Cisco FirePOWER ASA 5500 series

To Next Page

To Previous Page

16-4

Cisco Security Appliance Command Line Configuration Guide

OL-10088-01

Chapter 16 Identifying Traffic with Access Lists

Access List Overview

If you want to allow an outside host to access an inside host, you can apply an inbound access list on the

outside interface. You need to specify the translated address of the inside host in the access list because

that address is the address that can be used on the outside network (see Figure 16-2).

Figure 16-2 IP Addresses in Access Lists: NAT used for Destination Addresses

See the following commands for this example:

hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host

209.165.201.5

hostname(config)# access-group OUTSIDE in interface outside

209.165.200.225

Inside

Outside

Static NAT

209.165.201.510.1.1.34

ACL

Permit from 209.165.200.225 to 209.165.201.5

104636

Main Page

Default Chapter4
- Table of Contents4
- About this Guide33
- Related Documentation34
- Document Conventions37
- Documentation Feedback38
- Intrusion Prevention Services Functional Overview49
- Security Context Overview50
Chapter 2 Getting Started51
- Getting Started with Your Platform Model51
- Factory Default Configurations51
- Accessing the Command-Line Interface54
- Setting Transparent or Routed Firewall Mode55
- Working with the Configuration56
Chapter 3 Enabling Multiple Context Mode62
- Security Context Overview62
- Enabling or Disabling Multiple Context Mode70
Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance73
- Interface Overview73
- Configuring VLAN Interfaces77
- Configuring Switch Ports as Access Ports81
- Configuring a Switch Port as a Trunk Port83
- Allowing Communication between VLAN Interfaces on the same Security Level85
Chapter 5 Configuring Ethernet Settings and Subinterfaces87
- Configuring and Enabling RJ-45 Interfaces87
- Configuring and Enabling Fiber Interfaces88
- Configuring and Enabling Subinterfaces89
Chapter 6 Adding and Managing Security Contexts92
- Configuring Resource Management92
- Configuring a Security Context97
- Automatically Assigning MAC Addresses to Context Interfaces101
- Changing between Contexts and the System Execution Space101
- Managing Security Contexts102
Chapter 7 Configuring Interface Parameters113
- Security Level Overview113
- Configuring the Interface114
- Allowing Communication between Interfaces on the same Security Level118
- Changing the Login Password119
- Changing the Enable Password119
- Setting the Hostname120
- Setting the Domain Name120
- Setting the Date and Time120
Chapter 8 Configuring Basic Setting120
- Setting the Time Zone and Daylight Saving Time Date Range121
- Setting the Date and Time Using an NTP Server122
- Setting the Date and Time Manually122
- Setting the Management IP Address for a Transparent Firewall123
Chapter 9 Configuring IP Routing125
- Configuring Static and Default Routes125
- Defining Route Maps130
- Configuring OSPF131
- Configuring RIP143
- The Routing Table146
CHAPTER 10 Configuring DHCP, DDNS, and WCCP Services151
- Configuring a DHCP Server151
- Configuring DHCP Relay Services155
- Configuring Dynamic DNS156
- Configuring Web Cache Services Using WCCP159
Configuring Multicast Routing163
- Multicast Routing Overview163
- Enabling Multicast Routing164
- Configuring Stub Multicast Routing167
- Configuring a Static Multicast Route167
  - Disabling PIM on an Interface168
- Configuring PIM Features168
- For more Information about Multicast Routing171
Chapter 12 Configuring Ipv6173
- Ipv6-Enabled Commands173
- Verifying the Ipv6 Configuration183
  - The Show Ipv6 Interface Command183
  - The Show Ipv6 Route Command184
Configuring AAA Servers and the Local Database185
- AAA Overview185
- AAA Server and Local Database Support186
- Configuring the Local Database194
- Identifying AAA Server Groups and Servers196
- Using Certificates and User Login Credentials199
  - Using User Login Credentials199
  - Using Certificates200
- Supporting a Zone Labs Integrity Server200
  - Overview of Integrity Server and Security Appliance Interaction201
  - Configuring Integrity Server Support201
- Understanding Failover203
Chapter 14 Configuring Failover204
- The Failover and Stateful Failover Links205
  - Stateful Failover Link207
- Active/Active and Active/Standby Failover208
  - Active/Active Failover211
  - Determining Which Type of Failover to Use216
- Failover Health Monitoring217
  - Interface Monitoring218
- Failover Feature/Platform Matrix219
- Failover Configuration Limitations220
  - Configuring LAN-Based Active/Standby Failover222
  - Configuring Optional Active/Standby Failover Settings225
- Configuring Active/Active Failover228
  - Configuring LAN-Based Active/Active Failover230
  - Configuring Optional Active/Active Failover Settings234
- Configuring Unit Health Monitoring238
- Verifying the Failover Configuration239
  - Viewing Monitored Interfaces247
  - Testing the Failover Functionality248
- Disabling Failover249
  - Failover System Messages250
- Routed Mode Overview253
Chapter 15 Firewall Mode Overview254
- An Inside User Visits a Web Server255
- An Outside User Visits a Web Server on the DMZ256
- An Inside User Visits a Web Server on the DMZ257
- An Outside User Attempts to Access an Inside Host258
- A DMZ User Attempts to Access an Inside Host259
- Transparent Firewall Network260
- MAC Address Lookups261
- Unsupported Features in Transparent Mode262
- How Data Moves through the Transparent Firewall263
CHAPTER 16 Identifying Traffic with Access Lists269
- Access List Overview269
  - Access List Types270
  - C H a P T E R 16 Identifying Traffic with Access Lists271
- Adding an Extended Access List273
  - Allowing Special IP Traffic through the Transparent Firewall274
- Adding an Ethertype Access List276
- Adding a Standard Access List277
- Adding a Webtype Access List278
- Scheduling Extended Access List Activation285
- NAT Overview291
  - Introduction to NAT292
Chapter 17 Applying NAT293
- NAT Types295
  - Static NAT297
  - Bypassing NAT When NAT Control Is Enabled299
- NAT and same Security Level Interfaces302
- Order of NAT Commands Used to Match Real Addresses303
- Configuring NAT Control305
- Using Dynamic NAT and PAT306
  - Configuring Dynamic NAT or PAT312
- Using Static NAT315
- Using Static PAT316
- Bypassing NAT318
  - Configuring Static Identity NAT319
  - Configuring NAT Exemption321
- NAT Examples322
CHAPTER 18 Permitting or Denying Network Access331
- Applying an Access List to an Interface331
- AAA Performance333
Chapter 19 Applying AAA for Network Acces334
- Static PAT and HTTP335
- Enabling Secure Authentication of Web Clients337
- Configuring RADIUS Authorization339
  - Configuring a RADIUS Server to Download Per-User Access Control List Names343
- Configuring Accounting for Network Access344
- Using MAC Addresses to Exempt Traffic from Authentication and Authorization345
CHAPTER 20 Applying Filtering Services 20-1347
- Filtering Overview347
- C H a P T E R 20 Applying Filtering Services348
- Filtering Java Applets349
- Viewing Filtering Statistics and Configuration355
  - Viewing Buffer Configuration and Statistics356
  - Viewing Caching Statistics357
- Modular Policy Framework Overview359
Chapter 21 Using Modular Policy Framework360
- Creating a Layer 3/4 Class Map for through Traffic361
- Creating a Layer 3/4 Class Map for Management Traffic363
- Creating a Regular Expression364
- Creating a Regular Expression Class Map366
- Identifying Traffic in an Inspection Class Map367
- Defining Actions in an Inspection Policy Map368
- Defining Actions Using a Layer 3/4 Policy Map371
  - Default Layer 3/4 Policy Map372
  - Adding a Layer 3/4 Policy Map373
- Applying a Layer 3/4 Policy to an Interface Using a Service Policy375
- Managing the AIP SSM379
Chapter 22 Managing AIP SSM and CSC SSM380
- Sessioning to the AIP SSM and Running Setup382
- Managing the CSC SSM383
- Checking SSM Status391
- Transferring an Image Onto an SSM392
- Configuring TCP Normalization395
Chapter 23 Preventing Network Attack396
- Configuring Connection Limits and Timeouts398
- Preventing IP Spoofing399
- Configuring the Fragment Size400
- Configuring IP Audit for Basic IPS Support401
- Overview403
Chapter 24 Applying Qo Policie404
- Identifying Traffic for Qos406
- Defining a Qos Policy Map407
- Applying Rate Limiting408
- Activating the Service Policy409
- Applying Low Latency Queueing410
  - Reducing Queue Latency411
- Viewing Qos Configuration414
  - Viewing Qos Policy Map Configuration415
- Viewing Qos Statistics416
CHAPTER 25 Configuring Application Layer Protocol Inspection423
- Configuring Application Inspection423
- CTIQBE Inspection427
- Limitations and Restrictions428
- DCERPC Inspection429
  - Configuring a DCERPC Inspection Policy Map for Additional Inspection Control430
- DNS Inspection431
- ESMTP Inspection442
- FTP Inspection443
- GTP Inspection449
  - Configuring a GTP Inspection Policy Map for Additional Inspection Control450
  - Verifying and Monitoring GTP Inspection454
- H.323 Inspection455
- Instant Messaging Inspection465
  - IM Inspection Overview466
- ICMP Inspection469
- MGCP Inspection470
Configuring ARP Inspection495
- C H a P T E R 26 Configuring ARP Inspection and Bridging Parameters496
- Customizing the MAC Address Table497
- Setting the MAC Address Timeout498
- Tunneling Overview503
Chapter 27 Configuring Ipsec and ISAKMP504
- Configuring ISAKMP Policies507
- Enabling ISAKMP on the Outside Interface508
- Enabling Ipsec over NAT-T509
- Enabling Ipsec over TCP510
- Waiting for Active Sessions to Terminate before Rebooting511
- Creating a Certificate Group Matching Rule and Policy512
- Using the Tunnel-Group-Map Default-Group Command513
- Understanding Transform Sets514
- Applying Crypto Maps to Interfaces522
- Changing Ipsec SA Lifetimes524
- Using Dynamic Crypto Maps526
- Providing Site-To-Site Redundancy528
- Clearing Security Associations529
- Supporting the Nokia VPN Client530
  - L2TP Overview533
    - Ipsec Transport and Tunnel Modes534
Chapter 28 Configuring L2TP over Ipsec535
- Tunnel Group Switching537
- Using L2TP Debug Commands539
- Enabling Ipsec Debug540
CHAPTER 29 Setting General Ipsec VPN Parameters 29-1543
- Configuring Vpns in Single, Routed Mode543
  - C H a P T E R 29 Setting General Ipsec VPN Parameters544
  - NAT Considerations for Intra-Interface Traffic545
- Understanding Load Balancing547
- Configuring Load Balancing551
Configuring Tunnel Groups559
- Configuring Ipsec Tunnel-Group General Attributes560
  - Configuring Ipsec Remote-Access Tunnel Group Ipsec Attributes564
  - Configuring Ipsec Remote-Access Tunnel Group PPP Attributes566
- Configuring LAN-To-LAN Tunnel Groups567
  - Configuring LAN-To-LAN Tunnel Group General Attributes568
- Configuring Webvpn Tunnel Groups570
  - Configuring Webvpn Tunnel-Group General Attributes571
  - Configuring Webvpn Tunnel-Group Webvpn Attributes574
- Customizing Login Windows for Webvpn Users577
- Configuring Microsoft Active Directory Settings for Password Management578
- Group Policies584
- Configuring User Attributes625
  - Configuring Webvpn for Specific Users629
- Configuring an IP Address Assignment Method643
Chapter 31 Configuring IP Addresse for VPN644
- Configuring DHCP Addressing645
CHAPTER 36 Configuring LAN-To-LAN Ipsec Vpns 36-1647
- Summary of the Configuration647
- C H a P T E R 32 Configuring Remote Access Ipsec Vpns648
- Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface649
CHAPTER 32 Configuring Remote Access Ipsec Vpns650
- Configuring an Address Pool650
- Defining a Tunnel Group651
- Creating a Dynamic Crypto Map652
- Creating a Crypto Map Entry to Use the Dynamic Crypto Map653
CHAPTER 33 Configuring Network Admission Control655
- Uses, Requirements, and Limitations655
- Changing Advanced Settings659
CHAPTER 34 Configuring Easy VPN Services on the ASA 5505666
- Specifying the Client/Server Role of the Cisco ASA 5505666
- Specifying the Primary and Secondary Servers667
- Configuring Automatic Xauth Authentication668
- Comparing Tunneling Options669
- Specifying the Tunnel Group or Trustpoint670
  - Specifying the Trustpoint671
- Configuring Split Tunneling672
- Configuring Remote Management673
  - Group Policy and User Attributes Pushed to the Client674
  - Authentication Options676
- Pppoe Client Overview677
Chapter 35 Configuring the Pppoe Client678
- Enabling Pppoe679
- Monitoring and Debugging the Pppoe Client680
- Clearing the Configuration681
  - Summary of the Configuration683
  - C H a P T E R 36 Configuring LAN-To-LAN Ipsec Vpns684
- Creating a Transform Set686
- Defining a Tunnel Group687
- Creating a Crypto Map and Applying It to an Interface688
  - Applying Crypto Maps to Interfaces689
- Getting Started with Webvpn691
Chapter 37 Configuring Webvpn692
- Using SSL to Access the Central Site693
  - Setting Webvpn HTTP/HTTPS Proxy694
- Enabling Cookies on Browsers for Webvpn695
- Authenticating with Digital Certificates704
- Creating Port Forwarding, URL, and Access Lists in Global Configuration Mode705
- Configuring Webvpn Tunnel Group Attributes706
- Configuring Application Access707
  - Recovering from Hosts File Errors When Using Application Access708
    - Stopping Application Access Improperly709
- Configuring File Access711
- Configuring Access to Citrix Metaframe Services713
- Using Webvpn with Pdas714
- Using E-Mail over Webvpn715
  - E-Mail Proxy Certificate Authentication716
- Optimizing Webvpn Performance717
- Capturing Webvpn Data739
  - Creating a Capture File740
- Installing SVC743
Chapter 38 Configuring SSL VPN Client744
- Enabling SVC745
- Enabling Permanent SVC Installation746
- Enabling Rekey747
- Enabling Keepalive748
- Viewing SVC Sessions749
- Logging off SVC Sessions750
CHAPTER 39 Configuring Certificates 39-1751
- Public Key Cryptography751
- Allowing Telnet Access769
Chapter 40 Managing System Acces770
- Using an SSH Client771
- Configuring AAA for System Administrators772
- Configuring a Login Banner784
CHAPTER 41 Managing Software, Licenses, and Configurations785
- Managing Licenses785
- C H a P T E R 41 Managing Software, Licenses, and Configurations786
- Downloading Software or Configuration Files to Flash Memory787
  - Downloading a File to the Startup or Running Configuration788
- Configuring the Application Image and ASDM Image to Boot789
- Performing Zero Downtime Upgrades for Failover Pairs790
  - Upgrading and Active/Active Failover Configuration791
- Backing up Configuration Files792
CHAPTER 42 Monitoring the Security Appliance799
- Using SNMP799
  - C H a P T E R 42 Monitoring the Security Appliance800
  - Enabling SNMP801
- Configuring and Managing Logs803
CHAPTER 43 Troubleshooting the Security Appliance823
- Testing Your Configuration823
- Other Troubleshooting Tools832
APPENDIX A Feature Licenses and Specifications837
- Supported Platforms and Feature Licenses837
- A P P E N D I X a Feature Licenses and Specifications838
- Security Services Module Support845
- VPN Specifications846
  - Cisco VPN Client Support847
  - Cryptographic Standards848
- Example 1: Multiple Mode Firewall with Outside Access849
Appendix B Sample Configuration850
- Example 1: Admin Context Configuration852
- Example 1: Customer C Context Configuration853
- Example 2: Single Mode Firewall Using same Security Level854
- Example 3: Shared Resources for Multiple Contexts856
  - Example 3: System Configuration857
    - Example 3: Department 1 Context Configuration858
    - Example 3: Department 2 Context Configuration859
- Example 4: Multiple Mode, Transparent Firewall with Outside Access860
- Example 6: Ipv6 Configuration866
- Example 7: Cable-Based Active/Standby Failover (Routed Mode)868
- Example 8: LAN-Based Active/Standby Failover (Routed Mode)869
  - Example 8: Secondary Unit Configuration870
  - Example 9: Primary Unit Configuration871
    - Example 9: Primary Admin Context Configuration872
    - Example 9: Primary Ctx1 Context Configuration873
- Example 10: Cable-Based Active/Standby Failover (Transparent Mode)874
- Example 11: LAN-Based Active/Standby Failover (Transparent Mode)876
  - Example 11: Secondary Unit Configuration877
- Example 12: LAN-Based Active/Active Failover (Transparent Mode)878
  - Example 12: Primary System Configuration879
  - Example 12: Primary Ctx1 Context Configuration880
- Example 14: Dual ISP Support Using Static Route Tracking881
- Example 14: ASA 5505 Base License882
- Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup884
APPENDIX E Configuring an External Server for Authorization and Authentication911
- Selecting LDAP, RADIUS, or Local Authentication and Authorization911
- A P P E N D I X E Configuring an External Server for Authorization and Authentication912
- Reviewing the LDAP Directory Structure and Configuration Procedure913
- Searching the Hierarchy914
- Binding the Security Appliance to the LDAP Server915
- Cisco -AV-Pair Attribute Syntax924
- Example Security Appliance Authorization Schema925
- Loading the Schema in the LDAP Server928
- Reviewing Examples of Active Directory Configurations929
- Example 2: Configuring LDAP Authentication with Microsoft Active Directory930
- Example 3: LDAP Authentication and LDAP Authorization with Microsoft Active Directory932
- Configuring an External RADIUS Server934
- Security Appliance RADIUS Authorization Attributes935

Cisco FirePOWER ASA 5500 series

Table of Contents

Related product manuals