mapped Addresses
816
(Optional) Adding Service Objects for Real and Mapped Ports
818
Configuring Dynamic NAT
819
Configuring Dynamic PAT (Hide)
823
Configuring Static NAT or Static NAT-with-Port-Translation
830
Configuring Identity NAT
833
Configuring Per-Session PAT Rules
836
Monitoring Twice NAT
836
Configuration Examples for Twice NAT
836
Different Translation Depending on the Destination (Dynamic PAT)
837
Different Translation Depending on the Destination Address and Port (Dynamic PAT)
838
Feature History for Twice NAT
840
Configuring AAA Servers and the Local Database
845
Configuring AAA Servers and the Local Database
847
Information About AAA
847
Information About Authentication
848
Information About Authorization
848
Information About Accounting
849
Summary of Server Support
849
RADIUS Server Support
850
Authentication Methods
850
Attribute Support
850
RADIUS Authorization Functions
851
TACACS+ Server Support
851
RSA/SDI Server Support
851
RSA/SDI Version Support
851
Two-step Authentication Process
851
RSA/SDI Primary and Replica Servers
852
NT Server Support
852
Kerberos Server Support
852
LDAP Server Support
852
Authentication with LDAP
852
LDAP Server Types
853
HTTP Forms Authentication for Clientless SSL VPN
854
Local Database Support, Including as a Fallback Method
854
How Fallback Works with Multiple Servers in a Group
854
Using Certificates and User Login Credentials
855
Using User Login Credentials
855
Using Certificates
855
Licensing Requirements for AAA Servers
856
Guidelines and Limitations
856
Configuring AAA
856
Task Flow for Configuring AAA
857
Configuring AAA Server Groups
857
Configuring Authorization with LDAP for VPN
864
Configuring LDAP Attribute Maps
866
Adding a User Account to the Local Database
868
Configuring VPN Policy Attributes for a User
875
Authenticating Users with a Public Key for SSH
875
Differentiating User Roles Using AAA
875
Using Local Authentication
876
Using RADIUS Authentication
876
Using LDAP Authentication
876
Using TACACS+ Authentication
877
Monitoring AAA Servers
877
Additional References
879
RFCs
879
Feature History for AAA Servers
879
Configuring the Identity Firewall
881
Information About the Identity Firewall
881
Overview of the Identity Firewall
881
Architecture for Identity Firewall Deployments
882
Features of the Identity Firewall
883
Deployment Scenarios
884
Licensing for the Identity Firewall
887
Guidelines and Limitations
887
Prerequisites
888
Configuring the Identity Firewall
889
Task Flow for Configuring the Identity Firewall
889
Configuring the Active Directory Domain
890
Configuring Active Directory Agents
892
Configuring Identity Options
893
Configuring Identity-Based Security Policy
898
Collecting User Statistics
901
Monitoring the Identity Firewall
901
Monitoring AD Agents
902
Monitoring Groups
902
Monitoring Memory Usage for the Identity Firewall
902
Monitoring Users for the Identity Firewall
903
Feature History for the Identity Firewall
904
Configuring the ASA to Integrate with Cisco TrustSec
905
Information About the ASA Integrated with Cisco TrustSec
905
Information about Cisco TrustSec
905
About SGT and SXP Support in Cisco TrustSec
906
Roles in the Cisco TrustSec Solution
907
Security Group Policy Enforcement
907
How the ASA Enforces Security Group Based Policies
908
About Speaker and Listener Roles on the ASA
909
Features of the ASA-Cisco TrustSec Integration
910
Licensing Requirements when Integrating the ASA with Cisco TrustSec
911
Prerequisites for Integrating the ASA with Cisco TrustSec
912
Guidelines and Limitations
913
Configuring the ASA for Cisco TrustSec Integration
914
Task Flow for Configuring the ASA to Integrate with Cisco TrustSec
915
Configuring the AAA Server for Cisco TrustSec Integration
915
Importing a Protected Access Credential (PAC) File
917
Configuring the Security Exchange Protocol (SXP)
918
Adding an SXP Connection Peer
921
Refreshing Environment Data
923
Configuring the Security Policy
924
Collecting User Statistics
925
Configuration Example
925
Monitoring the ASA Integrated with Cisco TrustSec
926
Displaying the Cisco TrustSec Configuration for the ASA
926
Monitoring SXP Connections
926
Monitoring Environment Data
929
Monitoring Cisco TrustSec IP-SGT Mappings
930
Monitoring the PAC File
934
Feature History for the ASA-Cisco TrustSec Integration
935
Configuring Digital Certificates
937
Information About Digital Certificates
937
Public Key Cryptography
938
Certificate Scalability
938
Key Pairs
938
Trustpoints
939
Certificate Enrollment
939
Proxy for SCEP Requests
939
Revocation Checking
940
Supported CA Servers
940
CRLs
940
OCSP
941
The Local CA
942
Storage for Local CA Files
942
The Local CA Server
942
Licensing Requirements for Digital Certificates
943
Prerequisites for Local Certificates
943
Prerequisites for SCEP Proxy Support
943
Guidelines and Limitations
944
Configuring Digital Certificates
945
Configuring Key Pairs
946
Removing Key Pairs
946
Configuring Trustpoints
947
Configuring CRLs for a Trustpoint
949
Exporting a Trustpoint Configuration
951
Importing a Trustpoint Configuration
952
Configuring CA Certificate Map Rules
953
Obtaining Certificates Manually
954
Obtaining Certificates Automatically with SCEP
956
Configuring Proxy Support for SCEP Requests
957
Enabling the Local CA Server
958
Configuring the Local CA Server
959
Customizing the Local CA Server
961
Debugging the Local CA Server
962
Disabling the Local CA Server
962
Deleting the Local CA Server
962
Configuring Local CA Certificate Characteristics
963
Configuring the Issuer Name
964
Configuring the CA Certificate Lifetime
964
Configuring the User Certificate Lifetime
965
Configuring the CRL Lifetime
966
Configuring the Server Keysize
966
Setting Up External Local CA File Storage
967
Downloading CRLs
969
Storing CRLs
970
Setting Up Enrollment Parameters
971
Adding and Enrolling Users
972
Renewing Users
974
Restoring Users
975
Removing Users
975
Revoking Certificates
976
Maintaining the Local CA Certificate Database
976
Rolling Over Local CA Certificates
976
Archiving the Local CA Server Certificate and Keypair
977
Monitoring Digital Certificates
977
Feature History for Certificate Management
979
Configuring Access Control
981
Configuring Access Rules
983
Information About Access Rules
983
General Information About Rules
984
Implicit Permits
984
Information About Interface Access Rules and Global Access Rules
984
Using Access Rules and EtherType Rules on the Same Interface
984
Implicit Deny
985
Inbound and Outbound Rules
985
Information About Extended Access Rules
986
Access Rules for Returning Traffic
986
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
987
Management Access Rules
987
Information About EtherType Rules
987
Supported EtherTypes and Other Traffic
988
Access Rules for Returning Traffic
988
Allowing MPLS
988
Licensing Requirements for Access Rules
988
Prerequisites
988
Guidelines and Limitations
989
Default Settings
989
Configuring Access Rules
989
Monitoring Access Rules
991
Configuration Examples for Permitting or Denying Network Access
991
Feature History for Access Rules
992
Configuring Management Access
995
Configuring ASA Access for ASDM, Telnet, or SSH
995
Licensing Requirements for ASA Access for ASDM, Telnet, or SSH
995
Guidelines and Limitations
996
Configuring Telnet Access
997
Using a Telnet Client
997
Configuring SSH Access
998
Using an SSH Client
999
Configuring HTTPS Access for ASDM
1000
Configuring CLI Parameters
1000
Licensing Requirements for CLI Parameters
1001
Guidelines and Limitations
1001
Configuring a Login Banner
1001
Customizing a CLI Prompt
1002
Changing the Console Timeout
1003
Configuring ICMP Access
1004
Information About ICMP Access
1004
Licensing Requirements for ICMP Access
1004
Guidelines and Limitations
1005
Default Settings
1005
Configuring ICMP Access
1006
Configuring Management Access Over a VPN Tunnel
1007
Licensing Requirements for a Management Interface
1007
Guidelines and Limitations
1007
Configuring a Management Interface
1008
Configuring AAA for System Administrators
1008
Information About AAA for System Administrators
1008
Information About Management Authentication
1009
Information About Command Authorization
1010
Licensing Requirements for AAA for System Administrators
1012
Prerequisites
1012
Guidelines and Limitations
1013
Default Settings
1013
Configuring Authentication for CLI and ASDM Access
1014
Configuring Authentication to Access Privileged EXEC Mode (the enable Command)
1014
Configuring Authentication for the enable Command
1015
Authenticating Users with the login Command
1015
Limiting User CLI and ASDM Access with Management Authorization
1016
Configuring Command Authorization
1018
Configuring Local Command Authorization
1018
Viewing Local Command Privilege Levels
1022
Configuring Commands on the TACACS+ Server
1023
Configuring TACACS+ Command Authorization
1024
Configuring Management Access Accounting
1024
Viewing the Currently Logged-In User
1025
Recovering from a Lockout
1026
Feature History for Management Access
1027
Configuring AAA Rules for Network Access
1029
AAA Performance
1029
Licensing Requirements for AAA Rules
1029
Guidelines and Limitations
1030
Configuring Authentication for Network Access
1030
Information About Authentication
1030
One-Time Authentication
1031
Applications Required to Receive an Authentication Challenge
1031
ASA Authentication Prompts
1031
AAA Prompts and Identity Firewall
1032
AAA Rules as a Backup Authentication Method
1033
Static PAT and HTTP
1033
Configuring Network Access Authentication
1035
Enabling Secure Authentication of Web Clients
1038
Authenticating Directly with the ASA
1039
Authenticating HTTP(S) Connections with a Virtual Server
1039
Authenticating Telnet Connections with a Virtual Server
1040
Configuring Authorization for Network Access
1042
Configuring TACACS+ Authorization
1042
Configuring RADIUS Authorization
1045
Configuring a RADIUS Server to Send Downloadable Access Control Lists
1045
Configuring a RADIUS Server to Download Per-User Access Control List Names
1049
Configuring Accounting for Network Access
1049
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
1051
Feature History for AAA Rules
1053
Configuring Web Cache Services Using WCCP
1055
Information About WCCP
1055
Guidelines and Limitations
1055
Licensing Requirements for WCCP
1057
Enabling WCCP Redirection
1057
WCCP Monitoring Commands
1059
Feature History for WCCP
1059
Configuring Service Policies Using the Modular Policy Framework
1061
Configuring a Service Policy Using the Modular Policy Framework
1063
Information About Service Policies
1063
Supported Features
1064
Feature Directionality
1064
Feature Matching Within a Service Policy
1065
Order in Which Multiple Feature Actions are Applied
1066
Incompatibility of Certain Feature Actions
1067
Feature Matching for Multiple Service Policies
1068
Licensing Requirements for Service Policies
1068
Guidelines and Limitations
1068
Default Settings
1070
Default Configuration
1070
Default Class Maps
1071
Task Flows for Configuring Service Policies
1071
Task Flow for Using the Modular Policy Framework
1071
Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
1073
Identifying Traffic (Layer 3/4 Class Maps)
1074
Creating a Layer 3/4 Class Map for Through Traffic
1074
Creating a Layer 3/4 Class Map for Management Traffic
1077
Defining Actions (Layer 3/4 Policy Map)
1077
Applying Actions to an Interface (Service Policy)
1079
Monitoring Modular Policy Framework
1080
Configuration Examples for Modular Policy Framework
1080
Applying Inspection and QoS Policing to HTTP Traffic
1081
Applying Inspection to HTTP Traffic Globally
1081
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
1082
Applying Inspection to HTTP Traffic with NAT
1083
Feature History for Service Policies
1084
Configuring Special Actions for Application Inspections (Inspection Policy Map)
1085
Information About Inspection Policy Maps
1085
Guidelines and Limitations
1086
Default Inspection Policy Maps
1087
Defining Actions in an Inspection Policy Map
1088
Identifying Traffic in an Inspection Class Map
1089
Where to Go Next
1091
Feature History for Inspection Policy Maps
1091
Configuring Application Inspection
1093
Getting Started with Application Layer Protocol Inspection
1095
Information about Application Layer Protocol Inspection
1095
How Inspection Engines Work
1095
When to Use Application Protocol Inspection
1096
Guidelines and Limitations
1097
Default Settings
1098
Configuring Application Layer Protocol Inspection
1101
Configuring Inspection of Basic Internet Protocols
1107
DNS Inspection
1107
Information About DNS Inspection
1108
General Information About DNS
1108
DNS Inspection Actions
1108
Default Settings for DNS Inspection
1108
(Optional) Configuring a DNS Inspection Policy Map and Class Map
1109
Configuring DNS Inspection
1114
Monitoring DNS Inspection
1115
FTP Inspection
1116
FTP Inspection Overview
1116
Using the strict Option
1117
Configuring an FTP Inspection Policy Map for Additional Inspection Control
1118
Verifying and Monitoring FTP Inspection
1121
HTTP Inspection
1121
HTTP Inspection Overview
1121
Configuring an HTTP Inspection Policy Map for Additional Inspection Control
1122
ICMP Inspection
1126
ICMP Error Inspection
1126
Instant Messaging Inspection
1126
IM Inspection Overview
1127
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
1127
IP Options Inspection
1130
IP Options Inspection Overview
1130
Configuring an IP Options Inspection Policy Map for Additional Inspection Control
1131
IPsec Pass Through Inspection
1131
IPsec Pass Through Inspection Overview
1132
Example for Defining an IPsec Pass Through Parameter Map
1132
IPv6 Inspection
1132
Information about IPv6 Inspection
1133
Default Settings for IPv6 Inspection
1133
(Optional) Configuring an IPv6 Inspection Policy Map
1133
Configuring IPv6 Inspection
1135
NetBIOS Inspection
1136
NetBIOS Inspection Overview
1136
Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control
1136
PPTP Inspection
1138
SMTP and Extended SMTP Inspection
1138
SMTP and ESMTP Inspection Overview
1138
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
1140
TFTP Inspection
1141
Configuring Inspection for Voice and Video Protocols
1143
CTIQBE Inspection
1143
CTIQBE Inspection Overview
1143
Limitations and Restrictions
1144
Verifying and Monitoring CTIQBE Inspection
1144
H.323 Inspection
1145
H.323 Inspection Overview
1146
How H.323 Works
1146
H.239 Support in H.245 Messages
1147
Limitations and Restrictions
1147
Configuring an H.323 Inspection Policy Map for Additional Inspection Control
1148
Configuring H.323 and H.225 Timeout Values
1151
Verifying and Monitoring H.323 Inspection
1151
Monitoring H.225 Sessions
1152
Monitoring H.245 Sessions
1152
Monitoring H.323 RAS Sessions
1153
MGCP Inspection
1153
MGCP Inspection Overview
1153
Configuring an MGCP Inspection Policy Map for Additional Inspection Control
1155
Configuring MGCP Timeout Values
1156
Verifying and Monitoring MGCP Inspection
1156
RTSP Inspection
1157
RTSP Inspection Overview
1157
Using RealPlayer
1157
Restrictions and Limitations
1158
Configuring an RTSP Inspection Policy Map for Additional Inspection Control
1158
SIP Inspection
1160
SIP Inspection Overview
1161
SIP Instant Messaging
1161
Configuring a SIP Inspection Policy Map for Additional Inspection Control
1162
Configuring SIP Timeout Values
1166
Verifying and Monitoring SIP Inspection
1166
Skinny (SCCP) Inspection
1167
SCCP Inspection Overview
1167
Supporting Cisco IP Phones
1168
Restrictions and Limitations
1168
Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control
1169
Verifying and Monitoring SCCP Inspection
1171
Configuring Inspection of Database and Directory Protocols
1173
ILS Inspection
1173
SQL*Net Inspection
1174
Sun RPC Inspection
1175
Sun RPC Inspection Overview
1175
Managing Sun RPC Services
1176
Verifying and Monitoring Sun RPC Inspection
1176
Configuring Inspection for Management Application Protocols
1179
DCERPC Inspection
1179
DCERPC Overview
1179
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
1180
GTP Inspection
1181
GTP Inspection Overview
1181
Configuring a GTP Inspection Policy Map for Additional Inspection Control
1182
Verifying and Monitoring GTP Inspection
1185
RADIUS Accounting Inspection
1186
RADIUS Accounting Inspection Overview
1187
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control
1187
RSH Inspection
1188
SNMP Inspection
1188
SNMP Inspection Overview
1188
Configuring an SNMP Inspection Policy Map for Additional Inspection Control
1188
XDMCP Inspection
1189
Configuring Unified Communications
1191
Information About Cisco Unified Communications Proxy Features
1193
Information About the Adaptive Security Appliance in Cisco Unified Communications
1193
TLS Proxy Applications in Cisco Unified Communications
1195
Licensing for Cisco Unified Communications Proxy Features
1196
Configuring the Cisco Phone Proxy
1199
Information About the Cisco Phone Proxy
1199
Phone Proxy Functionality
1199
Supported Cisco UCM and IP Phones for the Phone Proxy
1201
Licensing Requirements for the Phone Proxy
1202
Prerequisites for the Phone Proxy
1204
Media Termination Instance Prerequisites
1204
Certificates from the Cisco UCM
1205
DNS Lookup Prerequisites
1205
Cisco Unified Communications Manager Prerequisites
1205
Access List Rules
1205
NAT and PAT Prerequisites
1206
Prerequisites for IP Phones on Multiple Interfaces
1207
7960 and 7940 IP Phones Support
1207
Cisco IP Communicator Prerequisites
1208
Prerequisites for Rate Limiting TFTP Requests
1209
Rate Limiting Configuration Example
1209
About ICMP Traffic Destined for the Media Termination Address
1209
End-User Phone Provisioning
1210
Ways to Deploy IP Phones to End Users
1210
Phone Proxy Guidelines and Limitations
1210
General Guidelines and Limitations
1211
Media Termination Address Guidelines and Limitations
1212
Configuring the Phone Proxy
1212
Task Flow for Configuring the Phone Proxy in a Non-secure Cisco UCM Cluster
1213
Importing Certificates from the Cisco UCM
1213
Task Flow for Configuring the Phone Proxy in a Mixed-mode Cisco UCM Cluster
1215
Creating Trustpoints and Generating Certificates
1216
Creating the CTL File
1217
Using an Existing CTL File
1218
Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster
1219
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
1219
Creating the Media Termination Instance
1221
Creating the Phone Proxy Instance
1222
Enabling the Phone Proxy with SIP and Skinny Inspection
1224
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy
1225
Configuring Your Router
1226
Troubleshooting the Phone Proxy
1226
Debugging Information from the Security Appliance
1226
Debugging Information from IP Phones
1230
IP Phone Registration Failure
1231
TFTP Auth Error Displays on IP Phone Console
1231
Configuration File Parsing Error
1232
Configuration File Parsing Error: Unable to Get DNS Response
1232
Non-configuration File Parsing Error
1233
Cisco UCM Does Not Respond to TFTP Request for Configuration File
1233
IP Phone Does Not Respond After the Security Appliance Sends TFTP Data
1234
IP Phone Requesting Unsigned File Error
1235
IP Phone Unable to Download CTL File
1235
IP Phone Registration Failure from Signaling Connections
1236
SSL Handshake Failure
1238
Certificate Validation Errors
1239
Media Termination Address Errors
1239
Audio Problems with IP Phones
1240
Saving SAST Keys
1240
Configuration Examples for the Phone Proxy
1242
Example 1: Nonsecure Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
1242
Example 2: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Publisher
1244
Example 3: Mixed-mode Cisco UCM cluster, Cisco UCM and TFTP Server on Different Servers
1245
Example 4: Mixed-mode Cisco UCM cluster, Primary Cisco UCM, Secondary and TFTP Server on Different Servers
1246
Example 5: LSC Provisioning in Mixed-mode Cisco UCM cluster; Cisco UCM and TFTP Server on Publisher
1248
Example 6: VLAN Transversal
1250
Feature History for the Phone Proxy
1252
Configuring the TLS Proxy for Encrypted Voice Inspection
1253
Information about the TLS Proxy for Encrypted Voice Inspection
1253
Decryption and Inspection of Unified Communications Encrypted Signaling
1254
Supported Cisco UCM and IP Phones for the TLS Proxy
1254
CTL Client Overview
1255
Licensing for the TLS Proxy
1257
Prerequisites for the TLS Proxy for Encrypted Voice Inspection
1259
Configuring the TLS Proxy for Encrypted Voice Inspection
1259
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection
1260
Creating Trustpoints and Generating Certificates
1261
Creating an Internal CA
1262
Creating a CTL Provider Instance
1263
Creating the TLS Proxy Instance
1264
Enabling the TLS Proxy Instance for Skinny or SIP Inspection
1265
Monitoring the TLS Proxy
1267
Feature History for the TLS Proxy for Encrypted Voice Inspection
1269
Configuring Cisco Mobility Advantage
1271
Information about the Cisco Mobility Advantage Proxy Feature
1271
Cisco Mobility Advantage Proxy Functionality
1271
Mobility Advantage Proxy Deployment Scenarios
1272
Mobility Advantage Proxy Using NAT/PAT
1274
Trust Relationships for Cisco UMA Deployments
1275
Licensing for the Cisco Mobility Advantage Proxy Feature
1276
Configuring Cisco Mobility Advantage
1276
Task Flow for Configuring Cisco Mobility Advantage
1277
Installing the Cisco UMA Server Certificate
1277
Creating the TLS Proxy Instance
1278
Enabling the TLS Proxy for MMP Inspection
1279
Monitoring for Cisco Mobility Advantage
1280
Configuration Examples for Cisco Mobility Advantage
1281
Example 1: Cisco UMC/Cisco UMA Architecture – Security Appliance as Firewall with TLS Proxy and MMP Inspection
1281
Example 2: Cisco UMC/Cisco UMA Architecture – Security Appliance as TLS Proxy Only
1282
Feature History for Cisco Mobility Advantage
1284
Configuring Cisco Unified Presence
1285
Information About Cisco Unified Presence
1285
Architecture for Cisco Unified Presence for SIP Federation Deployments
1285
Trust Relationship in the Presence Federation
1288
Security Certificate Exchange Between Cisco UP and the Security Appliance
1289
XMPP Federation Deployments
1289
Configuration Requirements for XMPP Federation
1290
Licensing for Cisco Unified Presence
1291
Configuring Cisco Unified Presence Proxy for SIP Federation
1293
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation
1293
Creating Trustpoints and Generating Certificates
1294
Installing Certificates
1294
Creating the TLS Proxy Instance
1296
Enabling the TLS Proxy for SIP Inspection
1297
Monitoring Cisco Unified Presence
1298
Configuration Example for Cisco Unified Presence
1299
Example Configuration for SIP Federation Deployments
1299
Example Access List Configuration for XMPP Federation
1301
Example NAT Configuration for XMPP Federation
1302
Feature History for Cisco Unified Presence
1304
Configuring Cisco Intercompany Media Engine Proxy
1305
Information About Cisco Intercompany Media Engine Proxy
1305
Features of Cisco Intercompany Media Engine Proxy
1305
How the UC-IME Works with the PSTN and the Internet
1306
Tickets and Passwords
1307
Call Fallback to the PSTN
1309
Architecture and Deployment Scenarios for Cisco Intercompany Media Engine
1309
Architecture
1309
Basic Deployment
1310
Off Path Deployment
1311
Licensing for Cisco Intercompany Media Engine
1312
Guidelines and Limitations
1313
Configuring Cisco Intercompany Media Engine Proxy
1315
Troubleshooting Cisco Intercompany Media Engine Proxy
1331
Feature History for Cisco Intercompany Media Engine Proxy
1331
Configuring Connection Settings and QoS
1333
Configuring Connection Settings
1335
Information About Connection Settings
1335
TCP Intercept and Limiting Embryonic Connections
1336
Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility
1336
Dead Connection Detection (DCD)
1336
TCP Sequence Randomization
1337
TCP Normalization
1337
TCP State Bypass
1337
Licensing Requirements for Connection Settings
1338
Guidelines and Limitations
1339
TCP State Bypass Guidelines and Limitations
1339
Default Settings
1339
Configuring Connection Settings
1340
Task Flow For Configuring Configuration Settings (Except Global Timeouts)
1340
Customizing the TCP Normalizer with a TCP Map
1340
Configuring Connection Settings
1344
Monitoring Connection Settings
1348
Monitoring TCP State Bypass
1348
Configuration Examples for Connection Settings
1348
Configuration Examples for Connection Limits and Timeouts
1349
Configuration Examples for TCP State Bypass
1349
Configuration Examples for TCP Normalization
1349
Feature History for Connection Settings
1350
Configuring QoS
1351
Information About QoS
1351
Supported QoS Features
1352
What is a Token Bucket?
1352
Information About Policing
1353
Information About Priority Queuing
1353
Information About Traffic Shaping
1354
How QoS Features Interact
1354
DSCP and DiffServ Preservation
1355
Licensing Requirements for QoS
1355
Guidelines and Limitations
1355
Configuring QoS
1356
Determining the Queue and TX Ring Limits for a Standard Priority Queue
1357
Configuring the Standard Priority Queue for an Interface
1358
Configuring a Service Rule for Standard Priority Queuing and Policing
1359
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing
1363
(Optional) Configuring the Hierarchical Priority Queuing Policy
1363
Configuring the Service Rule
1364
Monitoring QoS
1366
Viewing QoS Police Statistics
1366
Viewing QoS Standard Priority Statistics
1367
Viewing QoS Shaping Statistics
1367
Viewing QoS Standard Priority Queue Statistics
1368
Feature History for QoS
1369
Troubleshooting Connections and Resources
1371
Testing Your Configuration
1371
Enabling ICMP Debugging Messages and Syslog Messages
1372
Pinging ASA Interfaces
1373
Passing Traffic Through the ASA
1375
Disabling the Test Configuration
1376
Determining Packet Routing with Traceroute
1377
Tracing Packets with Packet Tracer
1377
Monitoring Per-Process CPU Usage
1377
Configuring Advanced Network Protection
1379
Configuring the ASA for Cisco Cloud Web Security
1381
Information About Cisco Cloud Web Security
1382
Redirection of Web Traffic to Cloud Web Security
1382
User Authentication and Cloud Web Security
1382
Authentication Keys
1383
Company Authentication Key
1383
Group Authentication Key
1383
ScanCenter Policy
1384
Directory Groups
1384
Custom Groups
1384
How Groups and the Authentication Key Interoperate
1385
Cloud Web Security Actions
1385
Bypassing Scanning with Whitelists
1385
IPv4 and IPv6 Support
1386
Failover from Primary to Backup Proxy Server
1386
Licensing Requirements for Cisco Cloud Web Security
1386
Prerequisites for Cloud Web Security
1387
Guidelines and Limitations
1387
Default Settings
1388
Configuring Cisco Cloud Web Security
1388
Configuring Communication with the Cloud Web Security Proxy Server
1388
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context
1389
Configuring a Service Policy to Send Traffic to Cloud Web Security
1390
(Optional) Configuring Whitelisted Traffic
1394
(Optional) Configuring the User Identity Monitor
1395
Configuring the Cloud Web Security Policy
1395
Monitoring Cloud Web Security
1396
Configuration Examples for Cisco Cloud Web Security
1397
Single Mode Example
1397
Multiple Mode Example
1398
Whitelist Example
1398
Directory Integration Examples
1399
Configuring the Active Directory Server Using LDAP
1399
Configuring the Active Directory Agent Using RADIUS
1400
Creating the ASA as a Client on the AD Agent Server
1400
Creating a Link Between the AD Agent and DCs
1400
Testing the AD Agent
1400
Configuring the Identity Options on the ASA
1400
Configuring the User Identity Options and Enabling Granular Reporting
1400
Monitoring the Active Directory Groups
1401
Downloading the Entire Active-User Database from the Active Directory Server
1401
Downloading the Database from the AD Agent
1401
Showing a List of Active Users
1401
Cloud Web Security with Identity Firewall Example
1401
Related Documents
1405
Feature History for Cisco Cloud Web Security
1405
Configuring the Botnet Traffic Filter
1407
Information About the Botnet Traffic Filter
1407
Botnet Traffic Filter Address Types
1408
Botnet Traffic Filter Actions for Known Addresses
1408
Botnet Traffic Filter Databases
1408
Information About the Dynamic Database
1408
Information About the Static Database
1409
Information About the DNS Reverse Lookup Cache and DNS Host Cache
1410
How the Botnet Traffic Filter Works
1411
Licensing Requirements for the Botnet Traffic Filter
1412
Prerequisites for the Botnet Traffic Filter
1412
Guidelines and Limitations
1412
Default Settings
1412
Configuring the Botnet Traffic Filter
1413
Task Flow for Configuring the Botnet Traffic Filter
1413
Configuring the Dynamic Database
1414
Adding Entries to the Static Database
1415
Enabling DNS Snooping
1416
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
1418
Blocking Botnet Traffic Manually
1421
Searching the Dynamic Database
1422
Monitoring the Botnet Traffic Filter
1423
Botnet Traffic Filter Syslog Messaging
1423
Botnet Traffic Filter Commands
1423
Configuration Examples for the Botnet Traffic Filter
1425
Recommended Configuration Example
1425
Other Configuration Examples
1426
Where to Go Next
1427
Feature History for the Botnet Traffic Filter
1428
Configuring Threat Detection
1429
Information About Threat Detection
1429
Licensing Requirements for Threat Detection
1429
Configuring Basic Threat Detection Statistics
1430
Information About Basic Threat Detection Statistics
1430
Guidelines and Limitations
1431
Default Settings
1431
Configuring Basic Threat Detection Statistics
1432
Monitoring Basic Threat Detection Statistics
1433
Feature History for Basic Threat Detection Statistics
1434
Configuring Advanced Threat Detection Statistics
1434
Information About Advanced Threat Detection Statistics
1434
Guidelines and Limitations
1434
Default Settings
1435
Configuring Advanced Threat Detection Statistics
1435
Monitoring Advanced Threat Detection Statistics
1437
Feature History for Advanced Threat Detection Statistics
1442
Configuring Scanning Threat Detection
1443
Information About Scanning Threat Detection
1443
Guidelines and Limitations
1444
Default Settings
1444
Configuring Scanning Threat Detection
1445
Monitoring Shunned Hosts, Attackers, and Targets
1445
Feature History for Scanning Threat Detection
1446
Configuration Examples for Threat Detection
1447
Using Protection Tools
1449
Preventing IP Spoofing
1449
Configuring the Fragment Size
1450
Blocking Unwanted Connections
1450
Configuring IP Audit for Basic IPS Support
1451
Configuring IP Audit
1451
IP Audit Signature List
1452
Configuring Filtering Services
1457
Information About Web Traffic Filtering
1457
Configuring ActiveX Filtering
1458
Information About ActiveX Filtering
1458
Licensing Requirements for ActiveX Filtering
1458
Guidelines and Limitations for ActiveX Filtering
1459
Configuring ActiveX Filtering
1459
Configuration Examples for ActiveX Filtering
1459
Feature History for ActiveX Filtering
1460
Configuring Java Applet Filtering
1460
Information About Java Applet Filtering
1460
Licensing Requirements for Java Applet Filtering
1460
Guidelines and Limitations for Java Applet Filtering
1461
Configuring Java Applet Filtering
1461
Configuration Examples for Java Applet Filtering
1461
Feature History for Java Applet Filtering
1462
Filtering URLs and FTP Requests with an External Server
1462
Information About URL Filtering
1462
Licensing Requirements for URL Filtering
1463
Guidelines and Limitations for URL Filtering
1463
Identifying the Filtering Server
1464
Configuring Additional URL Filtering Settings
1466
Buffering the Content Server Response
1466
Caching Server Addresses
1467
Filtering HTTP URLs
1467
Filtering HTTPS URLs
1469
Filtering FTP Requests
1470
Monitoring Filtering Statistics
1471
Feature History for URL Filtering
1473
Configuring Modules
1475
Configuring the ASA IPS Module
1477
Information About the ASA IPS module
1477
How the ASA IPS module Works with the ASA
1478
Operating Modes
1479
Using Virtual Sensors (ASA 5510 and Higher)
1479
Information About Management Access
1480
Licensing Requirements for the ASA IPS module
1481
Guidelines and Limitations
1481
Default Settings
1482
Configuring the ASA IPS module
1483
Task Flow for the ASA IPS Module
1483
Connecting the ASA IPS Management Interface
1484
ASA 5510, ASA 5520, ASA 5540, ASA 5580, ASA 5585-X (Physical Module)
1484
ASA 5512-X through ASA 5555-X (Software Module)
1485
ASA 5505
1486
Sessioning to the Module from the ASA
1487
(ASA 5512-X through ASA 5555-X) Booting the Software Module
1487
Configuring Basic IPS Module Network Settings
1488
(ASA 5510 and Higher) Configuring Basic Network Settings
1489
(ASA 5505) Configuring Basic Network Settings
1489
Configuring the Security Policy on the ASA IPS Module
1491
Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)
1492
Diverting Traffic to the ASA IPS module
1494
Managing the ASA IPS module
1497
Installing and Booting an Image on the Module
1497
Shutting Down the Module
1499
Uninstalling a Software Module Image
1499
Resetting the Password
1499
Reloading or Resetting the Module
1500
Monitoring the ASA IPS module
1501
Configuration Examples for the ASA IPS module
1502
Feature History for the ASA IPS module
1502
Configuring the ASA CX Module
1505
Information About the ASA CX Module
1505
How the ASA CX Module Works with the ASA
1506
Information About ASA CX Management
1506
Initial Configuration
1507
Policy Configuration and Management
1507
Information About Authentication Proxy
1507
Information About VPN and the ASA CX Module
1508
Compatibility with ASA Features
1508
Licensing Requirements for the ASA CX Module
1508
Guidelines and Limitations
1508
Default Settings
1509
Configuring the ASA CX Module
1509
Task Flow for the ASA CX Module
1510
Connecting the ASA CX Management Interface
1511
Configuring the ASA CX Management IP Address
1512
Configuring Basic ASA CX Settings at the ASA CX CLI
1512
Configuring the Security Policy on the ASA CX Module Using PRSM
1514
(Optional) Configuring the Authentication Proxy Port
1515
Redirecting Traffic to the ASA CX Module
1516
Managing the ASA CX Module
1517
Resetting the Password
1517
Reloading or Resetting the Module
1518
Shutting Down the Module
1519
Monitoring the ASA CX Module
1519
Showing Module Status
1519
Showing Module Statistics
1520
Monitoring Module Connections
1521
Capturing Module Traffic
1524
Troubleshooting the ASA CX Module
1524
Debugging the Module
1524
Problems with the Authentication Proxy
1525
Configuration Examples for the ASA CX Module
1526
Feature History for the ASA CX Module
1527
Configuring the ASA CSC Module
1529
Information About the CSC SSM
1529
Determining What Traffic to Scan
1531
Licensing Requirements for the CSC SSM
1533
Prerequisites for the CSC SSM
1533
Guidelines and Limitations
1534
Default Settings
1534
Configuring the CSC SSM
1535
Before Configuring the CSC SSM
1535
Connecting to the CSC SSM
1536
Diverting Traffic to the CSC SSM
1538
Monitoring the CSC SSM
1541
Troubleshooting the CSC Module
1542
Installing an Image on the Module
1542
Resetting the Password
1543
Reloading or Resetting the Module
1544
Shutting Down the Module
1545
Configuration Examples for the CSC SSM
1545
Additional References
1546
Feature History for the CSC SSM
1547
Configuring VPN
1549
Configuring IPsec and ISAKMP
1551
Information About Tunneling, IPsec, and ISAKMP
1551
IPsec Overview
1552
ISAKMP and IKE Overview
1552
Licensing Requirements for Remote Access IPsec VPNs
1553
Guidelines and Limitations
1557
Configuring ISAKMP
1558
Configuring IKEv1 and IKEv2 Policies
1558
Enabling IKE on the Outside Interface
1562
Disabling IKEv1 Aggressive Mode
1563
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
1563
Enabling IPsec over NAT-T
1564
Using NAT-T
1565
Enabling IPsec with IKEv1 over TCP
1565
Waiting for Active Sessions to Terminate Before Rebooting
1566
Alerting Peers Before Disconnecting
1566
Configuring Certificate Group Matching for IKEv1
1566
Creating a Certificate Group Matching Rule and Policy
1567
Using the Tunnel-group-map default-group Command
1568
Configuring IPsec
1568
Understanding IPsec Tunnels
1569
Understanding IKEv1 Transform Sets and IKEv2 Proposals
1569
Defining Crypto Maps
1569
Managing Public Key Infrastructure (PKI) Keys
1577
Configuring the Pool of Cryptographic Cores
1578
Applying Crypto Maps to Interfaces
1579
Using Interface Access Lists
1579
Changing IPsec SA Lifetimes
1581
Creating a Basic IPsec Configuration
1582
Using Dynamic Crypto Maps
1585
Providing Site-to-Site Redundancy
1587
Viewing an IPsec Configuration
1587
Clearing Security Associations
1588
Clearing Crypto Map Configurations
1589
Supporting the Nokia VPN Client
1589
Configuring L2TP over IPsec
1593
Information About L2TP over IPsec/IKEv1
1593
IPsec Transport and Tunnel Modes
1594
Licensing Requirements for L2TP over IPsec
1595
Prerequisites for Configuring L2TP over IPsec
1600
Guidelines and Limitations
1600
Configuring L2TP over IPsec
1601
Configuration Example for L2TP over IPsec Using ASA 8.2.5
1609
Configuration Example for L2TP over IPsec Using ASA 8.4.1 and later
1610
Feature History for L2TP over IPsec
1611
Setting General VPN Parameters
1613
Configuring VPNs in Single, Routed Mode
1613
Configuring IPsec to Bypass ACLs
1613
Permitting Intra-Interface Traffic (Hairpinning)
1614
NAT Considerations for Intra-Interface Traffic
1615
Setting Maximum Active IPsec or SSL VPN Sessions
1615
Using Client Update to Ensure Acceptable IPsec Client Revision Levels
1616
Implementing NAT-Assigned IP to Public IP Connection
1618
Displaying VPN NAT Policies
1619
Understanding Load Balancing
1619
Comparing Load Balancing to Failover
1620
Load Balancing
1620
Failover
1620
Implementing Load Balancing
1621
Prerequisites
1621
Eligible Platforms
1621
Eligible Clients
1621
VPN Load-Balancing Algorithm
1622
VPN Load-Balancing Cluster Configurations
1622
Some Typical Mixed Cluster Scenarios
1623
Scenario 1: Mixed Cluster with No SSL VPN Connections
1623
Scenario 2: Mixed Cluster Handling SSL VPN Connections
1623
Configuring Load Balancing
1624
Configuring the Public and Private Interfaces for Load Balancing
1624
Configuring the Load Balancing Cluster Attributes
1625
Enabling Redirection Using a Fully Qualified Domain Name
1626
Frequently Asked Questions About Load Balancing
1627
IP Address Pool Exhaustion
1627
Unique IP Address Pools
1628
Using Load Balancing and Failover on the Same Device
1628
Load Balancing on Multiple Interfaces
1628
Maximum Simultaneous Sessions for Load Balancing Clusters
1628
Viewing Load Balancing
1628
Configuring VPN Session Limits
1629
Using an Identity Certificate When Negotiating
1630
Configuring the Pool of Cryptographic Cores
1631
Viewing Active VPN Sessions
1632
Viewing Active AnyConnect Sessions by IP Address Type
1632
Viewing Active Clientless SSL VPN Sessions by IP Address Type
1633
Viewing Active LAN-to-LAN VPN Sessions by IP Address Type
1633
Configuring Connection Profiles, Group Policies, and Users
1635
Overview of Connection Profiles, Group Policies, and Users
1635
Connection Profiles
1636
General Connection Profile Connection Parameters
1637
IPsec Tunnel-Group Connection Parameters
1638
Connection Profile Connection Parameters for SSL VPN Sessions
1639
Configuring Connection Profiles
1640
Maximum Connection Profiles
1640
Default IPsec Remote Access Connection Profile Configuration
1641
Configuring IPsec Tunnel-Group General Attributes
1641
Configuring Remote-Access Connection Profiles
1642
Specifying a Name and Type for the Remote Access Connection Profile
1642
Configuring Remote-Access Connection Profile General Attributes
1642
Configuring Double Authentication
1646
Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes
1648
Configuring IPsec Remote-Access Connection Profile PPP Attributes
1650
Configuring LAN-to-LAN Connection Profiles
1651
Default LAN-to-LAN Connection Profile Configuration
1651
Specifying a Name and Type for a LAN-to-LAN Connection Profile
1651
Configuring LAN-to-LAN Connection Profile General Attributes
1651
Configuring LAN-to-LAN IPsec IKEv1 Attributes
1652
Configuring Connection Profiles for Clientless SSL VPN Sessions
1654
Configuring General Tunnel-Group Attributes for Clientless SSL VPN Sessions
1654
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions
1657
Customizing Login Windows for Users of Clientless SSL VPN Sessions
1661
Configuring Microsoft Active Directory Settings for Password Management
1662
Using Active Directory to Force the User to Change Password at Next Logon
1663
Using Active Directory to Specify Maximum Password Age
1664
Using Active Directory to Override an Account Disabled AAA Indicator
1665
Using Active Directory to Enforce Minimum Password Length
1666
Using Active Directory to Enforce Password Complexity
1667
Configuring the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client
1668
AnyConnect Client and RADIUS/SDI Server Interaction
1668
Configuring the Security Appliance to Support RADIUS/SDI Messages
1669
Group Policies
1670
Default Group Policy
1671
Group Policies
1673
Default Group Policy
1674
Configuring Group Policies
1676
Configuring an External Group Policy
1676
Creating an Internal Group Policy
1677
Configuring General Internal Group Policy Attributes
1678
Group Policy Name
1678
Configuring the Group Policy Banner Message
1678
Specifying Address Pools for Remote Access Connections
1678
Assigning an IPv4 Address Pool to an Internal Group Policy
1678
Assigning an IPv6 Address Pool to an Internal Group Policy
1679
Specifying the Tunneling Protocol for the Group Policy
1680
Specifying a VLAN for Remote Access or Applying a Unified Access Control Rule to the Group Policy
1681
Specifying a NAC Policy for a Group Policy
1683
Specifying VPN Access Hours for a Group Policy
1684
Specifying Simultaneous VPN Logins for a Group Policy
1684
Restricting Access to a Specific Connection Profile
1685
Specifying the Maximum VPN Connection Time in a Group Policy
1685
Specifying a VPN Session Idle Timeout for a Group Policy
1686
Configuring WINS and DNS Servers for a Group Policy
1687
Configuring Split-Tunneling Attributes for Group Policies
1688
Differences in Client Split Tunneling Behavior for Traffic within the Subnet
1688
Setting the Split-Tunneling Policy
1688
Specifying a Network List for Split-Tunneling
1689
Configuring Domain Attributes for Tunneling
1690
Setting Up a Split Exclusion Policy for Web Security
1692
Configuring Browser Proxy Settings for Use with Remote Access Clients
1693
Configuring Group Policy Attributes for AnyConnect Secure Mobility Client Connections
1695
Configuring Group Policy Attributes for IPsec (IKEv1) Clients
1698
Configuring Security Attributes for IPsec (IKEv1) Clients
1698
Configuring IPsec-UDP Attributes for IKEv1 Clients
1699
Configuring Attributes for VPN Hardware Clients
1700
Configuring Backup Server Attributes
1703
Configuring Network Admission Control Parameters
1704
Configuring VPN Client Firewall Policies
1708
Configuring AnyConnect Client Firewall Policies
1708
Supporting a Zone Labs Integrity Server
1709
Overview of the Integrity Server and ASA Interaction
1710
Configuring Integrity Server Support
1710
Setting Client Firewall Parameters
1712
Configuring Client Access Rules
1713
Configuring Group Policy Attributes for Clientless SSL VPN Sessions
1715
Configuring User Attributes
1723
Viewing the Username Configuration
1723
Configuring Attributes for Individual Users
1723
Setting a User Password and Privilege Level
1724
Configuring User Attributes
1724
Configuring VPN User Attributes
1724
Configuring Clientless SSL VPN Access for Specific Users
1729
Configuring IP Addresses for VPNs
1737
Configuring an IP Address Assignment Policy
1737
Configuring IPv4 Address Assignments at the Command Line
1738
Configuring IPv6 Address Assignments at the Command Line
1738
Viewing Address Assignment Methods
1739
Viewing IPv4 Address Assignments from the Command Line
1739
Viewing IPv6 Address Assignments from the Command Line
1739
Configuring Local IP Address Pools
1739
Configuring Local IPv4 Address Pools Using CLI
1740
Configuring Local IPv6 Address Pools Using CLI
1740
Configuring AAA Addressing
1741
Configuring DHCP Addressing
1742
Configuring DHCP Addressing Using the CLI
1742
Configuring Remote Access IPsec VPNs
1745
Information About Remote Access IPsec VPNs
1745
Licensing Requirements for Remote Access IPsec VPNs
1746
Guidelines and Limitations
1750
Configuring Remote Access IPsec VPNs
1751
Configuring Interfaces
1751
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
1752
Configuring an Address Pool
1754
Adding a User
1754
Creating an IKEv1 Transform Set or IKEv2 Proposal
1754
Defining a Tunnel Group
1755
Creating a Dynamic Crypto Map
1756
Creating a Crypto Map Entry to Use the Dynamic Crypto Map
1757
Saving the Security Appliance Configuration
1758
Configuration Examples for Remote Access IPsec VPNs
1758
Feature History for Remote Access VPNs
1759
Configuring Network Admission Control
1761
Information About Network Admission Control
1761
Licensing Requirements
1762
Prerequisites for NAC
1764
Guidelines and Limitations
1764
Viewing the NAC Policies on the Security Appliance
1765
Adding, Accessing, or Removing a NAC Policy
1767
Configuring a NAC Policy
1768
Specifying the Access Control Server Group
1768
Setting the Query-for-Posture-Changes Timer
1769
Setting the Revalidation Timer
1770
Configuring the Default ACL for NAC
1770
Configuring Exemptions from NAC
1771
Assigning a NAC Policy to a Group Policy
1773
Changing Global NAC Framework Settings
1773
Changing Clientless Authentication Settings
1773
Enabling and Disabling Clientless Authentication
1774
Changing the Login Credentials Used for Clientless Authentication
1774
Changing NAC Framework Session Attributes
1775
Configuring Easy VPN Services on the ASA 5505
1779
Specifying the Client/Server Role of the Cisco ASA 5505
1779
Specifying the Primary and Secondary Servers
1780
Specifying the Mode
1781
NEM with Multiple Interfaces
1781
Configuring Automatic Xauth Authentication
1782
Configuring IPsec Over TCP
1782
Comparing Tunneling Options
1783
Specifying the Tunnel Group or Trustpoint
1784
Specifying the Tunnel Group
1785
Specifying the Trustpoint
1785
Configuring Split Tunneling
1786
Configuring Device Pass-Through
1786
Configuring Remote Management
1787
Guidelines for Configuring the Easy VPN Server
1788
Group Policy and User Attributes Pushed to the Client
1788
Authentication Options
1790
Configuring the PPPoE Client
1791
PPPoE Client Overview
1791
Configuring the PPPoE Client Username and Password
1792
Enabling PPPoE
1793
Using PPPoE with a Fixed IP Address
1793
Monitoring and Debugging the PPPoE Client
1794
Clearing the Configuration
1795
Using Related Commands
1795
Configuring LAN-to-LAN IPsec VPNs
1797
Summary of the Configuration
1798
Configuring Site-to-Site VPN in Multi-Context Mode
1798
Configuring Interfaces
1799
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
1800
Configuring ISAKMP Policies for IKEv1 Connections
1800
Configuring ISAKMP Policies for IKEv2 Connections
1801
Creating an IKEv1 Transform Set
1802
Creating an IKEv2 Proposal
1803
Configuring an ACL
1803
Defining a Tunnel Group
1804
Creating a Crypto Map and Applying It to an Interface
1805
Applying Crypto Maps to Interfaces
1807
Configuring Clientless SSL VPN
1809
Information About Clientless SSL VPN
1809
Licensing Requirements
1810
Prerequisites for Clientless SSL VPN
1812
Guidelines and Limitations
1812
Observing Clientless SSL VPN Security Precautions
1813
Disabling URL Entry on the Portal Page
1814
Clientless SSL VPN Server Certificate Verification
1814
Using SSL to Access Internal Servers
1815
Using HTTPS for Clientless SSL VPN Sessions
1815
Configuring Clientless SSL VPN and ASDM Ports
1816
Configuring Support for Proxy Servers
1816
Configuring SSL/TLS Encryption Protocols
1819
Authenticating with Digital Certificates
1819
Configuring Application Profile Customization Framework
1819
Restrictions
1819
APCF Syntax
1820
Managing Passwords
1823
Using Single Sign-on with Clientless SSL VPN
1824
Configuring SSO with HTTP Basic or NTLM Authentication
1825
Configuring SSO Authentication Using SiteMinder
1826
Adding the Cisco Authentication Scheme to SiteMinder
1827
Configuring SSO Authentication Using SAML Browser Post Profile
1828
Configuring the SAML POST SSO Server
1830
Configuring SSO with the HTTP Form Protocol
1831
Gathering HTTP Form Data
1835
Configuring SSO for Plug-ins
1839
Configuring SSO with Macro Substitution
1839
Accessing Virtual Desktop Infrastructure (VDI)
1840
Encoding
1841
Creating and Applying Clientless SSL VPN Policies for Accessing Resources
1843
Assigning Users to Group Policies
1843
Configuring Connection Profile Attributes for Clientless SSL VPN
1843
Configuring Group Policy and User Attributes for Clientless SSL VPN
1844
Configuring Browser Access to Plug-ins
1845
Preparing the Security Appliance for a Plug-in
1847
Installing Plug-ins Redistributed By Cisco
1848
Providing Access to a Citrix XenApp Server
1850
Preparing the Citrix XenApp Server for Clientless SSL VPN Access
1850
Creating and Installing the Citrix Plug-in
1850
Viewing the Plug-ins Installed on the Security Appliance
1852
Microsoft Kerberos Constrained Delegation Solution
1852
Understanding How KCD Works
1853
Authentication Flow with KCD
1853
Before Configuring KCD
1855
Configuring KCD
1856
Showing KCD Status Information
1857
Showing Cached Kerberos Tickets
1857
Clearing Cached Kerberos Tickets
1859
Configuring Application Access
1859
Configuring Smart Tunnel Access
1859
About Smart Tunnels
1860
Why Smart Tunnels?
1860
Adding Applications to Be Eligible for Smart Tunnel Access
1862
About Smart Tunnel Lists
1862
Configuring and Applying Smart Tunnel Policy
1863
Configuring and Applying a Smart Tunnel Tunnel Policy
1864
Creating a Smart Tunnel Auto Sign-On Server List
1865
Adding Servers to a Smart Tunnel Auto Sign-on Server List
1867
Automating Smart Tunnel Access
1868
Enabling and Disabling Smart Tunnel Access
1869
Configuring Smart Tunnel Log Off
1870
When Its Parent Process Terminates
1870
With a Notification Icon
1871
Configuring Port Forwarding
1871
Information About Port Forwarding
1872
Configuring DNS for Port Forwarding
1873
Adding Applications to Be Eligible for Port Forwarding
1874
Assigning a Port Forwarding List
1876
Automating Port Forwarding
1876
Enabling and Disabling Port Forwarding
1877
Application Access User Notes
1878
Closing Application Access to Prevent hosts File Errors
1878
Recovering from hosts File Errors When Using Application Access
1878
Understanding the hosts File
1879
Stopping Application Access Improperly
1879
Reconfiguring the hosts File Automatically Using Clientless SSL VPN
1879
Reconfiguring hosts File Manually
1880
Configuring File Access
1881
CIFS File Access Requirement and Limitation
1882
Adding Support for File Access
1882
Ensuring Clock Accuracy for SharePoint Access
1884
Using Clientless SSL VPN with PDAs
1885
Using E-Mail over Clientless SSL VPN
1885
Configuring E-mail Proxies
1886
Configuring Web E-mail: MS Outlook Web App
1887
Configuring Portal Access Rules
1887
Optimizing Clientless SSL VPN Performance
1888
Configuring Caching
1888
Configuring Content Transformation
1889
Configuring a Certificate for Signing Rewritten Java Content
1889
Disabling Content Rewrite
1890
Using Proxy Bypass
1890
Clientless SSL VPN End User Setup
1891
Defining the End User Interface
1891
Viewing the Clientless SSL VPN Home Page
1892
Viewing the Clientless SSL VPN Application Access Panel
1892
Viewing the Floating Toolbar
1893
Customizing Clientless SSL VPN Pages
1894
Information About Customization
1894
Exporting a Customization Template
1895
Editing the Customization Template
1895
Importing a Customization Object
1901
Applying Customizations to Connection Profiles, Group Policies and Users
1901
Login Screen Advanced Customization
1903
Modifying Your HTML File
1905
Editing the Customization Object
1906
Configuring Browser Access to Client-Server Plug-ins
1907
About Installing Browser Plug-ins
1907
RDP Plug-in ActiveX Debug Quick Reference
1908
Preparing the Security Appliance for a Plug-in
1909
Configuring the ASA to Use the New HTML File
1909
Customizing Help
1911
Customizing a Help File Provided By Cisco
1911
Creating Help Files for Languages Not Provided by Cisco
1912
Importing a Help File to Flash Memory
1913
Exporting a Previously Imported Help File from Flash Memory
1913
Requiring Usernames and Passwords
1914
Communicating Security Tips
1914
Configuring Remote Systems to Use Clientless SSL VPN Features
1914
Starting Clientless SSL VPN
1915
Using the Clientless SSL VPN Floating Toolbar
1915
Browsing the Web
1916
Browsing the Network (File Management)
1916
Using the Remote File Explorer
1917
Using Port Forwarding
1918
Using E-mail Via Port Forwarding
1919
Using E-mail Via Web Access
1920
Using E-mail Via E-mail Proxy
1920
Using Smart Tunnel
1921
Translating the Language of User Messages
1921
Understanding Language Translation
1921
Creating Translation Tables
1922
Referencing the Language in a Customization Object
1924
Changing a Group Policy or User Attributes to Use the Customization Object
1926
Capturing Data
1927
Creating a Capture File
1927
Using a Browser to Display Capture Data
1927
Configuring AnyConnect VPN Client Connections
1929
Information About AnyConnect VPN Client Connections
1929
Licensing Requirements for AnyConnect Connections
1930
Guidelines and Limitations
1938
Remote PC System Requirements
1938
Remote HTTPS Certificates Limitation
1938
Configuring AnyConnect Connections
1938
Configuring the ASA to Web-Deploy the Client
1939
Enabling Permanent Client Installation
1940
Configuring DTLS
1941
Prompting Remote Users
1941
Enabling AnyConnect Client Profile Downloads
1942
Enabling AnyConnect Client Deferred Upgrade
1943
Enabling Additional AnyConnect Client Features
1945
Enabling Start Before Logon
1945
Translating Languages for AnyConnect User Messages
1946
Understanding Language Translation
1946
Creating Translation Tables
1946
Configuring Advanced AnyConnect SSL Features
1948
Enabling Rekey
1948
Enabling and Adjusting Dead Peer Detection
1949
Enabling Keepalive
1949
Using Compression
1950
Adjusting MTU Size
1951
Updating AnyConnect Client Images
1951
Enabling IPv6 VPN Access
1951
Monitoring AnyConnect Connections
1952
Logging Off AnyConnect VPN Sessions
1953
Configuration Examples for Enabling AnyConnect Connections
1954
Feature History for AnyConnect Connections
1955
Configuring AnyConnect Host Scan
1957
Host Scan Dependencies and System Requirements
1957
Dependencies
1957
System Requirements
1958
Licensing
1958
Host Scan Packaging
1958
Installing and Enabling Host Scan on the ASA
1959
Installing or Upgrading Host Scan
1959
Enabling or Disabling a Host Scan
1960
Viewing the Host Scan Version Enabled on the ASA
1960
Uninstalling Host Scan
1961
Assigning AnyConnect Feature Modules to Group Policies
1961
Other Important Documentation Addressing Host Scan
1963
Configuring Logging, SNMP, and Smart Call Home
1965
Configuring Logging
1967
Information About Logging
1967
Logging in Multiple Context Mode
1968
Analyzing Syslog Messages
1968
Syslog Message Format
1969
Severity Levels
1969
Message Classes and Range of Syslog IDs
1970
Filtering Syslog Messages
1970
Using Custom Message Lists
1970
Using Clustering
1971
Licensing Requirements for Logging
1971
Prerequisites for Logging
1971
Guidelines and Limitations
1971
Configuring Logging
1972
Enabling Logging
1973
Configuring an Output Destination
1973
Sending Syslog Messages to an External Syslog Server
1974
Sending Syslog Messages to the Internal Log Buffer
1975
Sending Syslog Messages to an E-mail Address
1976
Sending Syslog Messages to ASDM
1977
Sending Syslog Messages to the Console Port
1977
Sending Syslog Messages to an SNMP Server
1978
Sending Syslog Messages to a Telnet or SSH Session
1978
Creating a Custom Event List
1979
Generating Syslog Messages in EMBLEM Format to a Syslog Server
1980
Generating Syslog Messages in EMBLEM Format to Other Output Destinations
1980
Changing the Amount of Internal Flash Memory Available for Logs
1981
Configuring the Logging Queue
1981
Sending All Syslog Messages in a Class to a Specified Output Destination
1982
Enabling Secure Logging
1982
Including the Device ID in Non-EMBLEM Format Syslog Messages
1983
Including the Date and Time in Syslog Messages
1984
Disabling a Syslog Message
1984
Changing the Severity Level of a Syslog Message
1984
Limiting the Rate of Syslog Message Generation
1985
Monitoring the Logs
1985
Configuration Examples for Logging
1986
Feature History for Logging
1986
Configuring NetFlow Secure Event Logging (NSEL)
1989
Information About NSEL
1989
Using NSEL and Syslog Messages
1990
Using NSEL in Clustering
1991
Licensing Requirements for NSEL
1992
Prerequisites for NSEL
1992
Guidelines and Limitations
1992
Configuring NSEL
1993
Configuring NSEL Collectors
1993
Configuring Flow-Export Actions Through Modular Policy Framework
1993
Configuring Template Timeout Intervals
1995
Delaying Flow-Create Events
1995
Disabling and Reenabling NetFlow-related Syslog Messages
1996
Clearing Runtime Counters
1996
Monitoring NSEL
1997
NSEL Monitoring Commands
1997
Configuration Examples for NSEL
1998
Where to Go Next
1999
Additional References
1999
Related Documents
2000
RFCs
2000
Feature History for NSEL
2000
Configuring SNMP
2003
Information About SNMP
2003
Information About SNMP Terminology
2004
Information About MIBs and Traps
2005
SNMP Object Identifiers
2005
SNMP Physical Vendor Type Values
2007
Supported Tables in MIBs
2013
Supported Traps (Notifications)
2014
SNMP Version 3
2017
SNMP Version 3 Overview
2017
Security Models
2018
SNMP Groups
2018
SNMP Users
2018
SNMP Hosts
2018
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
2018
Licensing Requirements for SNMP
2019
Prerequisites for SNMP
2019
Guidelines and Limitations
2019
Configuring SNMP
2020
Enabling SNMP
2020
Configuring SNMP Traps
2022
Configuring a CPU Usage Threshold
2023
Configuring a Physical Interface Threshold
2023
Using SNMP Version 1 or 2c
2024
Using SNMP Version 3
2025
Troubleshooting Tips
2026
Interface Types and Examples
2027
Monitoring SNMP
2028
SNMP Syslog Messaging
2029
SNMP Monitoring
2029
Configuration Examples for SNMP
2030
Configuration Example for SNMP Versions 1 and 2c
2030
Configuration Example for SNMP Version 3
2030
Where to Go Next
2031
Additional References
2031
RFCs for SNMP Version 3
2031
MIBs
2031
Application Services and Third-Party Tools
2033
Feature History for SNMP
2033
Configuring Anonymous Reporting and Smart Call Home
2037
Information About Anonymous Reporting and Smart Call Home
2037
Information About Anonymous Reporting
2038
What is Sent to Cisco?
2038
DNS Requirement
2039
Anonymous Reporting and Smart Call Home Prompt
2039
Information About Smart Call Home
2040
Licensing Requirements for Anonymous Reporting and Smart Call Home
2040
Prerequisites for Smart Call Home and Anonymous Reporting
2041
Guidelines and Limitations
2041
Configuring Anonymous Reporting and Smart Call Home
2042
Configuring Anonymous Reporting
2042
Configuring Smart Call Home
2043
Enabling Smart Call Home
2043
Declaring and Authenticating a CA Trust Point
2044
Subscribing to Alert Groups
2045
Optional Configuration Procedures
2048
Monitoring Anonymous Reporting and Smart Call Home
2055
Configuration Example for Smart Call Home
2055
Feature History for Anonymous Reporting and Smart Call Home
2056
System Administration
2059
Managing Software and Configurations
2061
Managing Files
2069
Viewing Files in Flash Memory
2069
Deleting Files from Flash Memory
2070
Erasing the Flash File System
2070
Downloading a File
2071
Downloading a File to the Startup or Running Configuration
2072
Configuring the Images and Startup Configuration to Use
2073
Configuring the ASA and ASDM Images to Use
2073
Configuring the File to Boot as the Startup Configuration
2073
Using the ROM Monitor to Load an Image
2074
Using ROM Monitor for the ASA 5500 Series
2074
Using the ROM Monitor for the ASASM
2075
Backing Up Configurations or Other Files
2076
Backing up the Single Mode Configuration or Multiple Mode System Configuration
2077
Backing Up a Context Configuration or Other File in Flash Memory
2077
Backing Up a Context Configuration within a Context
2078
Copying the Configuration from the Terminal Display
2078
Backing Up Additional Files Using the Export and Import Commands
2078
Using a Script to Back Up and Restore Files
2079
Prerequisites
2079
Running the Script
2079
Sample Script
2080
Downgrading Your Software
2085
Information About Activation Key Compatibility
2085
Performing the Downgrade
2085
Configuring Auto Update
2086
Information About Auto Update
2086
Guidelines and Limitations
2087
Configuring Communication with an Auto Update Server
2087
Configuring Client Updates as an Auto Update Server
2089
Viewing Auto Update Status
2090
Troubleshooting
2091
Viewing Debugging Messages
2091
Capturing Packets
2092
Capturing Packets in a Clustering Environment
2094
Guidelines and Limitations
2095
Viewing the Crash Dump
2097
Viewing the Coredump
2097
Reference
2099
Using the Command-Line Interface
2101
Firewall Mode and Security Context Mode
2101
Command Modes and Prompts
2102
Syntax Formatting
2103
Abbreviating Commands
2103
Command-Line Editing
2103
Command Completion
2104
Command Help
2104
Filtering show Command Output
2104
Command Output Paging
2105
Adding Comments
2105
Text Configuration Files
2105
How Commands Correspond with Lines in the Text File
2106
Command-Specific Configuration Mode Commands
2106
Automatic Text Entries
2107
Line Order
2107
Commands Not Included in the Text Configuration
2107
Passwords
2107
Multiple Security Context Files
2107
Supported Character Sets
2108
Addresses, Protocols, and Ports
2109
IPv4 Addresses and Subnet Masks
2109
Classes
2109
Private Networks
2110
Subnet Masks
2110
Determining the Subnet Mask
2111
Determining the Address to Use with the Subnet Mask
2111
IPv6 Addresses
2113
IPv6 Address Format
2113
IPv6 Address Types
2114
Unicast Addresses
2114
Multicast Address
2116
Anycast Address
2117
Required Addresses
2118
IPv6 Address Prefixes
2118
Protocols and Applications
2119
TCP and UDP Ports
2119
Local Ports and Protocols
2122
ICMP Types
2123
Configuring an External Server for Authorization and Authentication
2125
Understanding Policy Enforcement of Permissions and Attributes
2125
Configuring an External LDAP Server
2126
Organizing the ASA for LDAP Operations
2127
Searching the LDAP Hierarchy
2127
Binding the ASA to the LDAP Server
2128
Defining the ASA LDAP Configuration
2129
Supported Cisco Attributes for LDAP Authorization
2129
Cisco AV Pair Attribute Syntax
2137
Cisco AV Pairs ACL Examples
2137
Active Directory/LDAP VPN Remote Access Authorization Examples
2139
User-Based Attributes Policy Enforcement
2140
Placing LDAP Users in a Specific Group Policy
2142
Enforcing Static IP Address Assignment for AnyConnect Tunnels
2144
Enforcing Dial-in Allow or Deny Access
2146
Enforcing Logon Hours and Time-of-Day Rules
2149
Configuring an External RADIUS Server
2150
Reviewing the RADIUS Configuration Procedure
2151
ASA RADIUS Authorization Attributes
2151
ASA IETF RADIUS Authorization Attributes
2161
RADIUS Accounting Disconnect Reason Codes
2161
Configuring an External TACACS+ Server
2162
Cisco ASA 5525-X Specifications
General
Maximum Concurrent Sessions: 500,000
Maximum VPN Peers: 750
Memory: 8 GB
Flash Memory: 8 GB
Power Supply: AC
Rack Units: 1U
Interfaces: 8 x 1 Gbps (RJ-45/SFP)