Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

ASDM User Guide: Version 5.2 (1) May 2006

Download as pdf or txt
Download as pdf or txt
You are on page 1of 894

ASDM User Guide

Version 5.2(1) May 2006

Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

Text Part Number: OL-10106-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and Quick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. ASDM User Guide 2006 Cisco Systems, Inc. All rights reserved.

C ON T E N T S
Preface
xxix xxix xxix

Related Documentation Document Conventions

Obtaining Documentation xxx Cisco.com xxx Product Documentation DVD xxx Ordering Documentation xxxi Documentation Feedback
xxxi

Cisco Product Security Overview xxxi Reporting Security Problems in Cisco Products

xxxii

Obtaining Technical Assistance xxxii Cisco Technical Support & Documentation Website Submitting a Service Request xxxiii Definitions of Service Request Severity xxxiii Obtaining Additional Publications and Information
1
xxxiv

xxxii

CHAPTER

Welcome to ASDM Important Notes

1-1 1-1 1-2

New in This Release

Unsupported Commands 1-2 Ignored and View-Only Commands Effects of Unsupported Commands Other CLI Limitations 1-4 About the ASDM Window 1-4 Menus 1-4 File Menu 1-4 Options Menu 1-7 Tools Menu 1-9 Wizards Menu 1-19 Help Menu 1-19 Toolbar 1-20 Status Bar 1-21 Connection to Device 1-21 Buttons That Appear on Many Panels

1-2 1-3

1-21
ASDM User Guide

OL-10106-01

iii

Contents

About the Help Window 1-22 Header Buttons 1-22 Notes 1-22 Home Page 1-22 Home 1-23 Home > Content Security Tab
2

1-24

CHAPTER

Before You Start

2-1

Factory Default Configurations 2-1 Restoring the Factory Default Configuration ASA 5505 Default Configuration 2-2 ASA 5510 and Higher Default Configuration PIX 515/515E Default Configuration 2-4

2-2

2-3

Configuring the Security Appliance for ASDM Access Setting Transparent or Routed Firewall Mode at the CLI Downloading the ASDM Launcher
2-6

2-4 2-5

Starting ASDM 2-6 Starting ASDM from the ASDM Launcher 2-6 Using ASDM in Demo Mode 2-7 Starting ASDM from a Web Browser 2-8 History Metrics
2-9 2-9

Configuration Overview
3

CHAPTER

Using the Startup Wizard

3-1

Startup Wizard 3-1 Starting Point 3-3 Basic Configuration 3-4 Outside Interface Configuration 3-5 Internet (Outside) VLAN Configuration 3-7 Outside Interface Configuration - PPPoE 3-8 Internet (Outside) VLAN Configuration - PPPoE Inside Interface Configuration 3-11 Business (Inside) VLAN Configuration 3-12 DMZ Interface Configuration 3-14 Home (DMZ) VLAN Configuration 3-15 Switch Port Allocation 3-17 General Interface Configuration 3-18 Static Routes 3-19

3-10

ASDM User Guide

iv

OL-10106-01

Contents

Add/Edit Static Routes 3-19 Route Monitoring Options 3-19 Auto Update Server 3-19 DHCP Server 3-20 Address Translation (NAT/PAT) 3-22 Administrative Access 3-23 Add/Edit Administrative Access Entry 3-24 Easy VPN Remote Configuration 3-25 Management IP Address Configuration 3-28 Other Interfaces Configuration 3-28 Edit Interface 3-29 Startup Wizard Summary 3-30
4

CHAPTER

Configuring Interfaces

4-1 4-1

Security Level Overview

Configuring the Interfaces 4-2 Interfaces (System) 4-2 Add/Edit Interface 4-3 Hardware Properties 4-4 Interfaces (Single Mode and Context) 4-5 Add/Edit Interface > General 4-7 Add/Edit Interface > Advanced 4-9 PPPoE IP Address and Route Settings 4-10 Hardware Properties 4-11
5

CHAPTER

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance 5-13 Interface Overview 5-13 Understanding ASA 5505 Ports and Interfaces 5-14 Maximum Active VLAN Interfaces for Your License 5-14 Default Interface Configuration 5-15 VLAN MAC Addresses 5-16 Power Over Ethernet 5-16 Security Level Overview 5-16 Configuring VLAN Interfaces 5-17 Interfaces > Interfaces 5-17 Add/Edit Interface > General 5-19 Add/Edit Interface > Advanced 5-22 Configuring Switch Ports
5-23

ASDM User Guide OL-10106-01

Contents

Interfaces > Switch Ports Edit Switch Port 5-24


6

5-23

CHAPTER

Global Objects

6-1

Configuring Network Object Groups 6-1 Network Object Groups 6-1 Add/Edit Network Object Group 6-2 Browse Address 6-3 Configuring IP Names 6-4 IP Names 6-4 Add/Edit IP Name 6-5 Configuring Service Groups 6-5 Service Groups 6-6 Add/Edit Service Group 6-7 Browse Service Groups 6-7 Configuring Class Maps 6-8 DNS Class Map 6-8 Add/Edit DNS Traffic Class Map 6-9 Add/Edit DNS Match Criterion 6-10 Manage Regular Expressions 6-11 Manage Regular Expression Class Maps FTP Class Map 6-13 Add/Edit FTP Traffic Class Map 6-13 Add/Edit FTP Match Criterion 6-14 H.323 Class Map 6-16 Add/Edit H.323 Traffic Class Map 6-16 Add/Edit H.323 Match Criterion 6-17 HTTP Class Map 6-18 Add/Edit HTTP Traffic Class Map 6-19 Add/Edit HTTP Match Criterion 6-19 IM Class Map 6-23 Add/Edit IM Traffic Class Map 6-24 Add/Edit IM Match Criterion 6-24 SIP Class Map 6-26 Add/Edit SIP Traffic Class Map 6-27 Add/Edit SIP Match Criterion 6-28 Configuring Inspect Maps 6-30 DCERPC Inspect Map 6-32 Customize Security Level 6-33
ASDM User Guide

6-12

vi

OL-10106-01

Contents

DCERPC Inspect Map Basic/Advanced Viewl 6-34 DNS Inspect Map 6-35 Customize Security Level 6-36 DNS Inspect Map Basic View 6-37 DNS Inspect Map Advanced View 6-38 Add/Edit DNS Inspect 6-40 Manage Class Maps 6-41 ESMTP Inspect Map 6-42 Customize Security Level 6-43 MIME File Type Filtering 6-45 ESMTP Inspect Map Basic View 6-45 ESMTP Inspect Map Advanced View 6-46 Add/Edit ESMTP Inspect 6-47 FTP Inspect Map 6-51 Customize Security Level 6-52 File Type Filtering 6-52 FTP Inspect Map Basic View 6-53 FTP Inspect Map Advanced View 6-53 Add/Edit FTP Map 6-54 GTP Inspect Map 6-56 Customize Security Level 6-57 IMSI Prefix Filtering 6-58 GTP Inspect Map Basic View 6-59 GTP Inspect Map Advanced View 6-60 Add/Edit GTP Map 6-61 H.323 Inspect Map 6-63 Customize Security Level 6-64 Phone Number Filtering 6-65 H.323 Inspect Map Basic View 6-65 H.323 Inspect Map Advanced View 6-66 Add/Edit HSI Group 6-67 Add/Edit H.323 Map 6-68 HTTP Inspect Map 6-69 Customize Security Level 6-70 URI Filtering 6-71 HTTP Inspect Map Basic View 6-72 HTTP Inspect Map Advanced View 6-72 Add/Edit HTTP Map 6-73 Instant Messaging (IM) Inspect Map 6-77 Instant Messaging (IM) Inspect Map View 6-78
ASDM User Guide OL-10106-01

vii

Contents

Add/Edit IM Map 6-79 IPSec Pass Through Inspect Map 6-81 Customize Security Level 6-82 IPSec Pass Through Inspect Map Basic View 6-83 IPSec Pass Through Inspect Map Advanced View 6-84 MGCP Inspect Map 6-84 Gateways and Call Agents 6-85 MGCP Inspect Map View 6-86 Add/Edit MGCP Group 6-87 NetBIOS Inspect Map 6-88 NetBIOS Inspect Map View 6-88 RADIUS Inspect Map 6-89 RADIUS Inspect Map Host 6-89 RADIUS Inspect Map Other 6-90 SCCP (Skinny) Inspect Map 6-91 Customize Security Level 6-92 Message ID Filtering 6-93 SCCP (Skinny) Inspect Map Basic View 6-94 SCCP (Skinny) Inspect Map Advanced View 6-94 Add/Edit Message ID Filter 6-95 SIP Inspect Map 6-96 Customize Security Level 6-98 SIP Inspect Map Basic View 6-99 SIP Inspect Map Advanced View 6-99 Add/Edit SIP Inspect 6-101 SNMP Inspect Map 6-103 Add/Edit SNMP Map 6-104 Configuring Regular Expressions 6-104 Regular Expressions 6-104 Add/Edit Regular Expression 6-105 Build Regular Expression 6-107 Test Regular Expression 6-109 Add/Edit Regular Expression Class Map TCP Maps 6-110 Add/Edit TCP Map
6-111

6-110

Configuring Time Ranges 6-112 Add/Edit Time Range 6-113 Add/Edit Periodic Time Range

6-114

ASDM User Guide

viii

OL-10106-01

Contents

CHAPTER

Configuring Security Contexts

7-1

Security Context Overview 7-1 Common Uses for Security Contexts 7-2 Unsupported Features 7-2 Context Configuration Files 7-2 How the Security Appliance Classifies Packets 7-2 Valid Classifier Criteria 7-3 Invalid Classifier Criteria 7-4 Classification Examples 7-4 Cascading Security Contexts 7-7 Management Access to Security Contexts 7-8 System Administrator Access 7-8 Context Administrator Access 7-9 Enabling or Disabling Multiple Context Mode at the CLI Backing Up the Single Mode Configuration 7-9 Enabling Multiple Context Mode 7-9 Restoring Single Context Mode 7-10 Configuring Resource Classes 7-10 Classes and Class Members Overview Resource Limits 7-11 Default Class 7-12 Class Members 7-13 Adding a Resource Class 7-13 Resource Class 7-13 Add/Edit Resource Class 7-14 Configuring Security Contexts 7-16 Security Contexts 7-16 Add/Edit Context 7-18 Add/Edit Interface Allocation 7-18
8
7-10 7-9

CHAPTER

Configuring Device Properties Management IP


8-1

8-1

Device Administration 8-2 Banner 8-2 Boot Image/Configuration 8-3 Add Boot Image 8-4 Clock 8-4 Console 8-5 Device 8-5
ASDM User Guide OL-10106-01

ix

Contents

FTP Mode 8-6 ICMP Rules 8-7 Add/Edit ICMP Rule 8-8 Management Access 8-9 NTP 8-10 Add/Edit NTP Server Configuration 8-11 Password 8-12 Secure Copy 8-13 SMTP 8-13 SNMP 8-14 Add/Edit SNMP Host Access Entry 8-17 SNMP Trap Configuration 8-18 TFTP Server 8-19 User Accounts 8-21 Add/Edit User Account > Identity Tab 8-22 Add/Edit User Account > VPN Policy Tab 8-23 Add/Edit User Account > WebVPN Tab 8-25 Auto Update 8-29 Set Polling Schedule 8-31 Add/Edit Auto Update Server 8-31 Advanced Auto Update Settings 8-32 Client Update 8-32 Add/Edit Client Update
8-34 8-34

CHAPTER

DHCP and DNS Services

9-1

DHCP Relay 9-1 Edit DHCP Relay Agent Settings 9-2 DHCP Relay - Add/Edit DHCP Server 9-3 DHCP Server 9-4 Edit DHCP Server 9-6 Advanced DHCP Options

9-7

DNS Client 9-9 Add/Edit DNS Server Group

9-9

Dynamic DNS 9-10 Add/Edit Dynamic DNS Update Methods 9-11 Add/Edit Dynamic DNS Interface Settings 9-12

ASDM User Guide

OL-10106-01

Contents

CHAPTER

10

Configuring AAA Servers

10-1

Understanding AAA 10-1 AAA Overview 10-1 Preparing for AAA 10-2 LOCAL Database 10-3 AAA Implementation in ASDM 10-3 AAA for Device Administration 10-3 AAA for Network Access 10-4 AAA for VPN Access 10-4 AAA Setup 10-4 AAA Server Groups 10-4 Add/Edit AAA Server Group 10-6 Edit AAA Local Server Group 10-7 Add/Edit AAA Server 10-7 Test AAA Server 10-12 Auth. Prompt 10-13 LDAP Attribute Map 10-14 Add/Edit LDAP Attribute Map 10-14
11

CHAPTER

Configuring Device Access

11-1

AAA Access 11-1 Authentication Tab 11-1 Authorization Tab 11-2 Command Privileges Setup 11-3 Predefined User Account Command Privilege Setup Accounting Tab 11-5 HTTPS/ASDM 11-6 Add/Edit HTTP Configuration Secure Shell 11-7 Add/Edit SSH Configuration Telnet 11-8 Add/Edit Telnet Configuration
12
11-6

11-4

11-8

11-9

CHAPTER

Failover

12-1

Understanding Failover 12-1 Active/Standby Failover 12-2 Active/Active Failover 12-2 Stateless (Regular) Failover 12-3

ASDM User Guide OL-10106-01

xi

Contents

Stateful Failover

12-3

Configuring Failover with the High Availability and Scalability Wizard 12-4 Accessing and Using the High Availability and Scalability Wizard 12-4 Configuring Active/Active Failover with the High Availability and Scalability Wizard 12-4 Configuring Active/Standby Failover with the High Availability and Scalability Wizard 12-5 Configuring VPN Load Balancing with the High Availability and Scalability Wizard 12-6 Field Information for the High Availability and Scalability Wizard 12-7 Choose the Type of Failover Configuration 12-7 Check Failover Peer Connectivity and Compatibility 12-8 Change Device to Multiple Mode 12-8 Select Failover Communication Media 12-9 Security Context Configuration 12-9 Failover Link Configuration 12-10 State Link Configuration 12-11 Standby Address Configuration 12-11 VPN Cluster Load Balancing Configuration 12-12 Summary 12-14 Field Information for the Failover Panes 12-14 Failover - Single Mode 12-15 Failover: Setup 12-15 Failover: Interfaces (Routed Firewall Mode) 12-17 Failover: Interfaces (Transparent Firewall Mode) 12-19 Failover: Criteria 12-20 Failover: MAC Addresses 12-21 Add/Edit Interface MAC Address 12-22 Failover-Multiple Mode, Security Context 12-23 Failover - Routed 12-23 Failover - Transparent 12-25 Failover-Multiple Mode, System 12-26 Failover > Setup Tab 12-26 Failover > Criteria Tab 12-28 Failover > Active/Active Tab 12-29 Failover > MAC Addresses Tab 12-33
13

CHAPTER

Configuring Logging

13-1

Logging Setup 13-1 Configure FTP Settings 13-2 Configure Logging Flash Usage E-Mail Setup
13-3

13-2

ASDM User Guide

xii

OL-10106-01

Contents

Add/Edit E-Mail Recipient

13-3

Event Lists 13-4 Add/Edit Event List 13-5 Add/Edit Class and Severity Filter 13-7 Add/Edit Syslog Message ID Filter 13-8 Logging Filters 13-9 Edit Logging Filters
13-9

Rate Limit 13-11 Edit Rate Limit for Syslog Logging Level 13-12 Add/Edit Rate Limit for Syslog Message 13-13 Syslog Servers 13-13 Add/Edit Syslog Server 13-14 Specify Filter Interfaces 13-15 Syslog Setup 13-15 Edit Syslog ID Settings 13-16 Advanced Syslog Configuration
14

13-17

CHAPTER

Configuring Dynamic And Static Routing Dynamic Routing 14-1 OSPF 14-1 Setup 14-2 Filtering 14-8 Interface 14-10 Redistribution 14-15 Static Neighbor 14-17 Summary Address 14-18 Virtual Link 14-20 RIP 14-22 Global Setup 14-23 Interface 14-24 Filter Rules 14-26 Route Redistribution 14-27

14-1

Static Routes 14-29 Static Route Tracking 14-30 Configuring Static Route Tracking 14-30 Field Information for Static Routes 14-31 Static Routes 14-31 Add/Edit Static Route 14-32 Route Monitoring Options 14-33
ASDM User Guide OL-10106-01

xiii

Contents

Proxy ARPs
15

14-34

CHAPTER

Configuring Multicast Routing

15-1

IGMP 15-1 Access Group 15-2 Add/Edit Access Group 15-2 Join Group 15-3 Add/Edit IGMP Join Group 15-4 Protocol 15-4 Configure IGMP Parameters 15-5 Static Group 15-6 Add/Edit IGMP Static Group 15-6 Multicast Route 15-7 Add/Edit Multicast Route PIM
15-8 15-8

Protocol 15-9 Edit PIM Protocol 15-9 Rendezvous Points 15-10 Add/Edit Rendezvous Point 15-11 Request Filter 15-12 Request Filter Entry 15-13 Route Tree 15-14
16

CHAPTER

Firewall Mode Overview

16-1

Routed Mode Overview 16-1 IP Routing Support 16-2 Network Address Translation 16-2 How Data Moves Through the Security Appliance in Routed Firewall Mode An Inside User Visits a Web Server 16-4 An Outside User Visits a Web Server on the DMZ 16-5 An Inside User Visits a Web Server on the DMZ 16-6 An Outside User Attempts to Access an Inside Host 16-7 A DMZ User Attempts to Access an Inside Host 16-8 Transparent Mode Overview 16-8 Transparent Firewall Features 16-9 Using the Transparent Firewall in Your Network 16-10 Transparent Firewall Guidelines 16-10 Unsupported Features in Transparent Mode 16-11 How Data Moves Through the Transparent Firewall 16-12
ASDM User Guide

16-3

xiv

OL-10106-01

Contents

An Inside User Visits a Web Server 16-13 An Outside User Visits a Web Server on the Inside Network An Outside User Attempts to Access an Inside Host 16-15
17

16-14

CHAPTER

Configuring Access Rules

17-1

Access Rules 17-1 Rule Queries 17-3 New/Edit Rule Query 17-4 Add/Edit Access Rule 17-5 Manage Service Groups 17-7 Add/Edit Service Group 17-8 Advanced Access Rule Configuration Log Options 17-9
18

17-8

CHAPTER

Configuring EtherType Rules

18-1 18-1

Ethertype Rules (Transparent Mode Only) Add/Edit EtherType Rule 18-2


19

CHAPTER

Configuring AAA Rules AAA Performance

19-1

19-1

Configuring AAA Rules 19-1 AAA Rules 19-1 Add/Edit Authentication Rule 19-4 Add/Edit Authorization Rule 19-7 Add/Edit Accounting Rule 19-10 Add/Edit MAC Exempt Rule 19-12 Advanced AAA Configuration 19-12 Configuring a RADIUS Server for Authorization 19-13 Configuring a RADIUS Server to Send Downloadable Access Control Lists 19-13 Configuring a RADIUS Server to Download Per-User Access Control List Names 19-17
20

CHAPTER

Configuring Filter Rules

20-1

URL Filtering 20-1 Add/Edit Parameters for Websense URL Filtering 20-3 Add/Edit Parameters for Secure Computing SmartFilter URL Filtering Advanced URL Filtering 20-4 Filter Rules 20-5 Select Source
20-7

20-3

ASDM User Guide OL-10106-01

xv

Contents

Rule Query 20-7 Add/Edit Filter Rule 20-8 Browse Source/Destination Address
21

20-10

CHAPTER

Configuring Service Policy Rules Configuring Service Policy Rules

21-1 21-1

Service Policy Rules 21-1 Service Policy 21-3 Edit Service Policy 21-4 Traffic Classification Criteria 21-4 Default Inspections 21-5 Management Type Traffic Class and Action 21-5 Select RADIUS Accounting Map 21-6 Add RADIUS Accounting Policy Map 21-6 Using Default Inspection Traffic Criteria 21-7 Changing Default Ports for Application Inspection 21-8 Configuring Application Inspection with Multiple Ports 21-9 Source and Destination Address (This dialog is called ACL in other contexts) Destination Port 21-13 RTP Ports 21-13 IP Precedence 21-14 IP DiffServ CodePoints (DSCP) 21-14 Rule Actions > Protocol Inspection Tab 21-15 Select DCERPC Map 21-17 Configure DNS 21-17 Select DNS Map 21-18 Select ESMTP Map 21-18 Select FTP Map 21-19 Select GTP Map 21-19 Select H.323 Map 21-20 Select HTTP Map 21-20 Select IM Map 21-21 Select IPSec-Pass-Thru Map 21-21 Select MGCP Map 21-22 Select NETBIOS Map 21-22 Select SCCP (Skinny) Map 21-23 Select SIP Map 21-23 Select SNMP Map 21-24 Rule Actions > Intrusion Prevention Tab 21-24

21-10

ASDM User Guide

xvi

OL-10106-01

Contents

Rule Actions > CSC Scan Tab 21-25 Rule Actions > Connection Settings Tab 21-26 Rule Actions > QoS Tab 21-27 Edit Class Map 21-28 Edit Rule 21-28 Edit Service Policy Rule > Traffic Classification Tab Tunnel Group 21-31 SUNRPC Server 21-32 Add/Edit SUNRPC Service
22
21-32

21-30

CHAPTER

NAT

22-1 22-1

NAT

Add/Edit Static NAT Rule 22-4 Add/Edit Dynamic NAT Rule 22-5 NAT Options 22-6 Global Pools 22-7 Add/Edit Static Policy NAT Rule 22-9 Add/Edit Dynamic Policy NAT Rule 22-10 Add/Edit NAT Exempt Rule 22-11 Add/Edit Identity NAT Rule 22-12
23

CHAPTER

Configuring ARP Inspection and Bridging Parameters Configuring ARP Inspection 23-1 ARP Inspection 23-1 Edit ARP Inspection Entry 23-2 ARP Static Table 23-3 Add/Edit ARP Static Configuration

23-1

23-4

Customizing the MAC Address Table 23-4 MAC Address Table 23-5 Add/Edit MAC Address Entry 23-6 MAC Learning 23-6
24

CHAPTER

Preventing Network Attacks

24-1 24-1

Connection Settings (Transparent Mode Only) Set/Edit Connection Settings 24-2 IP Audit 24-3 IP Audit Policy 24-3 Add/Edit IP Audit Policy Configuration IP Audit Signatures 24-5

24-4

ASDM User Guide OL-10106-01

xvii

Contents

IP Audit Signature List Fragment 24-10 Show Fragment 24-11 Edit Fragment 24-12 Anti-Spoofing
24-12

24-6

TCP Options 24-13 TCP Reset Settings Timeouts


25
24-16

24-15

CHAPTER

Configuring QoS

25-1

Priority Queue 25-1 Edit Priority Queue 25-1 WCCP 25-3 WCCP Service Groups 25-3 Add or Edit WCCP Service Group 25-3 Redirection 25-4 Add or Edit WCCP Redirection 25-4 WCCP 25-5 WCCP Service Groups 25-5 Redirection 25-5
26

CHAPTER

VPN

26-1

VPN Wizard 26-1 VPN Tunnel Type 26-2 Remote Site Peer 26-3 IKE Policy 26-4 IPSec Encryption and Authentication 26-5 Local Hosts and Networks 26-6 Summary 26-7 Remote Access Client 26-8 VPN Client Authentication Method and Tunnel Group Name Client Authentication 26-10 New Authentication Server Group 26-10 User Accounts 26-11 Address Pool 26-12 Attributes Pushed to Client 26-12 Address Translation Exemption 26-13

26-9

ASDM User Guide

xviii

OL-10106-01

Contents

CHAPTER

27

IKE

27-1

Certificate Group Matching 27-1 Policy 27-1 Rules 27-2 Add/Edit Certificate Matching Rule 27-3 Add/Edit Certificate Matching Rule Criterion Global Parameters
27-5

27-3

Policies 27-8 Add/Edit IKE Policy

27-9

IP Address Management 27-10 Assignment 27-11 IP Pools 27-11 Add/Edit IP Pool 27-12 IPSec 27-12 IPSec Rules 27-13 Tunnel Policy (Crypto Map) - Basic 27-15 Tunnel Policy (Crypto Map) - Advanced 27-16 Tunnel Policy (Crypto Map) -Traffic Selection 27-16 Pre-Fragmentation 27-18 Edit IPSec Pre-Fragmentation Policy 27-20 Transform Sets 27-20 Add/Edit Transform Set 27-21 Tunnel Policy 27-22 Add/Edit Tunnel Policy 27-23 Tunnel Policy Advanced Settings 27-24 Load Balancing NAC
28
27-28 27-25

CHAPTER

General

28-1

Client Update 28-1 Edit Client Update Entry Default Tunnel Gateway
28-4

28-3

Group Policy 28-4 Add/Edit External Group Policy 28-6 Add AAA Server Group 28-6 Add/Edit Internal Group Policy > General Tab Browse Time Range 28-8 Add/Edit Time Range 28-9

28-7

ASDM User Guide OL-10106-01

xix

Contents

Add/Edit Recurring Time Range

28-10

ACL Manager 28-11 Standard ACL Tab 28-11 Extended ACL Tab 28-12 Add/Edit/Paste ACE 28-13 Browse Source/Destination Address 28-15 Browse Source/Destination Port 28-15 Add TCP Service Group 28-16 Browse ICMP 28-17 Add ICMP Group 28-17 Browse Other 28-18 Add Protocol Group 28-18 Add/Edit Internal Group Policy > IPSec Tab 28-19 Add/Edit Client Access Rule 28-20 Add/Edit Internal Group Policy > Client Configuration Tab 28-21 Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab 28-21 View/Config Banner 28-22 Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab 28-24 Add/Edit Standard Access List Rule 28-25 Add/Edit Internal Group Policy > Client Firewall Tab 28-26 Add/Edit Internal Group Policy > Hardware Client Tab 28-28 Add/Edit Internal Group Policy > NAC Tab 28-31 Add/Edit Posture Validation Exception 28-32 WebVPN Tab > Functions Tab 28-32 Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab 28-34 Add/Edit Group Policy > WebVPN Tab > Homepage Tab 28-35 Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab 28-36 Add/Edit Port Forwarding List 28-37 Add/Edit Port Forwarding Entry 28-37 Add/Edit Group Policy > WebVPN Tab > Other Tab 28-38 Add/Edit Server and URL List 28-39 Add/Edit Server or URL 28-39 Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab 28-39 Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab 28-41 ACLs 28-42 Tunnel Group 28-43 Add/Edit Tunnel Group > General Tab > Basic Tab
ASDM User Guide

28-23

28-44

xx

OL-10106-01

Contents

Add/Edit Tunnel Group > General Tab > Authentication Tab 28-45 Add/Edit Tunnel Group > General Tab > Authorization Tab 28-46 Add/Edit Tunnel Group > General Tab > Accounting Tab 28-47 Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab 28-48 Add/Edit Tunnel Group > General Tab > Advanced Tab 28-48 Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab 28-49 Add/Edit Tunnel Group > PPP Tab 28-51 Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab 28-51 Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab 28-53 Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab 28-55 Add/Edit Tunnel Group > WebVPN Tab > Basic Tab 28-56 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab 28-57 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server 28-58 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab 28-58 Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab 28-60 VPN System Options Easy VPN Remote
28-61 28-61

Zone Labs Integrity Server


28-63

Advanced Easy VPN Properties


29

28-64

CHAPTER

WebVPN

29-1 29-1

WebVPN Security Precautions ACLs 29-2 Add ACL 29-3 Add/Edit ACE 29-3 APCF 29-4 Add/Edit APCF Profile Upload APCF package
29-5

29-5

Auto Signon 29-6 Add/Edit Auto Signon Entry CSD Setup 29-8 Upload Image Cache
29-11 29-9

29-7

Content Rewrite 29-12 Add/Edit Content Rewrite Rule Java Trustpoint Encoding
29-13 29-13

29-12

ASDM User Guide OL-10106-01

xxi

Contents

Add\Edit Encoding

29-15

Port Forwarding 29-16 Add/Edit Port Forwarding List 29-17 Add/Edit Port Forwarding Entry 29-18 Proxies
29-18

Proxy Bypass 29-19 Add/Edit Proxy Bypass Rule

29-20

SSL VPN Client 29-21 Add SSL VPN Client Image 29-22 Add SSL VPN Client Browse Flash Dialog 29-22 Add SSL VPN Client Upload Flash Dialog 29-23 Replace SSL VPN Client Image 29-23 Replace SSL VPN Client Upload Flash Dialog 29-24 SSO Servers 29-24 Add/Edit SSO Server Servers and URLs WebVPN Access
29-27 29-27 29-26

Webpage Customization 29-29 Add/Edit Webpage Customization Object > Select Font 29-30 Add/Edit Webpage Customization Object > Select Foreground Color 29-30 Add/Edit Webpage Customization Object > Select Background Color 29-31 Add/Edit Webpage Customization Object > Page Title Tab 29-32 Add/Edit Webpage Customization Object > Page Title Tab > Upload Logo 29-33 Add/Edit Webpage Customization Object > Login Page Tab > Login Box Tab 29-33 Add/Edit Webpage Customization Object > Login Page Tab > Login Prompts Tab 29-35 Add/Edit Webpage Customization Object > Login Page Tab > Login Buttons Tab 29-36 Add/Edit Webpage Customization Object > Logout Page Tab 29-37 Add/Edit Webpage Customization Object > Home Page Tab > Border Color Tab 29-38 Add/Edit Webpage Customization Object > Home Page Tab > Web Applications Tab 29-39 Add/Edit Webpage Customization Object > Home Page Tab > Application Access Tab 29-40 Add/Edit Webpage Customization Object > Home Page Tab > Browse Network Tab 29-41 Add/Edit Webpage Customization Object > Home Page Tab > Web Bookmarks Tab 29-42 Add/Edit Webpage Customization Object > Home Page Tab > File Bookmarks Tab 29-43 Add/Edit Webpage Customization Object > Application Access Window Tab 29-44 Add/Edit Webpage Customization Object > Prompt Dialog Tab 29-45 Add/Edit Webpage Customization Object > Quick Style Configuration 29-46
30

CHAPTER

WebVPN End User Set-up

30-1 30-1

Requiring Usernames and Passwords


ASDM User Guide

xxii

OL-10106-01

Contents

Communicating Security Tips

30-2 30-2

Configuring Remote Systems to Use WebVPN Features Capturing WebVPN Data 30-7 Creating a Capture File 30-8 Using a Browser to Display Capture Data
31

30-8

CHAPTER

E-Mail Proxy

31-1 31-1

Configuring E-Mail Proxy AAA 31-2 POP3S Tab 31-2 IMAP4S Tab 31-4 SMTPS Tab 31-5

Access 31-7 Edit E-Mail Proxy Access Authentication Default Servers Delimiters
32
31-10 31-8 31-9

31-8

CHAPTER

Configuring SSL Settings SSL


32-1

32-1

Edit SSL Trustpoint


33

32-3

CHAPTER

Configuring Certificates Authentication Enrollment


33-2 33-3 33-1

33-1

Import Certificate

Key Pair 33-3 Add Key Pair 33-4 Key Pair Details 33-5 Manage Certificate Add Certificate
33-5 33-6

Trustpoint 33-7 Configuration 33-7 Add/Edit Trustpoint Configuration > Enrollment Settings Tab 33-8 Add/Edit Key Pair 33-9 Certificate Parameters 33-10 Edit DN 33-10 Add/Edit Trustpoint Configuration > Revocation Check Tab 33-11
ASDM User Guide OL-10106-01

xxiii

Contents

Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab 33-12 Add/Edit Static URL 33-12 Add/Edit Trustpoint Configuration > CRL Retrieval Method Tab 33-13 Add/Edit Trustpoint Configuration > OCSP Rules Tab 33-13 Add/Edit Trustpoint OCSP Rule dialog box 33-14 Add/Edit Trustpoint Configuration > Advanced Tab 33-15 Export 33-16 Import 33-17 Authenticating, Enrolling for, and Managing Digital Certificates 33-18 Summary of Configuration Steps 33-18 Generating the Key Pair 33-18 Enrolling for a Certificate Using Automatic Enrollment (SCEP) 33-19 Authenticating to the CA 33-20 Enrolling with the CA 33-20 Enrolling for a Certificate Using Manual Enrollment 33-20 Additional Steps for a Failover Configuration 33-21 Exporting the Certificate to a File or PKCS12 data 33-21 Importing the Certificate onto the Standby Device 33-22 Managing Certificates 33-22
34

CHAPTER

CSD

34-1

CHAPTER

35

Configuring IPS

35-1

CHAPTER

36

Configuring Trend Micro Content Security

36-1

Managing the CSC SSM 36-1 About the CSC SSM 36-1 Getting Started with the CSC SSM 36-3 Determining What Traffic to Scan 36-5 CSC Setup 36-7 Activation/License 36-8 IP Configuration 36-9 Host/Notification Settings 36-10 Management Access Host/Networks Password 36-11 Wizard Setup 36-12 Summary 36-13 Web Mail
ASDM User Guide

36-11

36-14 36-15

xxiv

OL-10106-01

Contents

Mail > SMTP Tab 36-16 Mail > POP3 Tab 36-17 File Transfer Updates
36-18 36-18 36-19

Connecting to CSC/Content Security and Control Password


37

CHAPTER

Monitoring System Log Messages Log Buffer


37-1 37-1 37-3 37-3

37-1

Log Buffer Viewer

Real-time Log Viewer Real-time Log Viewer


38

CHAPTER

Monitoring Trend Micro Content Security Threats


38-1

38-1

Live Security Events 38-2 Live Security Events Viewer Software Updates
38-3

38-2

Resource Graphs 38-4 CSC CPU 38-4 CSC Memory 38-5


39

CHAPTER

Monitoring Failover

39-1

Single Context Mode 39-1 Failover 39-1 Status 39-1 Graphs 39-4 Multiple Context Mode 39-5 System 39-6 Failover Group 1 and Failover Group 2
40

39-8

CHAPTER

Monitoring Interfaces ARP Table


40-1

40-1

DHCP 40-2 DHCP Server Table 40-2 DHCP Client Lease Information DHCP Statistics 40-4 MAC Address Table
40-5

40-2

ASDM User Guide OL-10106-01

xxv

Contents

Dynamic ACLs

40-5

Interface Graphs 40-6 Graph/Table 40-8 PPPoE Client


40-9

interface connection 40-9 Track Status for 40-9 Monitoring Statistics for
41

40-10

CHAPTER

Monitoring Routing OSPF LSAs Type 1 Type 2 Type 3 Type 4 Type 5 Type 7 Routes
41-7 41-1 41-1 41-2 41-3 41-3 41-4 41-4

41-1

OSPF Neighbors

41-5

CHAPTER

42

Monitoring VPN

42-1

VPN Connection Graphs 42-1 IPSec Tunnels 42-1 Sessions 42-2 VPN Statistics 42-3 Sessions 42-3 Sessions Details 42-6 Sub-session Details NAC Details Encryption Statistics 42-10 NAC Session Summary 42-10 Protocol Statistics 42-11 Global IKE/IPSec Statistics 42-12 Crypto Statistics 42-12 Compression Statistics 42-13 Cluster Loads 42-14 WebVPN SSO Statistics 42-14
43

42-8

CHAPTER

Monitoring Properties AAA Servers


43-1

43-1

ASDM User Guide

xxvi

OL-10106-01

Contents

CRL

43-2

Connection Graphs 43-2 Xlates 43-2 Perfmon 43-3 DNS Cache


43-4

Device Access 43-5 AAA Local Locked Out Users 43-5 Authenticated Users 43-6 HTTPS/ASDM Sessions 43-6 Secure Shell Sessions 43-7 Telnet Sessions 43-8 IP Audit
43-8 43-11

System Resources Graphs Blocks 43-11 CPU 43-12 Memory 43-12


INDEX

ASDM User Guide OL-10106-01

xxvii

Contents

ASDM User Guide

xxviii

OL-10106-01

Preface
The ASDM User Guide contains the information that is available in the ASDM online help system. This preface contains the following topics:

Related Documentation, page xxix Document Conventions, page xxix Obtaining Documentation, page xxx Documentation Feedback, page xxxi Cisco Product Security Overview, page xxxi Obtaining Technical Assistance, page xxxii Obtaining Additional Publications and Information, page xxxiv

Related Documentation
For more information, refer to the following documentation:

Cisco ASDM Release Notes Cisco Security Appliance Command Line Configuration Guide Cisco Security Appliance Command Reference Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide Cisco ASA 5500 Series Release Notes Cisco Security Appliance Logging Configuration and System Log Messages

Document Conventions
Command descriptions use these conventions:

Braces ({ }) indicate a required choice. Square brackets ([ ]) indicate optional elements. Vertical bars ( | ) separate alternative, mutually exclusive elements. Boldface indicates commands and keywords that are entered literally as shown. Italics indicate arguments for which you supply values.

ASDM User Guide OL-10106-01

xxix

Preface Obtaining Documentation

Examples use these conventions:


Examples depict screen displays and the command line in screen font. Information you need to enter in examples is shown in boldface screen font. Variables for which you must supply a value are shown in italic screen font.

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation at this URL: http://www.cisco.com/techsupport You can access the Cisco website at this URL: http://www.cisco.com You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD


Cisco documentation and additional literature are available in the Product Documentation DVD package, which may have shipped with your product. The Product Documentation DVD is updated regularly and may be more current than printed documentation. The Product Documentation DVD is a comprehensive library of technical product documentation on portable media. The DVD enables you to access multiple versions of hardware and software installation, configuration, and command guides for Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available. The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD=) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/

ASDM User Guide

xxx

OL-10106-01

Preface Documentation Feedback

Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can send comments about Cisco documentation to bug-doc@cisco.com. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.

Cisco Product Security Overview


Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you can perform these tasks:

Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

ASDM User Guide OL-10106-01

xxxi

Preface Obtaining Technical Assistance

Reporting Security Problems in Cisco Products


Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Emergencies security-alert@cisco.com An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

Nonemergencies psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:


1 877 228-7302 1 408 525-6532

Tip

We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html The link on this page has the current PGP key ID in use.

Obtaining Technical Assistance


Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website


The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do

ASDM User Guide

xxxii

OL-10106-01

Preface Obtaining Technical Assistance

Note

Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request


Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers: Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity


To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)Your network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2)Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation. Severity 3 (S3)Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4)You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

ASDM User Guide OL-10106-01

xxxiii

Preface Obtaining Additional Publications and Information

Obtaining Additional Publications and Information


Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine or view the digital edition at this URL: http://ciscoiq.texterity.com/ciscoiq/sample/ Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj

Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL: http://www.cisco.com/en/US/products/index.html Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html

ASDM User Guide

xxxiv

OL-10106-01

C H A P T E R

Welcome to ASDM
Welcome to ASDM, a browser-based, Java applet used to configure and monitor the software on security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device. For more information about this release, see the following topics:

Important Notes New in This Release Unsupported Commands About the ASDM Window About the Help Window Home Page

Important Notes

CLI Command SupportWith a few exceptions, almost all CLI commands are fully supported by ASDM. For a list of commands ASDM does not support, see Unsupported Commands. Multiple ASDM SessionsASDM allows multiple PCs or workstations to each have one browser session open with the same security appliance software. A single security appliance can support up to 5 concurrent ASDM sessions in single, routed mode. Only one session per browser per PC or workstation is supported for a particular security appliance. In multiple context mode, five concurrent ASDM sessions are supported per context, up to a limit of 32 connections total per security appliance. Security Appliance ReleaseThis release of ASDM requires Version 7.1 and does not run with earlier security appliance releases. CaveatsUse the Bug Toolkit on cisco.com to view current caveat information. You can access Bug Toolkit at: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Changing OS Color SchemesIf you change the color scheme of your operating system while ASDM is running, you should restart ASDM or some ASDM screens might not display correctly.

ASDM User Guide OL-10106-01

1-1

Chapter 1 New in This Release

Welcome to ASDM

New in This Release


See the following topics for more information about the new features in this release:

Enhanced and new inspection engines. See Service Policy Rules, page 21-1 and Global Objects, page 6-1. Sub-second failover and the High Availability and Scalability Wizard. See Failover, page 12-1. Packet Tracer. See Packet Tracer, page 1-11. Expanded VPN and EasyVPN support. See VPN, page 26-1. RIP routing enhancements. See RIP, page 14-22. Static Route Tracking/Dual ISP support. See Static Routes, page 14-29.

Unsupported Commands
ASDM supports almost all commands available for the security appliance, but some commands in an existing configuration are ignored by ASDM. Most of these commands can remain in your configuration; see Show Commands Ignored by ASDM on Device for the ignored commands in your configuration. In the case of the alias command, ASDM enters into Monitor-only mode until you remove the command from your configuration. This section contains the following topics:

Ignored and View-Only Commands Effects of Unsupported Commands Other CLI Limitations

Ignored and View-Only Commands


The following table lists commands that ASDM supports in the configuration when added by the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If it is view-only, then the command appears in the GUI, but you cannot edit it. Unsupported Commands access-list asr-group capture dns-guard established failover timeout ipv6, any IPv6 addresses object-group icmp-type object-group network object-group protocol ASDM Behavior Ignored if not used. Ignored Ignored Ignored Ignored. Ignored. Ignored. View-only. Nested group is view-only. View-only.

ASDM User Guide

1-2

OL-10106-01

Chapter 1

Welcome to ASDM Unsupported Commands

Unsupported Commands object-group service pager pim accept-register route-map prefix-list route-map service-policy global

ASDM Behavior Nested group cannot be added. Ignored. Ignored. Only the list option can be configured using ASDM Ignored if not used in an OSPF area. Ignored. Ignored if it uses a match access-list class. For example:
access-list myacl line 1 extended permit ip any any class-map mycm match access-list mycl policy-map mypm class mycm inspect ftp service-policy mypm global

sysopt nodnsalias sysopt uauth allow-http-cache terminal virtual

Ignored. Ignored. Ignored. Ignored.

Effects of Unsupported Commands

If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in ASDM, but all other configuration is available. If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, see Options > Show Commands Ignored by ASDM on Device. If ASDM loads an existing running configuration and finds the alias command, it enters Monitor-only mode. Monitor-only mode allows access to the following functions:
The Monitoring area The CLI tool (Tools > Command Line Interface), which lets you use the CLI commands.

To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco Security Appliance Command Reference for more information.

Note

You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to 3 by your system administrator, which allows Monitor-only mode. For more information, see Configuration > Properties > Device Administration > User Accounts and Configuration > Device Access > AAA Access.

ASDM User Guide OL-10106-01

1-3

Chapter 1 About the ASDM Window

Welcome to ASDM

Other CLI Limitations


ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:
ip address inside 192.168.2.1 255.255.0.255

About the ASDM Window


The ASDM Window is designed to provide easy access to the many features that the security appliance supports. The ASDM Window includes the following:

MenusProvides quick access to files, tools, options and help. ToolbarLets you navigate ASDM. From the toolbar you can access the home page, configuration, and monitoring panels. You can also search for features, save the configuration, get help and navigate back and forth between panels. The Home, Configuration, and Monitoring buttons each open a panel with a variety of useful tools. The home page offers much information at a glance. Configuration and monitoring offer a useful category tree along the left side of the frame, for access to more detailed configuration or monitoring information. Status BarShows the time, connection status, user, and privilege level.

Menus
ASDM includes the following menus:

File Menu Options Menu Tools Menu Wizards Menu Help Menu

File Menu
The File menu manages security appliance configurations, and includes the following items:

Refresh ASDM with the Running Configuration on the DeviceLoads a copy of the running configuration to ASDM. Use refresh to make sure ASDM has a current copy of the running configuration. Reset Device to the Factory Default ConfigurationRestores the configuration to the factory default. See Reset Device to the Factory Default Configuration dialog box for more information. Show Running Configuration in New WindowDisplays the current running configuration in a new window. Save Running Configuration to FlashWrites a copy of the running configuration to Flash memory. Save Running Configuration to TFTP ServerStores a copy of the current running configuration file on a TFTP server. See the Save Running Configuration to TFTP Server dialog box for more information.

ASDM User Guide

1-4

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Save Running Configuration to Standby UnitSends a copy of the running configuration file on the primary unit to the running configuration of a failover standby unit. Save Internal Log Buffer to FlashSaves the log buffer to flash memory. PrintPrints the current panel. We recommend landscape page orientation when printing rules. If ASDM is running in Netscape Communicator and the user has not yet granted print privileges to the Java applet, a security dialog appears requesting Print privileges. Click Grant to grant the applet printing privileges. When using Internet Explorer, permission to print is already granted when you originally accepted the signed applet. Clear ASDM CacheClears the local ASDM images. ASDM downloads an image locally when you connect to ASDM. Clear Internal Log BufferClears the system log message buffer. ExitExits ASDM.

Reset Device to the Factory Default Configuration


The default configuration includes the minimum commands required to connect to the security appliance using ASDM. This feature is available only for routed firewall mode; transparent mode does not support IP addresses for interfaces, and setting the interface IP address is one of the actions this feature takes. This feature is also only available in single context mode; a security appliance with a cleared configuration does not have any defined contexts to automatically configure using this feature. This feature clears the current running configuration and then configures several commands. The configured interface depends on your platform. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside. The following commands apply to the dedicated management interface, Management 0/0 (for a platform without a dedicated management interface, the interface is Ethernet 1):
interface management 0/0 ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192.168.1.0 255.255.255.0 management dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable management

If you set the IP address in this dialog box, then the http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the File > Save Running Configuration to Flash item. This menu item saves the running configuration to the default location for the startup configuration, even if you previously configured the Boot Image/Configuration to set a different location; when the configuration was cleared, this path was also cleared.

ASDM User Guide OL-10106-01

1-5

Chapter 1 About the ASDM Window

Welcome to ASDM

Note

This command also clears the Add Boot Image configuration, if present, along with the rest of the configuration. The Add Boot Image pane lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot.
Fields

Use this address for the Interface_ID interface which will be named as nameManually sets the IP address of the management interface, instead of using the default address, 192.168.1.1. For a platform with a dedicated management interface, the interface is named management. For other platforms, the configured interface is Ethernet 1 and named inside. Management IP AddressSets the management interface IP address. Management subnet maskSets the subnet mask of the interface. If you do not set a mask, the security appliance uses the mask appropriate for the IP address class.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Save Running Configuration to TFTP Server


File > Save Running Configuration to TFTP Server > Save Running Configuration to TFTP Server This dialog box stores a copy of the current running configuration file on a TFTP server.
Fields

TFTP Server IP AddressEnter the IP address of the TFTP server. Configuration File PathEnter path on the TFTP server where the file will be saved.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Enter Log File Name


File > Save Internal Log Buffer to Flash > Enter Log File Name

ASDM User Guide

1-6

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Saves the log buffer to flash memory.


Fields

Use default file nameSaves the log buffer using LOG-YYYY-MM-DD-hhmmss.txt as the file name. Use user-specified file nameSaves the log buffer using a file name that you specify. Field NameEnter the file name for the saved log buffer.

Options Menu
The Options menu lets you set ASDM preferences.

Show Commands Ignored by ASDM on DeviceDisplays unsupported commands that have been ignored by ASDM. See the Show Commands Ignored by ASDM on Device dialog box for more information. PreferencesChanges the behavior of some ASDM functions between sessions using your web browser cookie feature. See the Preferences dialog box for more information.

Show Commands Ignored by ASDM on Device


Options > Show Commands Ignored by ASDM on Device > Show Commands Ignored by ASDM on Device Some commands are unsupported in ASDM. Typically, they are ignored when encountered by ASDM, and are displayed in the list of unparsed commands invoked by Show Commands Ignored by ASDM on Device. ASDM does not change or remove these commands from your configuration. See Unsupported Commands for more information.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Preferences
Options > Preferences > Preferences The Preferences dialog box lets you change the behavior of some ASDM functions between sessions by using your web browser cookie feature.
Fields

General tabSets general preferences.


Preview commands before sending to the device check boxLets you view CLI commands

generated by ASDM.

ASDM User Guide OL-10106-01

1-7

Chapter 1 About the ASDM Window

Welcome to ASDM

Enable Large Fonts (Requires ASDM Restart) check boxIncreases the ASDM icon font size,

after closing ASDM and reconnecting. Not all fonts are affected.
Confirm before exiting from ASDM check boxDisplays a prompt when you try to close

ASDM to confirm that you want to exit. This option is checked by default.

Rules Table tabSets preferences for the Rules Table.


Diplsay settingsLets you change the way rules are displayed in the Rules Table.

Auto expand network and service object groups with specified prefixDisplays the network and service object groups automatically expanded based on the Auto Expand-Prefix. Auto Expand-PrefixSpecifies the prefix of the network and service object groups to automatically expand when displayed. Show members of network and service object groupsSelect to display members of network and service object groups and the group name in the rules table. If the check box is not selected, only the group name is displayed. Limit members toEnter the number of network and service object groups to display. When the object group members are displayed, then display only the first nn members. Show all actions for service policy rulesSelect to display all action in the rules table. When cleared, a summary is displayed. deploying changes to the rules table.

Deployment SettingsLets you configure the behavior the security appliance has when

Issue clear xlate command when deploying access listsCheck to clear the NAT table when deploying a new access lists. This ensures the access lists that are configured on the security appliance are applied to all translated addresses. Show filter panel by defaultDisplays the filter panel by default. Show rule diagram panel by defaultDisplays the rule diagram by default.

Applications Inspections tabSets Application Inspection map options.


Prompt to add inspect map before applying changesEnables a prompt that reminds you the

inspection map has not yet been added.


Make advanced view the default inspect viewSelect to make the advanced view the default

application inspection view.


Ask to make advanced view the default viewEnables a dialog box that asks to make the advanced view the default application inspection view. Clear to disable the prompt.

Syslog Color Settings tabSets the background and text colors for system log messages displayed on the Home page.
Severity columnLists each severity level. Background Color columnShows the background color for messages for each severity level.

To change the color, click the appropriate row. The Pick a Color dialog box appears.
Foreground Color columnShows the foreground (text) color for messages for each severity

level. To change the color, click the appropriate row. The Pick a Color dialog box appears.
Restore Default buttonRestores the default settings of white background and colored text.

Note

Each time a preference is checked or unchecked, the change is written to the .conf file and becomes available for all the other ASDM sessions running on the workstation at the time. Restarting ASDM maintains your preferences.

ASDM User Guide

1-8

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Tools Menu
The Tools menu provides you with troubleshooting tools on ASDM. Here you can upload new software to the ASDM, check connectivity, or issue commands at the command line.

Command Line InterfaceProvides a text-based tool for sending commands to the security appliance and viewing the results. See the Command Line Interface dialog box for more information. Packet TracerLets you trace a packet from a specified source address and interface to a destination. You can specify the protocol and port of any type of data and see the lifespan of a packet with detailed information about actions taken on it. See the Packet Tracer dialog box for more information. PingProvides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. See the Ping dialog box for more information. TracerouteLets you determine the route packets will take to their destination. See the Traceroute dialog box for more information. File ManagementLets you view, move, copy and delete files stored in Flash memory. You can also create a directory in Flash memory. See the File Management dialog box for more information. You can also bring up the File Transfer dialog box to transfer files between various file systems, including TFTP, Flash memory, and your local PC. Upload ASDM Assistant GuideLets you upload an XML file to Flash memory that contains information used in the ASDM Assistant. These files can be downloaded from Cisco.com. Upgrade SoftwareLets you choose a security appliance image, ASDM image, or other image file on your PC, and upload it to Flash memory. See the Upload Image from Local PC dialog box for more information. System ReloadLets you restart the system and reload the saved configuration into memory. See the System Reload dialog box for more information. ASDM Java ConsoleShows the Java console.

Command Line Interface


Tools > Command Line Interface > Command Line Interface The Command Line Interface dialog box provides a text-based tool for sending commands to the security appliance and viewing the results.

Note

Commands entered via the ASDM CLI tool might function differently from commands entered through a terminal connection to the security appliance.

ASDM User Guide OL-10106-01

1-9

Chapter 1 About the ASDM Window

Welcome to ASDM

Command Errors
If an error occurs because you entered an incorrect command, the offending command is skipped and the remaining commands are processed anyway. A message displays in the Response box to let you know what, if any, errors were encountered as well as other pertinent information.

Note

Refer to the Cisco Security Appliance Command Reference for a list of commands. With a few exceptions, almost all CLI commands are fully supported by ASDM.

Interactive Commands
Interactive commands are not supported in the Command Line Interface dialog box. To use these commands in ASDM, use the noconfirm keyword if available, as follows:
crypto key generate rsa modulus 1024 noconfirm

Avoiding Conflicts with Other Administrators


Multiple administrative users can update the running configuration of the security appliance. Before using the ASDM Command Line Interface tool to make configuration changes, check for other active administrative sessions. If more than one user is configuring the security appliance at the same time, the last changes take effect. (Click the Monitoring tab to view other administrative sessions that are currently active on the same security appliance.)

Viewing Configuration Changes in ASDM


If you change the configuration using the Command Line Interface tool, click the Refresh button to view the changes in ASDM.
Prerequisites

The commands you can enter at the Command Line Interface tool depends on your user privileges. See the Authorization Tab. Review your privilege level in the status bar at the bottom of the main ASDM window to ensure you have privileges to execute privileged-level CLI commands.
Fields

CommandSends commands to the security appliance.


Single LineLets you enter single commands, one at a time. The most recent commands

entered are listed, or you can type a new command.


Multiple LineLets you enter multiple command lines. Enable context sensitive help (?)Shows CLI help for a command if you enter a question mark

(?) after it. You do not need to press enter; the help displays as soon as you type a ?. Clearing this check box causes ASDM to escape the question mark character before sending it to the device, allowing you to enter the question mark as part of a text string without causing the command line help to display.

ResponseDisplays the results of the commands you entered in the command box. SendSends all commands to the security appliance. Clear ResponseClears all text displayed in the Response box.

ASDM User Guide

1-10

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Packet Tracer
The packet tracer tool provides packet tracing capabilities for packet sniffing and network fault isolation. The tool provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet tracer tool will provide information about the cause in an easily readable manner. For example if a packet was dropped because of an invalid header validation, a message is displayed that says, packet dropped due to bad ip header (reason). In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet tracer tool lets you do the following:

Debug all packet drops in production network. Verify the configuration is working as intended. Show all rules applicable to a packet along with the CLI lines which caused the rule addition. Show a time line of packet changes in a data path. Inject tracer packets into the data path.

Fields

InterfaceSpecifies the source interface for the packet trace. Packet typeSpecifies the protocol type for the packet trace. Available protocol types are icmp, rawip, tcp or udp.
Source IPSpecifies the source address for the packet trace. Source PortSpecifies the source port for the packet trace. Destination IP Specifies the destination address for the packet trace. Destination PortSpecifies the destination port for the packet trace.

Start Starts the packet trace. ClearClears all fields. Show animationCheck to display graphically the packet trace. Information Display AreaDisplays detailed messages about the packet trace.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

1-11

Chapter 1 About the ASDM Window

Welcome to ASDM

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Ping
Tools > Ping > Ping The Ping dialog box provides a useful tool for verifying the configuration and operation of the security appliance and surrounding communications links, as well as basic testing of other network devices. A ping is the network equivalent of sonar for submarines. A ping is sent to an IP address and it returns an echo, or reply. This simple process enables network devices to discover, identify, and test each other. The Ping tool uses ICMP described in RFC-777 and RFC-792. ICMP defines an echo and echo reply transaction between two network devices, which has become known as a ping. The echo (request) packet is sent to the IP address of a network device. The receiving device reverses the source and destination address and sends the packet back as the echo reply.

Using the Ping Tool


Administrators can use the ASDM Ping tool as an interactive diagnostic aid in several ways, for example:

Loopback testing of two interfacesA ping may be initiated from one interface to another on the same security appliance, as an external loopback test to verify basic up status and operation of each interface. Pinging to an security appliance interfaceAn interface on another security appliance may be pinged by the Ping tool or another source to verify that it is up and responding. Pinging through an security appliancePing packets originating from the Ping tool may pass through an intermediate security appliance on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit. Pinging to test questionable operation of a network deviceA ping may be initiated from an security appliance interface to a network device that is suspected to be functioning improperly. If the interface is configured properly and an echo is not received, there may be problems with the device. Pinging to test intermediate communicationsA ping may be initiated from an security appliance interface to a network device which is known to be functioning properly and returning echo requests. If the echo is received, the proper operation of any intermediate devices and physical connectivity is confirmed.

Troubleshooting the Ping Tool


When pings fail to receive an echo, it may be the result of a configuration or operational error in a security appliance, and not always due to NO response from the IP address being pinged. Before using the Ping tool to ping from, to or through an security appliance interface, verify the following: Basic Interface Checks

Verify that interfaces are configured properly in Configuration > Properties > Interfaces.

ASDM User Guide

1-12

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Verify that devices in the intermediate communications path, such as switches or routers, are properly delivering other types of network traffic. Make sure that traffic of other types from known good sources is being passed. Use Monitoring > Interface Graphs.

Pinging from an security appliance interface For basic testing of an interface, a ping may be initiated from an security appliance interface to a network device which, by other means, is known to be functioning properly and returning echoes via the intermediate communications path.

Verify receipt of the ping from the security appliance interface by the known good device. If it is not received, there may be a problem with the transmit hardware or configuration of the interface. If the security appliance interface is configured properly and it does not receive an echo from the known good device, there may be problems with the interface hardware receive function. If a different interface with known good receive capability can receive an echo after pinging the same known good device, the hardware receive problem of the first interface is confirmed.

Pinging to an security appliance interface When attempting to ping to an security appliance interface, verify that pinging response (ICMP echo reply), is enabled for that interface in the Configuration > Properties > Administration > ICMP panel. When pinging is disabled, the security appliance cannot be detected by other devices or software applications, and will not respond to the ASDM Ping tool. Pinging through the security appliance

First, verify that other types of network traffic from known good sources is being passed through through the security appliance. Use Monitoring > Interface Graphs, or an SNMP management station. To enable internal hosts to ping external hosts, ICMP access must be configured correctly for both the inside and outside interfaces in Configuration > Access Rules.

Fields

IP AddressThe destination IP address for the ICMP echo request packets.

Note

If a host name has been assigned in the Configuration>Hosts/Networks>Basic Information>Host Name panel, you can use the host name in place of the IP address. Interface(Optional). The security appliance interface that transmits the echo request packets is specified. If it is not specified, the security appliance checks the routing table to find the destination address and uses the required interface. Ping OutputThe result of the ping. When you click Ping, three attempts are made to ping the IP address, and three results display the following fields:
Reply IP address/Device nameThe IP address of the device pinged or a device name, if

available. The name of the device, if assigned Hosts/Networks, may be displayed, even if NO response is the result.
Response time/timeout (ms)When the ping is transmitted, a millisecond timer starts with a

specified maximum, or timeout value. This is useful for testing the relative response times of different routes or activity levels, for example. Example Ping Output:
Sending 5, 100-byte ICMP Echos to out-pc, timeout is 2 seconds:

ASDM User Guide OL-10106-01

1-13

Chapter 1 About the ASDM Window

Welcome to ASDM

!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

If the ping fails, the output is as follows:


Sending 5, 100-byte ICMP Echos to 10.132.80.101, timeout is 2 seconds: ????? Success rate is 0 percent (0/5)

PingSends an ICMP echo request packet from the specified or default interface to the specified IP address and starts the response timer. Clear ScreenClears the output on the screen from previous ping command attempts.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Traceroute
The Traceroute dialog box provides a useful tool to determine the route packets will take to their destination.
Traceroute Output

The traceroute tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following are the output symbols printed by the traceroute tool: Output Symbol * nn msec !N. !H !P !A ?
Fields

Description No response was received for the probe within the timeout period. For each node, the round-trip time (in milliseconds) for the specified number of probes. ICMP network unreachablee. ICMP host unreachable. ICMP protocol unreachable. ICMP administratively prohibited. Unknown ICMP error.

Hostname or IP addressSpecifies the hostname of the host to which the route is traced. If the hostname is specified, define it with Configuration > Global Objects > IP Names, or configure a DNS server to enable traceroute to resolve the hostname to an IP address. TimeoutSpecifies the amount of time in seconds to wait for a response before the connection times out. The default is three seconds. PortSpecifies the destination port used by the UDP probe messages. The default is 33434. ProbeSpecifies the number of probes to be sent at each TTL level. The default count is 3.

ASDM User Guide

1-14

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Min & Max TTLSpecifies the minimum and maximum time to live values for the first probes. The minimum default is one, but it can be set to a higher value to suppress the display of known hops. The maximum default is 30. The tool terminates when the traceroute packet reaches the destination or when the maximum value is reached. Destination PortSpecifies the destination port used by the UDP probe messages. The default is 33434. Specify Source Interface or IP AddressSpecifies the source interface or IP address for the packet trace. This IP address must be the IP address of one of the interfaces. In transparent mode, it must be the management IP address of the security appliance. Reverse ResolveWhen checked, the output displays the names of hops encountered if name resolution is configured . If left unchecked, the output displays IP addresses. Use ICMPSpecifies the use of ICMP probe packets instead of UDP probe packets. Traceroute OutputDisplays detailed messages about the traceroute. TracerouteStarts the traceroute. ClearClears all fields.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

File Management
Tools > File Management > File Management Lets you view, move, copy and delete files stored on Flash memory. You can also create a directory in Flash memory. In multiple context mode, this tool is only available in the system.
Fields

FoldersDisplays the folders available in disk.


Flash SpaceShows the size of Flash and how much is available.

TotalShows the total size of Flash memory. AvailableShows how much memory is available.

FilesDisplays information about the files in the selected folder.


PathShows the selected path Filename Size (bytes) Time Modified Status

ASDM User Guide OL-10106-01

1-15

Chapter 1 About the ASDM Window

Welcome to ASDM

ViewDisplays the selected file in your browser. CutCuts the selected file for pasting to another directory. CopyCopies the selected file for pasting to another directory. PastePastes the copied file to the selected destination. DeleteDeletes the selected file from Flash. RenameLets you rename the file. New DirectoryCreates a new directory for storing files. File TransferOpens the File Transfer dialog box.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Upload Image from Local PC


Tools > Upgrade Software > Upload Image from Local PC The Upload Image from Local PC dialog box lets you choose a security appliance image file, ASDM image, or other images on your PC, and upload it to Flash memory.
Fields

Image to uploadSelect which image type to upload. Local File PathEnter the path to the file on your PC.
Browse LocalSelect to browse to the file on your PC.

Flash File System PathEnter the path to copy the file in Flash memory.
Browse LocalSelect to browse to the directory or file in Flash memory.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

File Transfer
Tools > File Management > File Management > File Transfer

ASDM User Guide

1-16

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

File Transfer lets you copy files to and from your security appliance using HTTPS, TFTP, FTP or by browsing for a local image.
Fields

Source FileSelect the source file to be transferred.


Remote ServerSelect to transfer a file from a remote server.

PathEnter the path to the location of the file, including the IP address of the server. Port/TypeEnter the port number or type (if FTP) of the remote server. Valid FTP types are: apASCII files in passive mode. anASCII files in non-passive mode. ipBinary image files in passive mode. inBinary image files in non-passive mode.
Flash File SystemSelect to copy the file from Flash memory.

PathEnter the path to the location of the file. Browse FlashSelect to browse to the file location on your security appliance where the file will be copied from.
Local ComputerSelect to copy the file from the local PC.

PathEnter the path to the location of the file. Browse LocalhostBrowses the local PC for the file to be transferred.

Destination FileSelect the destination file to be transferred. Depending on the source destination, the Flash File System or the Remote Server will automatically be selected.
Flash File SystemTransfers the file to Flash memory.

PathEnter the path to the location of the file. Browse FlashSelect to browse to the file location on your security appliance where the file will be transferred.
Remote ServerTransfers a file to a remote server.

PathEnter the path to the location of the file. TypeFor FTP transfers, enter the type. Valid types are: apASCII files in passive mode. anASCII files in non-passive mode. ipBinary image files in passive mode. inBinary image files in non-passive mode.

Transfer FileStarts the file transfer.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

1-17

Chapter 1 About the ASDM Window

Welcome to ASDM

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Upload ASDM Assistant Guide


Tools > Upload ASDM Assistant Guide Upload ASDM Assistant Gude lets you upload an XML file to flash that contains useful ASDM procedural help about certain tasks. You can obtain these files from Cisco.com. Once loaded the files are available in the Search field in the File Menu.
Fields

File to uploadThe name of the XML file located on your computer, typically obtained from Cisco.com Flash File System PathThe path in the Flash memory where the XML file is loaded. Upload FileStarts the upload.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

System Reload
Tools > System Reload > System Reload System Reload lets you restart the system and reload the saved configuration into memory. The System Reload dialog box lets you choose when the system should be reloaded, whether you should save the running configuration to Flash memory, and send a message to connected users at reload.
Fields

Reload SchedulingLets you configure when the reload will take place.
Configuration StateSelect whether to save the running configuration or not at reload.

Save the Running Configuration at Time of ReloadSelect to save the running configuration at reload. Reload Without Saving the Running ConfigurationSelect to discard configuration changes to the running configuration at reload.

Reload Start TimeLets you select the time of the reload.


NowSelect to perform an immediate reload.

ASDM User Guide

1-18

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Delay byLets you delay the reload by a select amount of time. Enter the time to elapse before

the reload in hours and minutes or minutes.


Schedule atLets you schedule the reload to take place at a specific time and date. Enter the

time of day the reload is to take place, and select the date of the scheduled reload.

Reload MessageEnter a message to be sent to open instances of ASDM at reload. On Reload Failure Force Immediate Reload afterIf the reload fails, the amount of time elapsed in hours and minutes or minutes before a reload is attempted again. Schedule ReloadSchedules the reload as configured. Reload StatusDisplays the status of the reload. Cancel ReloadCancels the scheduled reload. RefreshRefreshes the Reload Status display. DetailsDisplays the details of the scheduled reload.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Wizards Menu
The Wizards menu lets you run a wizard to configure multiple features.

Startup WizardThe ASDM Startup Wizard walks you, step by step, through the initial configuration of your security appliance. As you click through the configuration screens, you will be prompted to enter information about your security appliance. The Startup Wizard will apply these settings, so you should be able to start using your security appliance right away. VPN WizardThe VPN Wizard is a simple way to get a VPN policy configured on your security appliance. High Availability and Scalability WizardUse this wizard to get failover configured on your security appliance.

Help Menu
The Help menu provides links to online Help as well as information about ASDM and security appliance.

Help TopicsOpens a new browser window with help arranged by contents, screen name, and indexed in the left frame. Use these to find help for any topic, or search using the Search tab above. Help for Current ScreenOpens context sensitive help about the screen, panel or dialog box that is currently open. You can also click the question mark help icon for context sensitive help. Release NotesOpens the most current version of the Cisco ASDM Release Notes on the web. The Release Notes contain the latest information about ASDM software and hardware requirements, and the latest information about changes in the software.

ASDM User Guide OL-10106-01

1-19

Chapter 1 About the ASDM Window

Welcome to ASDM

Getting StartedBrings up the Getting Started help topic to help you get started using ASDM. GlossaryContains definitions of terms and acronyms. Feature MatrixOpens the most current version of the Cisco ASDM Release Notes on the web, which includes the latest licensing information. Feature SearchLets you search for a function in ASDM. The Search feature looks through the titles of each panel and presents you with a list of matches, and gives you a hyperlink directly to that panel. If you need to switch quickly between two different panels you found in Search, use the Back and Forward buttons. You can also click the Search icon on the ASDM Toolbar. How do I?Opens the ASDM Assistant, which lets you search downloadable content with from Cisco.com, with details about performing certain tasks. LegendProvides a list of icons found in ASDM and explains what they represent. About Cisco PlatformDisplays an extensive list of information about the security appliance, including software versions, hardware sets, configuration file loaded at startup, and software image loaded at startup. This information is helpful in troubleshooting. About Cisco ASDM 5.2Displays information about ASDM such as the ASDM software version, hostname, privilege level, operating system, browser type, and Java version.

Toolbar
The Toolbar at the top of the ASDM window, below the menus, provides access to the home page, configuration pages, and monitoring pages. It also lets you choose between the system and security contexts in multiple context mode, and provides navigation, and other commonly-used functions.

System/ContextsClick the down arrow to open the context list in a left-hand pane, and the up arrow to restore the context drop-down list. When expanded, click the left arrow to collapse the pane all the way left, and the right arrow to restore the pane. To manage the system, select System from the list. To manage a context, select the context from the list. HomeDisplays the Home page, which lets you view at a glance important information about your security appliance such as the status of your interfaces, the version you are running, licensing information, and performance. See Home Page for more information. In multiple mode, the system does not have a Home page. ConfigurationConfigures the security appliance. Choose a feature button in the left-hand pane to configure that feature. MonitoringMonitors the security appliance. Choose a feature button in the left-hand pane to monitor that feature. BackTakes you back to the last panel of ASDM you visited. ForwardTakes you forward to the last panel of ASDM you visited. SearchLets you search for a function in ASDM. The Search feature looks through the titles of each panel and presents you with a list of matches, and gives you a hyperlink directly to that panel. If you need to switch quickly between two different panels you found in Search, use Back and Forward. RefreshRefreshes ASDM with the current running configuration by selecting. This button does not refresh the graphs in any of the monitoring graphs. SaveSaves the running configuration to the startup configuration. If you have a context that is not write accessible, for example on HTTP, then this button does not save the running configuration. HelpShows context-sensitive help for the screen that is currently open.

ASDM User Guide

1-20

OL-10106-01

Chapter 1

Welcome to ASDM About the ASDM Window

Status Bar
The status bar appears at the bottom of the ASDM window. The areas below appear from left to right on the status bar.

StatusShows the status of the configuration, such as Device configuration loaded successfully. User NameShows the username of the ASDM user. If you logged in without a username, the username is admin. User PrivilegeShows the privilege of the ASDM user. Commands Ignored by ASDMWhen you click the icon, ASDM shows a list of commands from your configuration that ASDM did not process. They will not be removed from the configuration. See Show Commands Ignored by ASDM on Device for more information. Status of Connection to DeviceShows the ASDM connection status to the security appliance. See Connection to Device for more information. Save to Flash NeededShows that you made configuration changes in ASDM, but that you have not yet saved the running configuration to the startup configuration. Refresh NeededShows that you need to refresh the configuration from the security appliance to ASDM because the configuration changed on the security appliance. For example, you made a change to the configuration at the CLI. SSL SecureShows that the connection to ASDM is secure because it uses SSL. TimeShows the time that is set on the switch that contains the security appliance.

Connection to Device
Status Bar > Status of Connection to Device icon > Connection to Device ASDM maintains a constant connection to the security appliance to maintain up-to-date monitoring and home page data. This dialog box shows the status of this connection. When you make a configuration change, ASDM opens a second connection for the duration of the configuration, and then closes it. That connection is not represented by this dialog box.

Buttons That Appear on Many Panels


These buttons appear on many ASDM panels:

ApplySends changes made in ASDM to the security appliance and applies them to the running configuration. Click Save to write a copy of the running configuration to Flash memory. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby unit. ResetDiscards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After Reset, use Refresh to make sure that information from the current running configuration is displayed. CancelDiscards changes and returns to the previous panel. HelpDisplays help for the selected panel.

ASDM User Guide OL-10106-01

1-21

Chapter 1 About the Help Window

Welcome to ASDM

About the Help Window


This section contains the following topics:

Header Buttons Notes

Header Buttons
Use the header buttons to navigate through the help to find the topic you are looking for.

About ASDMDisplays information about ASDM. SearchLets you search the help topics. Using HelpDescribes the best way to get the most out of online help. GlossaryLists a glossary of terms found in ASDM and networking. ContentsDisplays a table of contents. ScreensLists help files by screen name. IndexProvides an index of help topics found in ASDM online help

Left-Pane TabsHelp navigate the online help.


Right-Pane Help ContentDisplays the help for the selected topic.

Notes
When help is invoked in applet mode and if there is any help page already open, the new help page will appear in the same browser window. If there is no help page already open, then the help page will appear in a new browser window. When help is invoked in application mode and if Netscape is the default browser, each time help is invoked the help page will appear in a new browser window. If IE is the default browser, based on the user setting, the help page may appear either in the last visited browser window or in a new browser window. This behavior of IE can be controlled by using the option Tools > Internet Options > Advanced > Reuse window for launching shortcuts.

Home Page
The ASDM home pane lets you view, at a glance, important information about your security appliance. If you have an SSM installed in your security appliance, an additional tab appears on the home page. The additional tab displays status information about the software on the SSM. For more information about configuring these areas, see the following:

Home Home > Content Security Tab

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

1-22

OL-10106-01

Chapter 1

Welcome to ASDM Home Page

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Home
Home The ASDM home pane lets you view, at a glance, important information about your security appliance, such as the status of your interfaces, the version you are running, licensing information, and performance. Many of the details available on the ASDM home page are available elsewhere in ASDM, but this is a useful and quick way to see how your security appliance is running. Status information on the Home pane is updated every ten seconds.
Fields

Device InformationIncludes two tabs to show device information.


GeneralShows the following information:

Host NameDisplay only. Shows the security appliance hostname. See Device to set the hostname. Platform VersionDisplay only. Shows the security appliance software version. Device UptimeDisplay only. Shows how long the security appliance has been running. ASDM VersionDisplay only. Shows the ASDM version. Device TypeDisplay only. Shows the security appliance model. Firewall ModeDisplay only. Shows the firewall mode, either Routed or Transparent. See Firewall Mode Overview for more information. Context ModeDisplay only. Shows the context mode, either Single or Multiple. See Security Context Overview for more information. Total FlashDisplay only. Shows the total amount of Flash memory (the internal Flash memory plus the external Flash memory card, if available) in MB. Total MemoryDisplay only. Shows the total RAM.
LicenseDisplay only. Shows the level of support for licensed features on the security

appliance.

VPN StatusRouted, single mode only. Shows the following information:


IKE TunnelsDisplay only. Shows the number of connected IKE tunnels. IPSec TunnelsDisplay only. Shows the number of connected IPSec tunnels.

System Resources StatusShows the following CPU and memory usage statistics:
CPUDisplay only. Shows the current percentage of CPU being utilized. CPU Usage (percent)Display only. Shows the CPU usage for the last five minutes. MemoryDisplay only. Shows the current amount of memory being used in MB.

ASDM User Guide OL-10106-01

1-23

Chapter 1 Home Page

Welcome to ASDM

Memory Usage (MB)Display only. Shows the memory usage for the last five minutes in MB.

Interface StatusShows the status of each interface. If you select an interface row, the input and output Kbps shows under the table.
InterfaceDisplay only. Shows the interface name. IP Address/MaskDisplay only. Routed mode only. Shows the IP address and subnet mask of

the interface.
LineDisplay only. Shows the administrative status of the interface. A red icon is displayed if

the line is down, and a green icon is displayed if the line is up.
LinkDisplay only. Shows the link status of the interface. A red icon is displayed if the link is

down, and a green icon is displayed if the link is up.


Current KbpsDisplay only. Shows the current number of kilobits per second that cross the

interface.

Traffic StatusShows graphs for connections per second for all interfaces and for the traffic throughput of the lowest security interface.
Connections per Second UsageDisplay only. Shows the UDP and TCP connections per

second over the last 5 minutes. This graph also shows the current number of connections by type, UDP, TCP, and Total.
Name Interface Traffic Usage (Kbps)Display only. Shows the traffic throughput for the lowest

security interface. If you have multiple interfaces at the same level, then ASDM shows the first interface alphabetically. This graph also shows the current throughput by type, Input Kbps and Output Kbps.

Latest ASDM Syslog MessagesShows the latest system messages generated by the security appliance.
Stop Message DisplayStops logging to ASDM. Resume Message DisplayResumes logging to ASDM.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Home > Content Security Tab


Home > Content Security Tab The Content Security tab lets you view important information about the Content Security and Control (CSC) SSM. This panel appears only if a CSC SSM is installed in the security appliance. For an introduction to CSC SSM, see About the CSC SSM.

ASDM User Guide

1-24

OL-10106-01

Chapter 1

Welcome to ASDM Home Page

Note

If you have not completed the Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panels under Home > Content Security. Instead, a dialog box appears and lets you access the Setup Wizard directly from Home > Content Security.
Fields

Device InformationShows the following information: ModelShows the type of SSM installed in your security appliance. Mgmt IPShows the IP address of the management interface for the CSC SSM. VersionShows the CSC SSM software version. Last UpdateShows the date of the last software update obtained from Trend Micro. Daily Node #Shows the number of network devices for which the CSC SSM provided services in the preceding 24 hours. ASDM updates this field at midnight. Base LicenseShows license status for basic features of the CSC SSM, such as anti-virus, anti-spyware, and FTP file blocking features. The date that the license is due to expire appears. If the license has expired, the date of expiry appears. If no license is configured, the field shows Not Available. Plus LicenseShows license status for advanced features of the CSC SSM, such as anti-spam, anti-phishing, email content filtering, and URL blocking and filtering features. The date that the license is due to expire appears. If the license has expired, the date of expiry appears. If no license is configured, the field shows Not Available. Licensed NodesShows the maximum number of network devices for which your CSC SSM is licensed to provide services.

System Resources StatusShows the following CPU and memory usage statistics for the CSC SSM:
CPUShows the current percentage of CPU being utilized. CSC SSM CPU Usage (percent)Shows the CPU usage for the last five minutes. MemoryShows the current amount of memory being used in MB. CSC SSM Memory Usage (MB)Shows the memory usage for the last five minutes in MB.

Threat SummaryShows aggregate data about threats detected by the CSC SSM.
Threat TypeLists four threat types: Virus, Spyware, URL Filtered, and URL Blocked. TodayShows the number of threats detected for each threat type within the past 24 hours. Last 7 DaysShows the number of threats detected for each threat type within the past 7 days. Last 30 DaysShows the number of threats detected for each threat type within the past 30

days.

Email ScanShows graphs for emails scanned and email virus and spyware detected.
Email Scanned CountShows the number of emails scanned, as separate graphs by email

protocol (SMTP or POP3) and as a combined graph for both supported email protocols. The graphs display data in ten-second intervals.
Email Virus and SpywareShows the number of viruses and emails detected in email scans, as

separate graphs by threat type (virus or spyware). The graphs display data in ten-second intervals.

ASDM User Guide OL-10106-01

1-25

Chapter 1 Home Page

Welcome to ASDM

Latest CSC Security EventsShows, in real time, security event messages received from the CSC SSM.
TimeDisplays the time an event occurred. SourceDisplays the IP address or hostname from which the threat came. Threat/FilterDisplays the type of threat or, in the case of a URL filter event, the filter that

triggered the event.


Subject/File/URLDisplays the subject of emails containing a threat, the names of FTP file

containing a threat, or URLs blocked or filtered.


Receiver/HostDisplays the recipient of emails containing a threat or the IP address or

hostname of a node threatened.


SenderDisplays the sender of emails containing a threat. Content ActionDisplays the action taken upon the content of the message or file, such as

delivering the content unaltered, deleting attachments, or cleaning attachments before delivering them.
Msg ActionDisplays the action taken upon the message, such as delivering the message

unchanged, delivering the message after deleting attachments, or not delivering the message.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

1-26

OL-10106-01

C H A P T E R

Before You Start


This section contains the following topics:

Factory Default Configurations Configuring the Security Appliance for ASDM Access Setting Transparent or Routed Firewall Mode at the CLI Downloading the ASDM Launcher Starting ASDM History Metrics Configuration Overview

Factory Default Configurations


The factory default configuration is the configuration applied by Cisco to new security appliances. The factory default configuration is supported on all models except for the PIX 525 and PIX 535 security appliances. For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration configures interfaces and NAT so that the security appliance is ready to use in your network immediately. The factory default configuration is available only for routed firewall mode and single context mode. See Configuring Security Contexts for more information about multiple context mode. See the Firewall Mode Overview for more information about routed and transparent firewall mode. This section includes the following topics:

Restoring the Factory Default Configuration, page 2-2 ASA 5505 Default Configuration, page 2-2 ASA 5510 and Higher Default Configuration, page 2-3 PIX 515/515E Default Configuration, page 2-4

ASDM User Guide OL-10106-01

2-1

Chapter 2 Factory Default Configurations

Before You Start

Restoring the Factory Default Configuration


To restore the factory default configuration, perform the following steps:
Step 1 Step 2 Step 3 Step 4 Step 5

Choose File > Reset Device to the Factory Default Configuration. To change the default IP address to an IP address of your choosing, check Use this address for the <default interface> which will be named as <name> check box. Enter the new IP address in the Management IP Address field. Enter the new subnet mask in the Management Mask field. Click OK.

If you specify the ip_address, then you set the inside or management interface IP address, depending on your model, instead of using the default IP address of 198.168.1.1. The http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify. After you restore the factory default configuration, save it to internal Flash memory using the write memory command. The write memory command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared. See the

Note

This command also clears the boot system command, if present, along with the rest of the configuration. The boot system command lets you boot from a specific image, including an image on the external Flash memory card. The next time you reload the security appliance after restoring the factory configuration, it boots from the first image in internal Flash memory; if you do not have an image in internal Flash memory, the security appliance does not boot. To configure additional settings that are useful for a full configuration, see the setup command.

ASA 5505 Default Configuration


The default factory configuration for the ASA 5505 adaptive security appliance configures the following:

An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. If you did not set the IP address in the configure factory-default command, then the VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0. An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP. The default route is also derived from DHCP. All inside IP addresses are translated when accessing the outside using interface PAT. By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside. The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.

ASDM User Guide

2-2

OL-10106-01

Chapter 2

Before You Start Factory Default Configurations

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:


interface Ethernet 0/0 switchport access vlan 2 no shutdown interface Ethernet 0/1 switchport access vlan 1 no shutdown interface Ethernet 0/2 switchport access vlan 1 no shutdown interface Ethernet 0/3 switchport access vlan 1 no shutdown interface Ethernet 0/4 switchport access vlan 1 no shutdown interface Ethernet 0/5 switchport access vlan 1 no shutdown interface Ethernet 0/6 switchport access vlan 1 no shutdown interface Ethernet 0/7 switchport access vlan 1 no shutdown interface vlan2 nameif outside no shutdown ip address dhcp setroute interface vlan1 nameif inside ip address 192.168.1.1 255.255.255.0 security-level 100 no shutdown global (outside) 1 interface nat (inside) 1 0 0 http server enable http 192.168.1.0 255.255.255.0 inside dhcpd address 192.168.1.2-192.168.1.254 inside dhcpd auto_config outside dhcpd enable inside logging asdm informational

ASA 5510 and Higher Default Configuration


The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:

The management Management 0/0 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:


interface management 0/0

ASDM User Guide OL-10106-01

2-3

Chapter 2 Configuring the Security Appliance for ASDM Access

Before You Start

ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192.168.1.0 255.255.255.0 management dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable management

PIX 515/515E Default Configuration


The default factory configuration for the PIX 515/515E security appliance configures the following:

The inside Ethernet1 interface. If you did not set the IP address in the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0. The DHCP server is enabled on the security appliance, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.

The configuration consists of the following commands:


interface ethernet 1 ip address 192.168.1.1 255.255.255.0 nameif management security-level 100 no shutdown asdm logging informational 100 asdm history enable http server enable http 192.168.1.0 255.255.255.0 management dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd enable management

Configuring the Security Appliance for ASDM Access


If you want to use ASDM to configure the security appliance instead of the command-line interface, you can connect to the default management address of 192.168.1.1 (if your security appliance includes a factory default configuration. See the Factory Default Configurations section on page 2-1.). On the ASA 5510 and higher adaptive security appliances, the interface to which you connect with ASDM is Management 0/0. For the ASA 5505 adaptive security appliance, the switch port to which you connect with ASDM is any port, except for Ethernet 0/0. For the PIX 515/515E security appliance, the interface to which you connect with ASDM is Ethernet 1. If you do not have a factory default configuration, see the Cisco Security Appliance Command Line Configuration Guide to access the command-line interface. You can then configure the minimum parameters to access ASDM by entering the setup command.

ASDM User Guide

2-4

OL-10106-01

Chapter 2

Before You Start Setting Transparent or Routed Firewall Mode at the CLI

Setting Transparent or Routed Firewall Mode at the CLI


You can set the security appliance to run in routed firewall mode (the default) or transparent firewall mode. For more information about the firewall mode, see Firewall Mode Overview. For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system execution space. When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration. For multiple context mode, the system configuration is erased. This action removes any contexts from running. If you then re-add a context that has an existing configuration that was created for the wrong mode, the context configuration will not work correctly. Be sure to recreate your context configurations for the correct mode before you re-add them, or add new contexts with new paths for the new configurations. If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration. To set the firewall mode, perform the following steps. In multiple context mode, perform these steps in the system execution space.
Step 1

In single context mode or from the system configuration in multiple mode, you can copy the startup configuration or running configuration to an external server or to the local Flash memory using one of the following commands. You can use this backup configuration for reference when creating your new configuration.

To copy to a TFTP server, enter the following command:


hostname# copy {startup-config | running-config} tftp://server[/path]/filename

To copy to a FTP server, enter the following command:


hostname# copy {startup-config | running-config} ftp://[user[:password]@]server[/path]/filename

To copy to local Flash memory, enter the following command:


hostname# copy {startup-config | running-config} {flash:/ | disk0:/ | disk1:/}[path/]filename

Be sure the destination directory exists. If it does not exist, first create the directory using the mkdir command.
Step 2

To change the mode, enter one of the following commands:

To set the mode to transparent, enter the following command:


hostname(config)# firewall transparent

This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.

To set the mode to routed, enter the following command:


hostname(config)# no firewall transparent

ASDM User Guide OL-10106-01

2-5

Chapter 2 Downloading the ASDM Launcher

Before You Start

Downloading the ASDM Launcher


The ASDM Launcher is for Windows only. The ASDM Launcher is an improvement over running ASDM as a Java Applet. The ASDM Launcher avoids double authentication and certificate dialog boxes, launches faster, and caches previously-entered IP addresses and usernames. To download the ASDM launcher, perform the following steps:
Step 1

From a supported web browser on the security appliance network, enter the following URL:
https://interface_ip_address

In transparent firewall mode, enter the management IP address.

Note Step 2

Be sure to enter https, not

http.

Click OK or Yes to all prompts, including the name and password prompt. By default, leave the name and password blank. A page displays with the following buttons:

Download ASDM Launcher and Start ASDM Run ASDM as a Java Applet

Step 3

Click Download ASDM Launcher and Start ASDM. The installer downloads to your PC. Run the installer to install the ASDM Launcher.

Step 4

Starting ASDM
This section describes how to start ASDM according to one of the following methods:

Starting ASDM from the ASDM Launcher, page 2-6 Using ASDM in Demo Mode, page 2-7 Starting ASDM from a Web Browser, page 2-8

Starting ASDM from the ASDM Launcher


The ASDM Launcher is for Windows only. To start ASDM from the ASDM Launcher, perform the following steps:
Step 1

Double-click the Cisco ASDM Launcher shortcut on your desktop, or start it from the Start menu.

ASDM User Guide

2-6

OL-10106-01

Chapter 2

Before You Start Starting ASDM

Step 2

Enter the security appliance IP address or hostname, your username, and your password, and then click OK. If there is a new version of ASDM on the security appliance, the ASDM Launcher automatically downloads it before starting ASDM.

Using ASDM in Demo Mode


ASDM Demo Mode is available as a separately installed application running under Windows. It makes use of the ASDM Launcher and pre-packaged configuration files to let you run ASDM without having a live device available. ASDM Demo Mode lets you:

Perform configuration and select monitoring tasks via ASDM as though you were interacting with a real device. Demonstrate ASDM or security appliance features using the ASDM interface. Perform configuration and monitoring tasks with the Content Security and Control SSM (CSC SSM).

ASDM Demo Mode provides simulated monitoring data, including real-time system log messages. The data shown is randomly generated, but the experience is identical to what you would see when connecting to a real device. ASDM Demo Mode has the following limitations:

Changes made to the configuration will appear in the GUI but are not applied to the configuration file. That is, when you click the Refresh button, it will revert back to the original configuration. The changes are never saved to the configuration file. File/Disk operations are not supported. Monitoring and logging data are simulated. Historical monitoring data is not available. You can only log in as an admin user; you cannot login as a monitor-only or read-only user. Demo Mode does not support the following features:
File menu:

Save Running Configuration to Flash Save Running Configuration to TFTP Server Save Running Configuration to Standby Unit Save Internal Log Buffer to Flash Clear Internal Log Buffer
Tools menu:

Command Line Interface Ping File Management Update Image File Transfer Upload image from Local PC System Reload

ASDM User Guide OL-10106-01

2-7

Chapter 2 Starting ASDM

Before You Start

Toolbar/Status bar > Save Configuration > Interface > Edit Interface > Renew DHCP Lease FailoverConfiguring a standby device

These operations cause a reread of the configuration and therefore will revert it back to the original configuration.
Switching contexts Making changes in the Interface panel NAT panel changes Clock panel changes

To run ASDM in Demo Mode, perform the following steps:


Step 1

If you have not yet installed the Demo Mode application, perform the following steps:
a.

Download the ASDM Demo Mode installer from http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm. The filename is asdm-version-demo.msi. Double-click the installer to install the software.

b. Step 2 Step 3 Step 4 Step 5

Double-click the Cisco ASDM Launcher shortcut on your desktop, or start it from the Start menu. Click the Run in Demo Mode check box. To set the platform, context and firewall modes, and ASDM Version, click the Demo button and make your selections from the Demo Mode area. If you want to use new ASDM images as they come out, you can either download the latest installer, or you can download the normal ASDM images and install them for Demo Mode:
a.

Download the image from http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm. The filename is asdm-version.bin

b.

In the Demo Mode area, click Install ASDM Image. A file browser appears. Find the ASDM image file in the browser.

Step 6

Click OK to launch ASDM Demo Mode. You see a Demo Mode label in the title bar of the window.

Starting ASDM from a Web Browser


To start ASDM from a web browser, perform the following steps:
Step 1

From a supported web browser on the security appliance network, enter the following URL:
https://interface_ip_address

In transparent firewall mode, enter the management IP address.

Note

Be sure to enter https, not

http.

ASDM User Guide

2-8

OL-10106-01

Chapter 2

Before You Start History Metrics

Step 2

Click OK or Yes to all browser prompts, including the name and password prompt. By default, leave the name and password blank. A page displays with the following buttons:

Download ASDM Launcher and Start ASDM Run ASDM as a Java Applet

Step 3 Step 4

Click Run ASDM as a Java Applet. Click OK or Yes to all Java prompts, including the name and password prompt. By default, leave the name and password blank.

History Metrics
Configuration > Properties > History Metrics The History Metrics pane lets you configure the security appliance to keep a history of various statistics, which can be displayed by ASDM on any Graph/Table. If you do not enable history metrics, you can only monitor statistics in real time. Enabling history metrics lets you view statistics graphs from the last 10 minutes, 60 minutes, 12 hours, and 5 days.
Fields

ASDM History MetricsEnables history metrics. Unchecking this check box clears and disables the history metrics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuration Overview
To configure and monitor the security appliance, perform the following steps:
Step 1 Step 2 Step 3

Use the Startup Wizard for initial configuration by clicking Wizards > Startup Wizard. To configure VPN connections, use the VPN Wizard by clicking Wizards > VPN Wizard and completing each screen that appears. Configure advanced features by clicking the Configuration button on the toolbar and then clicking a feature button. Features include:

Configuring InterfacesConfigures basic interface parameters including the IP address, name, security level, and for transparent mode, the bridge group. Security PolicyIncludes access rules, AAA rules, filter rules, and service policy rules.

ASDM User Guide OL-10106-01

2-9

Chapter 2 Configuration Overview

Before You Start

Access RulesPermits or denies IP traffic through the security appliance. For transparent

firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Ethertype Rules (Transparent Mode Only)Permits or denies non-IP traffic through the

security appliance.
AAA RulesRequires authentication and/or authorization for certain types of traffic, for

example, for HTTP. The security appliance also sends accounting information to a RADIUS or TACACS+ server.
Filter RulesPrevents outbound access to specific websites or FTP servers. The security

appliance works with a separate server running either Websense Enterprise or Sentian by N2H2. See Configuration > Properties > URL Filtering to configure the URL filtering server, which must be configured before you add a rule.
Service Policy RulesApplies application inspection, connection limits, and TCP

normalization. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the security appliance to do a deep packet inspection. You can also limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP normalization drops packets that do not appear normal.

NATTranslates addresses used on a protected network to addresses used on the public Internet. This lets you use private addresses, which are not routable on the Internet, on your inside networks. VPNConfigures VPN connections.
VPN WizardRuns the VPN wizard. E-Mail ProxyConfigures e-mail proxies. E-mail proxies extend remote e-mail capability to

WebVPN users.
GeneralSets general VPN configuration parameters. IKEIKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to

build an IPSec security association.


IP Address ManagementSets the IP addresses of clients after they connect through the VPN

tunnel.
IPSecConfigures the IPSec protocol for VPN tunnels. Load BalancingConfigures load balancing for VPN connections. WebVPNConfigures WebVPN. WebVPN lets users establish a secure, remote-access VPN

tunnel to the security appliance using a web browser.


CSD ManagerConfigures the CSC SSM (available for the ASA 5500 series adaptive security appliance). Configuring IPSConfigures the AIP SSM (available for the ASA 5500 series adaptive security appliance). Configuring Dynamic And Static Routing(Single mode only) Configures OSPF, RIP, static, and asymmetric routing. Global ObjectsProvides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. These reusable components, or global objects, include the following:
Hosts/Networks Inspect Maps

ASDM User Guide

2-10

OL-10106-01

Chapter 2

Before You Start Configuration Overview

TCP Maps Time Ranges Step 4

Monitor the security appliance by clicking the Monitoring button on the toolbar and then clicking the feature button. Features include:

Monitoring InterfacesMonitors the ARP table, DHCP, dynamic access list, and interface statistics. Monitoring RoutingMonitors routes, OSPF LSAs, and OSPF neighbors. Monitoring PropertiesMonitors management sessions, AAA servers, failover, CRLs, the DNS cache, and system statistics. Monitoring System Log MessagesMonitors system log messages. Monitoring Failover(For the system in multiple mode) Monitors failover in the system.

ASDM User Guide OL-10106-01

2-11

Chapter 2 Configuration Overview

Before You Start

ASDM User Guide

2-12

OL-10106-01

C H A P T E R

Using the Startup Wizard


Startup Wizard
From Cisco ASDM 5.2 Start Screen Configuration > Properties > Startup Wizard The ASDM Startup Wizard walks you through, step by step, the initial configuration of your security appliance. As you click through the configuration screens, you will be prompted to enter information about your security appliance. The Startup Wizard will apply these settings, so you should be able to start using your security appliance right away. The Startup Wizard defines the following in your configuration:

A hostname for your security appliance. A domain name for your security appliance. An enable password that is used to restrict administrative access to the security appliance through ASDM or the command-line interface. The IP address information of the outside interface on the security appliance. The other interfaces of your security appliance, such as the inside or DMZ interfaces, can be configured from the Startup Wizard. NAT or PAT rules for your security appliance. DHCP settings for the inside interface, such as for use with a DHCP server.

More information about each setting is available by clicking the Help button on the corresponding configuration screen. Before you begin using the Startup Wizard, make sure you have the following information available:

A unique hostname to identify the security appliance on your network. The IP addresses of your outside, inside, and other interfaces. The IP addresses to use for NAT or PAT configuration. The IP address range for the DHCP server. You can access the Startup Wizard from the Cisco ASDM 5.2 Start page by selecting the Run Startup Wizard as a Java Applet button. You can access the Startup Wizard at any time using the Wizards menu in ASDM. The Help button is an icon with a question mark.

Remember:

ASDM User Guide OL-10106-01

3-1

Chapter 3 Startup Wizard

Using the Startup Wizard

On subsequent Startup Wizard pages, you can click Finish to complete the wizard at any time. This sends changes made in the Startup Wizard to the security appliance.

Important Notes

The security appliance can run in two modes:


RoutedIn routed mode, the security appliance acts as a router between connected networks.

Each interface requires an IP address on a different subnet. The security appliance performs NAT between connected networks. In single context mode, the routed firewall supports OSPF and RIP (in passive mode). Multiple context mode supports static routes only. Routed mode supports up to 256 interfaces per context or in single mode, with a maximum of 1000 interfaces divided between all contexts. Each interface is on a different subnet. You can share interfaces between contexts. In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an ACL. The transparent firewall, however, can allow any traffic through using either an extended ACL (for IP traffic) or an EtherType ACL.

Note

We recommend using the advanced routing capabilities of the upstream and downstream routers, such as the MSFC, instead of relying on the security appliance for extensive routing needs.

TransparentIn transparent mode, the security appliance is not seen as a router hop to

connected devices, but acts like a bump in the wire, or a stealth firewall. The security appliance connects the same network on its inside and outside ports, but uses different VLANs on the inside and outside. No dynamic routing protocols or NAT are required. Transparent mode only supports two interfaces, an inside interface and an outside interface. Transparent mode helps simplify the configuration and reduces its visibility to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams. Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended ACL. The only traffic allowed through the transparent firewall without an ACL is ARP traffic. ARP traffic can be controlled by ARP inspection.

Note

The transparent mode security appliance does not pass CDP packets.

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory).

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.

ASDM User Guide

3-2

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

The security appliance can be used as an Easy VPN remote device. However, if the security appliance is configured to function as an Easy VPN remote device, it cannot establish other types of tunnels. For example, the security appliance cannot function simultaneously as both an Easy VPN remote device and as one end of a standard peer-to-peer VPN deployment. There are two modes of operation when using the security appliance as an Easy VPN remote device:
Client Mode Network Extension Mode

When configured in Easy VPN Client Mode, the security appliance does not expose the IP addresses of clients on its inside network. Instead, it uses NAT (Network Address Translation) to translate the IP addresses on the private network to a single, assigned IP address. When thesecurity appliance is configured in Client Mode, you cannot ping or access any device from outside the private network. When configured in Easy VPN Network Extension Mode, the security appliance does not protect the IP addresses of local hosts by substituting a assigned IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.
Fields

Launch Startup WizardLaunches the Startup Wizard.

Note

The Launch Startup Wizard button does not appear if you click Wizards >Startup Wizard on the toolbar. With the exception of this screen, all screens in the Startup Wizard display the following buttons:

BackReturns you to the previous screen (the button is dim in this screen). NextAdvances you to the next screen. FinishSubmits your configuration to the security appliance based upon choices made in this screen (the button is dim in this screen). CancelDiscards any changes without applying them. The Wizard prompts you with the Exit Wizard dialog box when Cancel is clicked. Clicking Exit closes the Wizard, and clicking Cancel again returns you to the Wizard screen. Remember at any time in the Wizard you can click Back to return to the previous screen.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Starting Point
Configuration >Properties >Startup Wizard > Starting Point

ASDM User Guide OL-10106-01

3-3

Chapter 3 Startup Wizard

Using the Startup Wizard

Benefits

The Starting Point screen lets you continue with your existing configuration or reset the configuration to the factory default values. If you check the box Reset configuration to existing defaults, you revert back to the IP address and subnet mask of the default inside interface. If you continue with your existing configuration, you automatically retain your IP address and subnet mask.
Fields

The Starting Point screen displays the Next, Cancel, and Help buttons, in addition to the following:

Modify existing configurationClick to start the wizard with the existing configuration. Reset configuration to factory defaultsClick to start the wizard at the factory default values for the inside interface.
Configure the IP address of the management interfaceCheck this box to configure the IP

address and subnet mask of the management interface. IP AddressLets you enter the IP address of the management interface to configure. Subnet MaskLets you enter the subnet mask of the management interface to configure.

Note

If you reset the configuration to the factory defaults, you cannot undo the change by cancelling the wizard.

Note

The Back and Finish buttons are disabled on this screen.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

For More Information

This feature is available in the main ASDM application screen: File > Reset Device to the Factory Default Configuration

Basic Configuration
Startup Wizard >Basic Configuration
Benefits

The Basic Configuration screen lets you configure the hostname of your security appliance and the enable password, as well as a domain name for the security appliance. The domain name should be less than 64 characters (maximum 63 characters) alphanumeric and mixed case.

ASDM User Guide

3-4

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

The enable password is used to administer ASDM or to administer the security appliance from the Command Line Interface. The password is case-sensitive and can be up to 16 alphanumeric characters. If you want to change the current password, check Change privileged mode (enabled) password, enter the old password, then enter the new password, and confirm the new password in the fields provided.

Note

If you leave the password field blank, a Password Confirmation screen displays and notifies you that this is a high security risk.
Fields

The Basic Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Host NameLets you enter a hostname for the security appliance. The hostname can be up to 63 alphanumeric characters and mixed case. Note: This field will list either ASA or PIX before Host Name, depending on the platform you are using. Domain NameSpecifies the IPSec domain name the of the security appliance. This can be used later for certificates. There is a 64-character limit on the domain name (maximum 63 characters), and it must be alphanumeric with no special characters or spaces. Privileged Mode (Enable) Password areaLets you restrict administrative access to the security appliance through ASDM or the Command Line Interface.
Change privileged mode (enable) PasswordCheck this box to change the current privileged

mode (enable) password.


Old PasswordLets you enter the old enable password, if one exists. New PasswordLets you enter the new enable password. The password is case-sensitive and

can be up to 16 alphanumeric characters.


Confirm New PasswordLets you reenter the new enable password.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Properties > Device Administration > Device Configuration > Properties > Device Administration > Password

Outside Interface Configuration


Startup Wizard > Outside Interface Configuration

ASDM User Guide OL-10106-01

3-5

Chapter 3 Startup Wizard

Using the Startup Wizard

Benefits

The Outside Interface Configuration screen lets you configure your outside interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.
Fields

The Outside Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Interface Properties area


InterfaceLets you add a new interface, or select an interface from the drop-down list. Interface NameLets you add a name to a new interface, or displays the name associated with

an existing interface.
Enable interfaceCheck this box to activate the interface in privileged mode. Security LevelDisplays the security level range for the interface from 0 to 100, with 100

assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default.

IP Address area
Use PPPoEClick to obtain an IP address from a PPP over Ethernet (PPPoE) server for the

interface. The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.
Use DHCPClick to obtain an IP address from a Dynamic Host Configuration Protocol server

so that IP addresses can be reused when hosts no longer need them.

Note

DCHP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCPCheck this box to obtain an IP address for the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP addressClick to manually specify an IP address for the interface:

IP AddressLets you enter an IP address for an outside interface. Subnet MaskLets you enter a subnet mask for an outside interface, or alternatively, choose a selection from the drop-down list.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

3-6

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Internet (Outside) VLAN Configuration


Startup Wizard > Internet (Outside) VLAN Configuration
Benefits

The Internet (Outside) VLAN Configuration screen lets you configure your Internet interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.
Important Notes

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.
Fields

The Internet (Outside) VLAN Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Internet Interface area


Choose an interfaceClick to choose an interface to configure, then select an interface from

the drop-down list.


Create new VLAN interfaceClick to create a new VLAN interface, then enter the new VLAN

number. If the maximum number of interfaces has already been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN. See the Important Notes section for additional information.

Enable interfaceCheck this box to activate the interface in privileged mode. Interface NameLets you specify a name for the interface. Security LevelLets you enter a security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. IP Address area

ASDM User Guide OL-10106-01

3-7

Chapter 3 Startup Wizard

Using the Startup Wizard

Use PPPoEClick to obtain a dynamic IP address from a PPPoE server for an Internet

interface.
Use DHCPClick to obtain an IP address for the Internet interface from a DHCP server.

Note

DCHP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCPCheck this box to obtain an IP address for the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP addressClick to specify an IP address for an Internet interface rather

than obtaining one from a PPPoE server or DHCP server: IP AddressLets you enter an IP address for an Internet interface. Subnet MaskLets you enter a subnet mask for an Internet interface, or alternatively, choose a selection from the drop-down list.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Outside Interface Configuration - PPPoE


Startup Wizard > Outside Interface Configuration - PPPoE
Benefits

The Outside Interface Configuration - PPPoE screen lets you configure your interface by obtaining an IP address from a PPPoE server. The ASA device is the PPPoE on the specified interface. Before any network layer protocols can be routed, a connection must be opened and negotiated, in this case, using PPPoE authentication.
Fields

The Outside Interface Configuration - PPPoE screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

ASDM User Guide

3-8

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Group NameLets you specify the name of the interfaces.

Note

You must specify a group name in order to proceed.

User Authentication area


PPPoE UsernameLets you specify the PPPoE username for authentication purposes. PPPoE PasswordLets you specify the PPPoE password for authentication purposes. Confirm PPPoE PasswordLets you confirm the PPPoE password.

Authentication Method area The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.
PAPCheck this to select the Password Authentication Protocol as the authentication method.

PAP is the simplest authentication protocol. The username and password are sent unencrypted using this method.
CHAPCheck this to select the Challenge Handshake Authentication Protocol method.

CHAP does not prevent unauthorized access; it merely identifies the remote end. Then, the access server determines whether the user is allowed access.
MSCHAPCheck this to select the Microsoft Challenge Handshake Authentication Protocol

authentication for PPP connections between a computer using a Microsoft Screens operating system and an access server.

IP Address area
Obtain IP Address using PPPoEClick to obtain an IP address using a PPPoE server.

The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.
Specify an IP addressClick to specify an IP address for an interface rather than obtaining one

from a PPPoE server: IP AddressLets you enter an IP address for an interface. Subnet MaskLets you enter a subnet mask for an interface, or alternatively, choose a selection from the drop-down list.
Obtain default route using PPPoEClick to obtain the default route between the PPPoE server

and the PPPoE client.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

3-9

Chapter 3 Startup Wizard

Using the Startup Wizard

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Internet (Outside) VLAN Configuration - PPPoE


Startup Wizard > Internet (Outside) VAN Configuration - PPPoE
Benefits

The Internet (Outside) VLAN Configuration - PPPoE screen lets you configure your interface by obtaining an IP address from a PPPoE server. The ASA device is the PPPoE on the specified interface. Before any network layer protocols can be routed, a connection must be opened and negotiated, in this case, using PPPoE authentication.
Fields

The Internet (Outside) VLAN Configuration - PPPoE screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Group NameLets you specify the name of the interfaces.

Note

You must specify a group name in order to proceed.

User Authentication area


PPPoE UsernameLets you specify the PPPoE username for authentication purposes. PPPoE PasswordLets you specify the PPPoE password for authentication purposes. Confirm PPPoE PasswordLets you confirm the PPPoE password.

Authentication Method area The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.
PAPCheck this to select the Password Authentication Protocol as the authentication method.

PAP is the simplest authentication protocol. The username and password are sent unencrypted using this method.
CHAPCheck this to select the Challenge Handshake Authentication Protocol method.

CHAP does not prevent unauthorized access; it merely identifies the remote end. Then, the access server determines whether the user is allowed access.
MSCHAPCheck this to select the Microsoft Challenge Handshake Authentication Protocol

authentication for PPP connections between a computer using a Microsoft screens operating system and an access server.

IP Address area
Obtain IP Address using PPPoEClick to obtain an IP address using a PPPoE server.

The default authentication method for PPPoE is Password Authentication Protocol (PAP). You have the option of configuring Challenge Handshake Authentication Protocol (CHAP) or Microsoft CHAP (MSCHAP) manually.

ASDM User Guide

3-10

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Specify an IP addressClick to specify an IP address for an interface rather than obtaining one

from a PPPoE server: IP AddressLets you enter an IP address for an interface. Subnet MaskLets you enter a subnet mask for an interface, or alternatively, choose a selection from the drop-down list.
Obtain default route using PPPoEClick to obtain the default route between the PPPoE server

and the PPPoE client.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Inside Interface Configuration


Startup Wizard > Inside Interface Configuration
Benefits

The Inside Interface Configuration screen lets you configure an inside interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.

Note

If VLAN is configured, the screen displays a message that in order to make additional changes, you should go to Configuration > Interfaces.
Important Notes

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.
Fields

The Inside Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Inside Interface area


Choose an interfaceChoose an interface to configure from the drop-down list.

ASDM User Guide OL-10106-01

3-11

Chapter 3 Startup Wizard

Using the Startup Wizard

Create new VLAN interfaceClick to create a new inside interface Enable interfaceCheck this box to activate the interface in privileged mode.

Interface NameLets you specify a name for the interface. Security LevelLets you enter a security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. IP Address area
Use PPPoEClick to obtain an IP address from a PPPoE server for an inside interface. Use DHCPClick to obtain an IP address for the inside interface from a DHCP server.

Note

DCHP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCPCheck this box to obtain an IP address for the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP addressLets you specify an IP address for an inside interface rather than

obtaining one from a PPPoE server or DHCP server: IP AddressLets you specify an IP address for an inside interface. Subnet MaskLets you specify a subnet mask for an inside interface; the list displays a selection of subnet mask IP addresses.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Business (Inside) VLAN Configuration


Startup Wizard > Business (Inside) VLAN Configuration

ASDM User Guide

3-12

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Benefits

The Business (Inside) VLAN Configuration screen lets you configure an inside interface by specifying an IP address, or obtaining one from a PPPoE or a DHCP server.

Note

If VLAN is configured, the screen displays a message that in order to make additional changes, you should go to Configuration > Interfaces.
Important Notes

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.
Fields

The Business (Inside) VLAN Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Inside Interface area


Choose an interfaceChoose an interface to configure from the drop-down list. Create new VLAN interfaceClick to create a new inside interface Enable interfaceCheck this box to activate the interface in privileged mode.

Interface NameLets you specify a name for the interface. Security LevelLets you enter a security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. IP Address area
Use PPPoEClick to obtain an IP address from a PPPoE server for an inside interface. Use DHCPClick to obtain an IP address for the inside interface from a DHCP server.

Note

DCHP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCPCheck this box to obtain an IP address for the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP addressLets you specify an IP address for an inside interface rather than

obtaining one from a PPPoE server or DHCP server: IP AddressLets you specify an IP address for an inside interface.

ASDM User Guide OL-10106-01

3-13

Chapter 3 Startup Wizard

Using the Startup Wizard

Subnet MaskLets you specify a subnet mask for an inside interface; the list includes a selection of subnet mask IP addresses.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

DMZ Interface Configuration


Startup Wizard > DMZ Interface Configuration
Benefits

The DMZ Interface Configuration screen lets you configure a work interface. The security appliance supports up to three fully functional named interfaces; in transparent mode, the security appliance supports up to two interfaces. Typically one interface connects to the outside Internet (known as an Internet zone), another connects to a home network (known as a home zone), and the third interface (known as a work interface), operates similarly to a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Important Notes

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.
Fields

The DMZ Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Work Interface area


Choose an interfaceChoose an interface to configure from the drop-down list. Create new VLAN interfaceCheck this box to create a new work interface. Enable interfaceCheck this box to activate the interface in privileged mode.

Interface NameLets you specify a name for the interface.

ASDM User Guide

3-14

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Security LevelLets you enter a security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. IP Address area
Use PPPoECheck this box to obtain an IP address from a PPPoE server for a work interface. Use DHCPCheck this box to obtain an IP address for a work interface from a DHCP server.

Note

DCHP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCPCheck this box to obtain an IP address for the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP addressLets you specify an IP address for a work interface rather than

obtaining one from a PPPoE server or DHCP server: IP AddressLets you specify an IP address for a work interface. Subnet MaskLets you specify a subnet mask for a work interface; use the drop-down list to select a subnet mask IP address.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Home (DMZ) VLAN Configuration


Startup Wizard > Home (DMZ) VLAN Configuration
Benefits

The Home (DMZ) VLAN Configuration screen lets you configure a work interface.

ASDM User Guide OL-10106-01

3-15

Chapter 3 Startup Wizard

Using the Startup Wizard

The security appliance supports up to three fully functional named interfaces; in transparent mode, the security appliance supports up to two interfaces. Typically one interface connects to the outside Internet (known as an Internet zone), another connects to a home network (known as a home zone), and the third interface (known as a work interface), operates similarly to a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Important Notes

With a full license, the security appliance supports up to five interfaces with a maximum of three interfaces named interface. In restricted mode, the security appliance supports up to three interfaces, and in transparent mode, the security appliance supports up to two interfaces. Once the maximum number of interfaces has been created, or the maximum number of interfaces has already been named, you may not be able to create a new VLAN, and may have to select from an existing VLAN.
Fields

The Home (DMZ) VLAN Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Work Interface area


Choose an interfaceChoose an interface to configure from the drop-down list. Create new VLAN interfaceCheck this box to create a new work interface. Enable interfaceCheck this box to activate the interface in privileged mode.

Interface NameLets you specify a name for the interface. Security LevelLets you enter a security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. IP Address area
Use PPPoECheck this box to obtain an IP address from a PPPoE server for a work interface. Use DHCPCheck this box to obtain an IP address for a work interface from a DHCP server.

Note

DCHP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCPCheck this box to obtain an IP address for the default gateway using DHCP.

Note

DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP addressLets you specify an IP address for a work interface rather than

obtaining one from a PPPoE server or DHCP server: IP AddressLets you specify an IP address for a work interface. Subnet MaskLets you specify a subnet mask for a work interface; use the drop-down list to display a selection of subnet mask IP addresses.

ASDM User Guide

3-16

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Switch Port Allocation


Startup Wizard > Switch Port Allocation
Benefits

The Switch Port Allocation screen lets you allocate switch ports to your outside, inside, and work interface. As VLANs are port-based, you must add the ports to their respective VLANs. By default, all switch ports begin in VLAN1.
Fields

The Switch Port Allocation screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following: Allocate Switch Ports to your Outside Interface (vlanid) area

Available PortsLets you select a port to add or remove from the available list of ports. Allocated PortsLets you select a port to add or remove from the allocated list of ports. AddLets you add a port to the available or allocated list of ports. RemoveLets you remove a port from the available or allocated list of ports. Available PortsLets you select a port to add or remove from the available list of ports. Allocated PortsLets you select a port to add or remove from the allocated list of ports. AddLets you add a port to the available or allocated list of ports. RemoveLets you remove a port from the available or allocated list of ports. Available PortsLets you select a port to add or remove from the available list of ports. Allocated PortsLets you select a port to add or remove from the allocated list of ports. AddLets you add a port to the available or allocated list of ports. RemoveLets you remove a port from the available or allocated list of ports.

Allocate Switch Ports to your Inside Interface (vlanid) area


Allocate Switch Ports to your Work Interface (vlanid) area


ASDM User Guide OL-10106-01

3-17

Chapter 3 Startup Wizard

Using the Startup Wizard

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Transparent

Single

Context

System

1. Work interface is hidden in transparent mode.

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

General Interface Configuration


Startup Wizard > General Interface Configuration
Benefits

The General Interface Configuration screen lets you enable and restrict traffic between interfaces and between hosts connected to the same interface.
Important Notes

Restricted traffic is not an optional configuration. If you only have a restricted license, you must restrict from one interface to any of the other interfaces. Typically, this is the traffic from the work interface to the inside interface, but any pair can be chosen. The Restrict Traffic area fields are hidden if you have a full license or if the device is in transparent mode.
Fields

The General Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable traffic between two or more interfaces with the same security levelCheck this box to enable traffic between two or more interfaces with the same security level. Enable traffic between two or more hosts connected to the same interfaceCheck this box to enable traffic between two or more hosts connected to the same interface.

Restrict traffic area

Note

Restricted traffic is not an optional configuration. If you only have a restricted license, you must restrict from one interface to any of the other interfaces. These fields are hidden if you have a full license or if the device is in transparent mode.

From interfaceLets you restrict traffic from an interface by selecting an interface from the drop-down menu. To interfaceLets you restrict traffic to an interface by selecting an interface from the drop-down menu.

ASDM User Guide

3-18

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Static Routes
Startup Wizard >Static Routes
Benefits

The Static Routes screen lets you create static routes that will access networks connected to a router on any interface. To enter a default route, set the IP address and mask to 0.0.0.0, or the shortened form of 0. If an IP address from one security appliance interface is used as the gateway IP address, the security appliance will ARP the designated IP address in the packet instead of ARPing the gateway IP address. Leave the Metric at the default of 1 unless you are sure of the number of hops to the gateway router.

Add/Edit Static Routes


Startup Wizard > Static Routes >Add/Edit Static Route
Benefits

The Add/Edit Static Route dialog box lets you add or edit a static route.

Route Monitoring Options


Startup Wizard > Static Routes >Add/Edit Static Route>Route Monitoring Options
Benefits

TheRoute Monitoring Options dialog box lets you set the parameters for monitoring the static route.

Auto Update Server


Startup Wizard > Auto Update Server
Benefits

The Auto Update Server screen allows you to remotely manage the ASA device. This includes automatically updating the ASA configuration, ASA image, and the ASDM image.

ASDM User Guide OL-10106-01

3-19

Chapter 3 Startup Wizard

Using the Startup Wizard

Fields

The Auto Update Server screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable Auto UpdateCheck this box to enable communication between the security appliance and an Auto Update Server. Server area
Server URLClick the drop-down list to select either the secure http (https) or http to designate

the beginning of the URL for the Auto Update server. In the next box, enter the remainder of the IP address for the Auto Update server.
Verify server SSL certificateCheck this box to confirm that a SSL certificate is enabled on the

Auto Update Server.

User area
UsernameEnter the username to log in to the Auto Update server. PasswordEnter the password to log in to the Auto Update server. Confirm PasswordEnter the password again to confirm it.

Device Identify area


Device ID TypeClick the drop-down list to select the type of ID to uniquely identify the

security appliance. Selecting User-defined name enables the Device ID field, where you can specify a unique ID.
Device IDEnter a unique string to use as security appliance ID.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

DHCP Server
Startup Wizard > DHCP Server
Benefits

The DHCP Server screen lets you configure the security appliance as a Dynamic Host Control Protocol (DHCP) server to hosts on the inside interface. You can configure a range of IP addresses in an address pool, then when a host on the inside interface makes a request for an IP address using DHCP, the security appliance assigns it an address from this pool.

ASDM User Guide

3-20

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Important Notes

DNS, WINS and other information for interfaces with the lowest security level (inside interfaces) can be set in this screen. To configure the DHCP server for other interfaces, go to the Configuration> Properties > DHCP Services > DHCP Server in the main ASDM screen. The number of addresses allowed in the DHCP pool is 256. If you configure ASDM to use the DHCP server option, the security appliance uses the inside IP address, adds one address, and configures the address pool based on the number of addresses available according to your feature license and platform. The pool size varies, and might be configured for fewer IP addresses than you are licensed to use to simplify the configuration.

Fields

The DHCP Server screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable DHCP server on the inside interfaceCheck this box to turn on DHCP for the security appliance.
DHCP Address Pool area

Starting IP AddressEnter the starting range of the DHCP server pool in a block of IP addresses from the lowest to highest. The security appliance supports 256 IP addresses. Ending IP AddressEnter the ending range of the DHCP server pool in a block of IP addresses from the lowest to highest. The security appliance supports 256 IP addresses.
DHCP Parameters area

Enable auto-configurationCheck this box to allow the wizard to configure the DNS server, WINS server, lease length, and ping timeout. DNS Server 1Enter the IP address of the DNS server to use DNS. WINS Server 1Enter the IP address of the WINS (screens Internet Naming Service) server to use DNS. DNS Server 2Enter the IP address of the alternate DNS server to use DNS. WINS Server 2Enter the IP address of the alternate WINS server to use DNS. Lease Length (secs)Enter the amount of time (in seconds) the client can use its allocated IP address before the lease expires. The default value is 3600 seconds (1 hour). Ping TimeoutEnter the parameters for the ping timeout value in milliseconds. Domain NameEnter the domain name of the DNS server to use DNS.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen:

ASDM User Guide OL-10106-01

3-21

Chapter 3 Startup Wizard

Using the Startup Wizard

Configuration > Properties > DHCP Services > DHCP Server

Address Translation (NAT/PAT)


Startup Wizard > Address Translation (NAT/PAT)

Note

This feature is not available in transparent mode.


Benefits

The Address Translation (NAT/PAT) screen lets you configure NAT and PAT on your security appliance. PAT lets you set up a single IP address for use as the global address. With PAT, you can set multiple outbound sessions to appear as if they originate from a single IP address. When enabled, the security appliance chooses a unique port number from the PAT IP address for each outbound translation slot. This feature is useful in smaller installations where there are not enough unique IP addresses for all outbound connections. An IP address that you specify for a port address cannot be used in another global address pool. PAT lets up to 65,535 hosts start connections through a single outside IP address. If you decide to use NAT, enter an address range to use for translating addresses on the inside interface to addresses on the outside interface. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections.
Important Notes

If you use NAT, the range of IP addresses required on this screen creates a pool of addresses that is used outbound on the security appliance. If you have been assigned a range of Internet-registered, global IP addresses by your ISP, enter them here. The following are limitations when using the PAT address configuration:

Does not work with caching name servers. You may need to enable the corresponding inspection engine to pass multimedia application protocols through the security appliance. Does not work with the established command. When in use with a passive FTP, use the Inspect protocol ftp strict command statement with an access-list command statement to permit outbound FTP traffic. A DNS server on a higher level security interface, needing to get updates from a root name server on the outside interface, cannot use PAT.

Fields

The Address Translation (NAT/PAT) screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable traffic through the firewall without translationClick to allow traffic through the firewall without translation. NAT is a one-to-one address translation; PAT is a many (inside the firewall)-to-one translation. Use Network Address Translation (NAT)Select to enable NAT and a range of IP addresses to be used for translation.
Starting Global IP AddressEnter the first IP address in a range of IP addresses to be used for

translation.

ASDM User Guide

3-22

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Ending Global IP AddressEnter the last IP address in a range of IP addresses to be used for

translation.
Subnet Mask (optional)Specify the subnet mask for the range of IP addresses to be used for

translation.

Use Port Address Translation (PAT)Select to enable PAT. You must choose one of the following if you select this option.

Note

IPSec with PAT may not work properly because the outside tunnel endpoint device cannot handle multiple tunnels from one IP address.

Use the IP address on the outside interfaceThe security appliance uses the IP address of the

outside interface for PAT.


Specify an IP addressSpecify an IP address to be used for PAT.

IP AddressLets you enter an IP address for the outside interface for PAT. Subnet Mask (optional)Lets you enter a subnet mask for the outside interface for PAT, or click the down arrow to select a subnet mask.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > NAT

Administrative Access
Startup Wizard > Administrative Access
Benefits

The Administrative Access screen lets you configure management access on the security appliance. ASDM automatically lists the interfaces available for configuration, and in this screen you can set the IP address, interface name, and security level to make each interface unique.

Note

This screen allows configuration of management access to interfaces already configured in other places. User cannot change such things as the IP address and the name of the interface in this screen.

ASDM User Guide OL-10106-01

3-23

Chapter 3 Startup Wizard

Using the Startup Wizard

Fields

The Administrative Access screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

TypeSpecifies whether the host or network is accessing security appliance via HTTPS/ASDM, SSH, or Telnet. InterfaceDisplays the host or network name. IP AddressDisplays the IP address of the host or network. MaskDisplays the subnet mask of the host or network. AddLets you choose access type, an interface, then specify the IP address and netmask of the host/network that will be allowed to connect to that interface for management purposes only. EditLets you edit an interface. DeleteLets you delete an interface.

Add/Edit Administrative Access Entry


Startup Wizard > Add/Edit Administrative Access Entry
Benefits

The Add/Edit Administrative Access Entry dialog box let you configure the hosts. You must use one the following types of preconfigured connections for the Command Line Interface console sessions:

Telnet protocolA network connection using the Telnet protocol. ASDM/HTTPS protocolA network connection using the HTTPS (HTTP over SSL) protocol for Tools > Command Line Interface.

Note

ASDM uses HTTPS for all communication with the security appliance. Secure Shell (SSH) protocolA network connection using the Secure Shell (SSH) protocol.

Before configuring your security appliance from the ASDM Command Line Interface tool, we recommend that you review the security appliance Technical Documentation. See also Password, Authentication. For more information about the Command Line Interface commands used by each ASDM screen, see Command Line Interface Commands Used by ASDM screens Help > About the security appliance that will display, among other useful things, which user last changed the configuration.
Fields

The Add/Edit Administrative Access Entry screen displays the OK, Cancel, and Help buttons, in addition to the following:

Access TypeSelect one of the following types of preconfigured connections for the Command Line Interface console sessions from the drop-down menu: ASDM/HTTP, SSH, or Telnet. Interface NameLets you select from a list of predetermined interfaces. IP AddressLets you specify an IP address for the interface.

ASDM User Guide

3-24

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Subnet MaskLets you specify a subnet mask for the interface from a selection of subnet mask IP addresses.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Properties > Device Access > HTTPS/ASDM Configuration > Properties > Device Access > Telnet Configuration > Properties > Device Access > SSH Configuration > Properties > History Metrics

Easy VPN Remote Configuration


Startup Wizard >Easy VPN Remote Configuration
Benefits

Companies with multiple sites can establish secure communications and resource sharing among them by deploying a Cisco Easy VPN solution that consists of an Easy VPN Server at its main site and Easy VPN remote devices at remote offices. Using an Easy VPN solution simplifies the deployment and management of a Virtual Private Network in the following ways:

Hosts at remote sites no longer have to run VPN client software. Security policies reside on a central server and are pushed to the remote devices when a VPN connection is established. Few configuration parameters need to be set locally.

When used as an Easy VPN remote device, the security appliance can also be configured to perform basic firewall services, such as protecting a web server on a DMZ from unauthorized access. However, if the security appliance is configured to function as an Easy VPN remote device, it cannot establish other types of tunnels. For example, the security appliance cannot function simultaneously as both an Easy VPN remote device and as one end of a standard peer-to-peer VPN deployment. The Easy VPN Remote Configuration screen lets you form a secure VPN tunnel between the security appliance and a remotely located Cisco VPN 3000 Concentrator, Cisco IOS-based router, or security appliance that is acting as an Easy VPN server. The security appliance itself acts as an Easy VPN remote device to enable deployment of VPNs to remote locations via the devices listed above. There are two modes of operation when using the security appliance as an Easy VPN remote device:

Client Mode Network Extension Mode

ASDM User Guide OL-10106-01

3-25

Chapter 3 Startup Wizard

Using the Startup Wizard

When configured in Easy VPN Client Mode, the security appliance does not expose the IP addresses of clients on its inside network. Instead, it uses NAT (Network Address Translation) to translate the IP addresses on the private network to a single, assigned IP address. When thesecurity appliance is configured in Client Mode, you cannot ping or access any device from outside the private network. When configured in Easy VPN Network Extension Mode, the security appliance does not protect the IP addresses of local hosts by substituting a assigned IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network. Use the following guidelines when deciding whether to configure the security appliance in Easy VPN Client or Network Extension Mode: Use Client Mode if:

You want VPN connections to be initiated by client traffic You want the IP addresses of local hosts to be hidden from remote networks You are using DHCP on the ASA 5505 to provide IP addresses to local hosts. You want VPN connections to remain open even when not required for transmitting traffic. You want remote hosts to be able to communicate directly with hosts on the local network. Hosts on the local network have static IP addresses.

Use Network Extension Mode if:


Important Notes

ASA supports a maximum of 11 Easy VPN Servers: one primary and up to 10 secondary. In Easy VPN Client Mode, you use a DHCP server to generate dynamic IP addresses for hosts on the inside network. To use Easy VPN Client Mode, you must enable the DHCP server on the inside interface. Before you can connect the ASA Easy VPN remote device to the Easy VPN Server, you must establish network connectivity between both devices through your Internet service provider (ISP). After connecting your ASA to the DSL or cable modem, you should follow the instructions provided by your ISP to complete the network connection. Basically, there are three methods of obtaining an IP address when establishing connectivity to your ISP:
PPPoE client DHCP client Static IP address configuration

The Easy VPN Server controls the policy enforced on the ASA Easy VPN remote device. However, to establish the initial connection to the Easy VPN Server, you must complete some configuration locally. You can perform this configuration by following the steps in this Wizard or by using the command-line interface.
Fields

The Easy VPN Remote Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Enable Easy VPN remoteCheck this box to enable the ASA to act as an Easy VPN remote device. Enabling the ASA to act as an Easy VPN Remote allows you to choose the networks from which your ASA can be remotely managed. If you do not enable this feature, any host that has access to the ASA outside interface through a VPN tunnel can manage it remotely.

ASDM User Guide

3-26

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Mode area
Client ModeClick if you are using a DHCP server to generate dynamic IP addresses for hosts

on your inside network. Client Mode enables VPN connections by traffic, allowing resources to be only used on demand. The ASA applies Network Address Translation (NAT) to all IP addresses of clients connected to the inside (higher security) interface of the ASA.

Note

To use Client Mode, you must enable the DHCP server on the inside interface.

Network extensionClick if hosts on your inside network have static IP addresses.

In Network Extension Mode, IP addresses of clients on the inside interface are received without change at the Easy VPN Server, and VPN connections are kept open even when not required for transmitting traffic. This option does not apply NAT to any IP addresses of clients on the inside (higher security) interface of the ASA.

Group Settings area


Use X.509 CertificateClick to use X.509 certificates to allow IPSec Main Mode. Use the

drop-down list to select a trustpoint or to enter a trustpoint.


Use group passwordLets you enter a password for a group of users.

Group NameLets you enter a name for the user group. PasswordLets you enter a password for the user group. Confirm passwordRequires that you confirm the password.

User Settings area


UsernameLets you enter a username for your settings. PasswordLets you enter a password for your settings. Confirm PasswordRequires that you confirm the password for your settings.

Easy VPN Server areaUsing the ASA as an Easy VPN Server lets you configure your VPN policy in a single location on the ASA, and then push this configuration to multiple Easy VPN remote devices.
Primary serverLets you enter the IP address of the primary Easy VPN Server. Secondary serverLets you enter the IP address of a secondary Easy VPN Server.

Note

ASA supports a maximum of 11 Easy VPN Servers (one primary and up to 10 secondary).

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

3-27

Chapter 3 Startup Wizard

Using the Startup Wizard

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Management IP Address Configuration


Startup Wizard > Management IP Address Configuration

Note

This feature is available only in transparent mode.


Benefits

The Management IP Address Configuration screen lets you configure the management IP address of the host for this context.
Fields

The Management IP Address Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Management IP AddressThe IP address of the host that can access this context for management purposes using ASDM or a session protocol. Subnet MaskSubnet mask for the Management IP address.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

This feature is available in the main ASDM application screen: Configuration > Properties > Management IP

Other Interfaces Configuration


Startup Wizard > Other Interfaces Configuration
Benefits

The Other Interfaces Configuration screen lets you configure the remaining interfaces. You highlight a listed interface, select the Edit button, and configure it from the Edit screen.

ASDM User Guide

3-28

OL-10106-01

Chapter 3

Using the Startup Wizard Startup Wizard

Fields

The Other Interfaces Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

InterfaceDisplays the network interface on which the original host or network resides. NameDisplays the name of the interface being edited. Security LevelDisplays the security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. Enable traffic between two or more interfaces with same security levelsCheck this box if you assign the same security level to two or more interfaces, and want to enable traffic between the interfaces. Enable traffic between two or more hosts connected to the same interfaceCheck this box if you have an interface between two or more hosts and want to enable traffic between them. EditClick Edit to configure the interface in the Edit Interface dialog box.

Edit Interface
Startup Wizard > Other Interfaces Configuration >Edit Interface
Benefits

Use the Edit Interfaces to edit exisiting interfaces.


Fields

The Edit Interface dialog box displays the OK, Cancel, and Help buttons, in addition to the following:

InterfaceDisplays the name of the selected interface to edit. Interface NameDisplays the name of the selected interface, and lets you change the name of the interface. Security LevelDisplays the security level of the selected interface, or lets you select a security level for the interface. Either 0 for the outside network or 100 for the inside network. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default. If you change the security level of the interface to a lower level, a caution warning appears. IP Address area
Use PPPoECheck this box to use PPPoE to provide an authenticated method of assigning an

IP address to an outside interface. PPPoE provides a standard method of employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network.

Note

Because PPPoE is permitted on multiple interfaces, each instance of the PPPoE client may require different authentication levels with different usernames and passwords.

Use DHCPCheck this box to use ASA as a DHCP server to provide network configuration

parameters, including dynamically assigned IP addresses, to DHCP clients.


Uses the following IP addressCheck this box to input a specific IP address for an interface.

ASDM User Guide OL-10106-01

3-29

Chapter 3 Startup Wizard

Using the Startup Wizard

IP AddressLets you edit the IP address of the interface. Subnet MaskLets you edit the subnet mask by entering a new address or selecting an existing IP address from the drop-down list.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

This feature is available in the main ASDM application screen: Configuration > Interfaces

Startup Wizard Summary


Startup Wizard > Startup Wizard Summary
Benefits

The Startup Wizard Summary screen lets you submit all of the settings you made to the security appliance.

If you would like to change any of the settings you made, click Back. If you started the Startup Wizard directly from a browser, when you click Finish, the configuration created by the wizard is sent to the security appliance and saved to Flash memory. If you ran the Startup Wizard from within ASDM, you must explicitly save the configuration to Flash memory just like any other configuration changes.

Fields

The Startup Wizard Summary screen displays the Back, Finish, Cancel and Help buttons.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

3-30

OL-10106-01

C H A P T E R

Configuring Interfaces
This chapter describes how to configure each interface and subinterface for a name, security level, and IP address. In multiple context mode, you can configure hardware properties and create subinterfaces in the system execution space, while you configure the IP address, name, and security level in each context.

Note

To configure interfaces for the ASA 5505 adaptive security appliance, see Chapter 5, Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance. This chapter includes the following sections:

Security Level Overview, page 4-1 Configuring the Interfaces, page 4-2

Security Level Overview


Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100. While the outside network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You can assign interfaces to the same security level. The level controls the following behavior:

Network accessBy default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection enginesSome application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engineApplied only for outbound connections. SQL*Net inspection engineIf a control connection for the SQL*Net (formerly OraServ) port

exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

FilteringHTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.

ASDM User Guide OL-10106-01

4-1

Chapter 4 Configuring the Interfaces

Configuring Interfaces

NAT controlWhen you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established commandThis command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.

Configuring the Interfaces


By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Note

If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 12, Failover. to configure the failover and state links. For multiple context mode, follow these guidelines:

Configure the context interfaces from within each context. You can only configure context interfaces that you already assigned to the context in the system configuration. The system configuration only lets you configure Ethernet settings and VLANs. The exception is for failover interfaces; do not configure failover interfaces with this procedure. See the Failover chapter for more information. Interfaces (System), page 4-2 Interfaces (Single Mode and Context), page 4-5

This section includes the following topics:


Interfaces (System)
System > Configuration > Interfaces The Interfaces pane displays configured interfaces and subinterfaces. Before you can assign an interface to a security context (see the Configuring Security Contexts section on page 7-16), define the interface in this pane. Although the system configuration does not include any networking parameters for these interfaces, the system controls the allocation of interfaces to security contexts.

ASDM User Guide

4-2

OL-10106-01

Chapter 4

Configuring Interfaces Configuring the Interfaces

Fields

InterfaceDisplays the interface ID. All physical interfaces are listed automatically. Subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number. If you use failover, you need to assign a dedicated physical interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab. (You can use the same interface for failover and state traffic, but we recommend separate interfaces). To ensure that you can use an interface for failover, do not configure an interface name in the Interfaces pane. Other settings, including the IP address, are ignored; you set all relevant parameters in the Failover: Setup tab. You can use a subinterface for failover as long as you do not set a name for the physical interface or the subinterface. After you assign an interface as the failover link or state link, you cannot edit or delete the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

EnabledIndicates if the interface is enabled, Yes or No. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

VLANShows the VLAN assigned to a subinterface. Physical interfaces show native, meaning that the physical interface is untagged. DescriptionDisplays a description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. AddAdds a subinterface. EditEdits the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot edit the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex. DeleteDeletes the selected subinterface. You cannot delete physical interfaces or allocated interfaces in a context. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Interface
System > Configuration > Interfaces > Add/Edit Interface The Add Interface dialog box lets you add a subinterface. The Edit Interface dialog box lets you edit an interface or subinterface.

ASDM User Guide OL-10106-01

4-3

Chapter 4 Configuring the Interfaces

Configuring Interfaces

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
Fields

Hardware PortWhen you add a subinterface, you can choose any enabled physical interface to which you want to add a subinterface. If you do not see an interface ID, be sure that the interface is enabled. Configure Hardware PropertiesFor a physical interface, opens the Hardware Properties dialog box so you can set the speed and duplex. Enable InterfaceEnables this interface to pass traffic. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

VLAN IDFor a subinterface, sets the VLAN ID, between 1 and 4095. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration. Sub-interface IDSets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it. DescriptionSets an optional description up to 240 characters on a single line, without carriage returns. The system description is independent of the context description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Hardware Properties
System > Configuration > Interfaces > Edit Interface > Hardware Properties The Hardware Properties dialog box lets you set the speed and duplex of physical interfaces.

ASDM User Guide

4-4

OL-10106-01

Chapter 4

Configuring Interfaces Configuring the Interfaces

Fields

Hardware PortDisplay only. Displays the interface ID. Media TypeSets the media type to RJ45 or SFP. The default is RJ45. DuplexLists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type. SpeedLists the speed options for the interface. The speeds available depend on the interface type. For SFP interfaces, which are always 1000 Mbps, and you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Interfaces (Single Mode and Context)


Configuration > Interfaces The Interfaces pane displays configured interfaces and subinterfaces. You can add or delete subinterfaces (single mode only), and also enable communication between interfaces on the same security level or enable traffic to enter and exit the same interface. Transparent firewall mode allows only two interfaces to pass through traffic; however, if your platform includes a dedicated management interface, Management 0/0, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.
Benefits

This pane lets you enable communication between interfaces on the same security level. By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces provides the following benefits:

You can configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).

You want traffic to flow freely between all same security interfaces without access lists.

ASDM User Guide OL-10106-01

4-5

Chapter 4 Configuring the Interfaces

Configuring Interfaces

Fields

InterfaceDisplays the interface ID. All physical interfaces are listed automatically. Subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number. If you use failover, you need to assign a dedicated physical interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab. (You can use the same interface for failover and state traffic, but we recommend separate interfaces). To ensure that you can use an interface for failover, do not configure an interface name in the Interfaces pane. Other settings, including the IP address, are ignored; you set all relevant parameters in the Failover: Setup tab. You can use a subinterface for failover as long as you do not set a name for the physical interface or the subinterface. After you assign an interface as the failover link or state link, you cannot edit or delete the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex. For multiple context mode, the physical interfaces are listed only in the system configuration. When you allocate interfaces to a context, each allocated interface is listed automatically in the context.

NameDisplays the interface name. EnabledIndicates if the interface is enabled, Yes or No. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it. Security LevelDisplays the interface security level between 0 and 100. By default, the security level is 0. IP AddressDisplays the IP address, or in transparent mode, the word native. Transparent mode interfaces do not use IP addresses. To set the IP address for the context or the security appliance, see the Management IP pane. Subnet MaskFor routed mode only. Displays the subnet mask. Management OnlyIndicates if the interface allows traffic to the security appliance or for management purposes only. MTUDisplays the MTU. By default, the MTU is 1500. Active MAC AddressShows the active MAC address, if you assigned one manually on the Add/Edit Interface > Advanced tab. Standby MAC AddressShows the standby MAC address (for failover), if you assigned one manually. DescriptionDisplays a description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. AddAdds a subinterface. EditEdits the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot edit the interface in this pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex. DeleteDeletes the selected subinterface. You cannot delete physical interfaces or allocated interfaces in a context. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane.

ASDM User Guide

4-6

OL-10106-01

Chapter 4

Configuring Interfaces Configuring the Interfaces

Enable traffic between two or more interfaces which are configured with same security levelsEnables communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Enable traffic between two or more hosts connected to the same interfaceEnables traffic to enter and exit the same interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System1

1. For the system Interfaces pane, see the system Interfaces (System) pane.

Add/Edit Interface > General


Configuration > Interfaces > Add/Edit Interface > General The Add Interface > General tab lets you add a subinterface. The Edit Interface > General tab lets you edit an interface or subinterface. In multiple context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts section on page 7-16 to assign interfaces to contexts. If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
Fields

Hardware PortWhen you add a subinterface, you can choose any enabled physical interface to which you want to add a subinterface. If you do not see an interface ID, be sure that the interface is enabled. Configure Hardware PropertiesFor a physical interface, opens the Hardware Properties dialog box so that you can set the speed and duplex, and for some interfaces, the media type. For multiple context mode, you can only set physical properties in the system configuration. Enable InterfaceEnables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it. Dedicate this interface to management onlySets the interface to accept traffic to the security appliance only, and not through traffic.

ASDM User Guide OL-10106-01

4-7

Chapter 4 Configuring the Interfaces

Configuring Interfaces

VLAN IDFor a subinterface, sets the VLAN ID, between 1 and 4095. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration. Sub-interface IDSets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it. Interface NameSets an interface name up to 48 characters in length. Security LevelSets the security level between 0 (lowest) and 100 (highest).The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. IP AddressFor routed mode only. For multiple context mode, set the IP address in the context configuration.
Use Static IPManually sets the IP address.

IP addressSets the IP address. Subnet MaskSets the subnet mask.


Obtain Address via DHCPDynamically sets the IP address using DHCP.

Obtain Default Route Using DHCPObtains a default route from the DHCP server so that you do not need to configure a default static route. Renew DHCP LeaseRenews the DHCP lease. Retry CountSets the number of times between 4 and 16 that the security appliance resends a DHCP request if it does not receive a reply after the first attempt. The total number of attempts is the retry count plus the first attempt. For example, if you set the retry count to 4, the security appliance sends up to 5 DHCP requests. DHCP Learned Route MetricAssigns an administrative distance to the learned route. Valid values are from 1 to 255. If this field is left blank, the administrtive distance for the learned routes is 1. Enable trackingCheck this checkbox to enable route tracking for DHCP-learned routes.

Note

Route tracking is only available in single, routed mode.

Track IDA unique identifier for the route tracking process. Valid values are from 1 to 500. Track IP AddressEnter the IP address of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface. SLA IDA unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647. Monitor OptionsClick this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process.
Use PPPoEDynamically sets the IP address using PPPoE.

Note

PPPoE is not supported with failover, or in Multiple context mode and Transparent mode. PPPoE is only supported in Single-Routed mode without failover. Group NameSpecify a group name.

ASDM User Guide

4-8

OL-10106-01

Chapter 4

Configuring Interfaces Configuring the Interfaces

PPPoE UsernameSpecify the username provided by your ISP. PPPoE PasswordSpecify the password provided by your ISP. Confirm PasswordSpecify the password provided by your ISP. PPP AuthenticationSelect either PAP, CHAP, or MSCHAP. PAP passes cleartext username and password during authentication and is not secure. With CHAP, the client returns the encrypted [challenge plus password], with a cleartext username in response to the server challenge. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. MSCHAP also generates a key for data encryption by MPPE. Store Username and Password in Local FlashStores the username and password in a special location of NVRAM on the security appliance. If an Auto Update Server sends a clear config command to the security appliance and the connection is then interrupted, the security appliance can read the username and password from NVRAM and re-authenticate to the Access Concentrator. IP Address and Route Settingsdisplays the PPPoE IP Address and Route Settings dialog where you can choose addressing and tracking options.

DescriptionSets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System1

1. For the system Add/Edit Interfaces dialog box, see the system Add/Edit Interface dialog box.

Add/Edit Interface > Advanced


Configuration > Interfaces > Add/Edit Interface > Advanced The Add/Edit Interface > Advanced tab lets you set the MTU and MAC address of the interface.
Fields

MTUSets the MTU from 300 to 65,535 bytes. The default is 1500 bytes. For multiple context mode, set the MTU in the context configuration. Mac Address CloningManually assigns MAC addresses. By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

ASDM User Guide OL-10106-01

4-9

Chapter 4 Configuring the Interfaces

Configuring Interfaces

In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the How the Security Appliance Classifies Packets section on page 7-2 for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the Security Contexts section on page 7-16 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this option to override the generated address. For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
Active Mac AddressAssigns a MAC address to the interface in H.H.H format, where H is a

16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
Standby Mac AddressFor use with failover, set the Standby Mac Address. If the active unit

fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System1

1. For the system Add/Edit Interfaces dialog box, see the system Add/Edit Interface dialog box.

PPPoE IP Address and Route Settings


Configuration > Interfaces > Add/Edit Interface > General > PPPoE IP Address and Route Settings The PPPoE IP Address and Route Settings dialog lets you choose addressing and tracking options for PPPoE connections.
Fields

IP Address areaLets you choose between Obtaining an IP address using PPP or specifying an IP address, and contains the following fields:
Obtain IP Address using PPPSelect to enable the security appliance to use PPP to get an IP

address.
Specify an IP AddressSpecify an IP address and mask for the security appliance to use instead

of negotiating with the PPPoE server to assign an address dynamically.

Route Settings AreaLets you configure route and tracking settings and contains the following fields:

ASDM User Guide

4-10

OL-10106-01

Chapter 4

Configuring Interfaces Configuring the Interfaces

Obtain default route using PPPoESets the default routes when the PPPoE client has not yet

established a connection. When using this option, you cannot have a statically defined route in the configuration. PPPoE learned route metricAssigns an administrative distance to the learned route. Valid values are from 1 to 255. If this field is left blank, the administrtive distance for the learned routes is 1.
Enable trackingCheck this checkbox to enable route tracking for PPPoE-learned routes.

Note

Route tracking is only available in single, routed mode.

Primary TrackSelect this option to configure the primary PPPoE route tracking. Track IDA unique identifier for the route tracking process. Valid values are from 1 to 500. Track IP AddressEnter the IP address of the target being tracked. Typically, this would be the

IP address of the next hop gateway for the route, but it could be any network object available off of that interface.
SLA IDA unique identifier for the SLA monitoring process. Valid values are from 1 to

2147483647.
Monitor OptionsClick this button to open the Route Monitoring Options dialog box. In the

Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process.
Secondary TrackSelect this option to configure the secondary PPPoE route tracking. Secondary Track IDA unique identifier for the route tracking process. Valid values are from

1 to 500.

Hardware Properties
Configuration > Interfaces > Edit Interface > Hardware Properties The Hardware Properties dialog box lets you set the speed and duplex of physical interfaces, and for an interface SSM, the media type. In multiple context mode, configure these settings in the system configuration.
Fields

Hardware PortDisplay only. Displays the interface ID. MAC AddressDisplay only. Displays the Interface MAC address. Media TypeSets the media type to RJ45 or SFP. SFP is only available for SSM interfaces on the ASA 5500 series adaptive security appliance. The default is RJ45. DuplexLists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type. SpeedLists the speed options for the interface. The speeds available depend on the interface type. For SFP interfaces, which are always 1000 Mbps, and you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the

ASDM User Guide OL-10106-01

4-11

Chapter 4 Configuring the Interfaces

Configuring Interfaces

auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System1

1. For the system Hardware Properties dialog box, see the system Hardware Properties dialog box.

ASDM User Guide

4-12

OL-10106-01

C H A P T E R

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
This chapter describes how to configure the switch ports and VLAN interfaces of the ASA 5505 adaptive security appliance.

Note

To configure interfaces of other models, see Chapter 4, Configuring Interfaces. This chapter includes the following sections:

Interface Overview, page 5-13 Configuring VLAN Interfaces, page 5-17 Configuring Switch Ports, page 5-23

Interface Overview
This section describes the ports and interfaces of the ASA 5505 adaptive security appliance, and includes the following topics:

Understanding ASA 5505 Ports and Interfaces, page 5-14 Maximum Active VLAN Interfaces for Your License, page 5-14 Default Interface Configuration, page 5-15 VLAN MAC Addresses, page 5-16 Power Over Ethernet, page 5-16 Security Level Overview, page 5-16

ASDM User Guide OL-10106-01

5-13

Chapter 5 Interface Overview

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Understanding ASA 5505 Ports and Interfaces


The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:

Physical switch portsThe adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. See the Power Over Ethernet section on page 5-16 for more information. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch. Logical VLAN interfacesIn routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. See the Maximum Active VLAN Interfaces for Your License section for more information about the maximum VLAN interfaces. VLAN interfaces let you divide your equipment into separate home, business, and Internet VLANs.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.

Note

Subinterfaces are not available for the ASA 5505 adaptive security appliance.

Maximum Active VLAN Interfaces for Your License


In transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to five active VLANs with the Security Plus license. An active VLAN is a VLAN with a name configured. You can configure up to five inactive VLANs for either license, but if you make them active, be sure to follow the guidelines for your license. With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. See Figure 5-1 for an example network.

ASDM User Guide

5-14

OL-10106-01

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Interface Overview

Figure 5-1

ASA 5505 Adaptive Security Appliance with Base License

Internet

ASA 5505 with Base License

Home

Business

With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP. This backup interface does not pass through traffic unless the route through the primary interface fails.

Note

The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover. See Figure 5-2 for an example network.
Figure 5-2 ASA 5505 Adaptive Security Appliance with Security Plus License

Backup ISP

Primary ISP

ASA 5505 with Security Plus License

153364

DMZ

Failover ASA 5505

Failover Link

Inside

Default Interface Configuration


If your adaptive security appliance includes the default factory configuration, your interfaces are configured as follows:

153365

ASDM User Guide OL-10106-01

5-15

Chapter 5 Interface Overview

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

The outside interface (security level 0) is VLAN 2. Ethernet0/0 is assigned to VLAN 2 and is enabled. The VLAN 2 IP address is obtained from the DHCP server. The inside interface (security level 100) is VLAN 1 Ethernet 0/1 through Ethernet 0/7 are assigned to VLAN 1 and is enabled. VLAN 1 has IP address 192.168.1.1.

Restore the default factory configuration using File > Reset Device to the Factory Default Configuration. Use the procedures in this chapter to modify the default configuration, for example, to add additional VLAN interfaces. If you do not have a factory default configuration, all switch ports are in VLAN 1, but no other parameters are configured.

VLAN MAC Addresses


In routed firewall mode, all VLAN interfaces share a MAC address. Ensure that any connected switches can support this scenario. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated MAC addresses if desired by manually assigning MAC addresses.

Power Over Ethernet


Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you install a non-PoE device or do not connect to these switch ports, the adaptive security appliance does not supply power to the switch ports. If you shut down the switch port from the Edit Switch Port dialog box, you disable power to the device. Power is restored when you enter reenable it. To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af), use the show power inline command.

Security Level Overview


Each VLAN interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside business network, to level 100. While the outside network connected to the Internet can be level 0. Other networks, such as a home network can be in between. You can assign interfaces to the same security level. The level controls the following behavior:

Network accessBy default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface. For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

ASDM User Guide

5-16

OL-10106-01

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces

Inspection enginesSome application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
NetBIOS inspection engineApplied only for outbound connections. SQL*Net inspection engineIf a control connection for the SQL*Net (formerly OraServ) port

exists between a pair of hosts, then only an inbound data connection is permitted through the adaptive security appliance.

FilteringHTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level). For same security interfaces, you can filter traffic in either direction.

NAT controlWhen you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside). Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established commandThis command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host. For same security interfaces, you can configure established commands for both directions.

Configuring VLAN Interfaces


For information about how many VLANs you can configure, see the Maximum Active VLAN Interfaces for Your License section on page 5-14.

Note

If you are using failover, do not use this procedure to name interfaces that you are reserving for failover communications. See Chapter 12, Failover, to configure the failover link. If you enabled Easy VPN, you cannot add or delete VLAN interfaces, nor can you edit the security level or interface name. We suggest that you finalize your interface configuration before you enable Easy VPN. This section includes the following topics:

Interfaces > Interfaces, page 5-17 Add/Edit Interface > General, page 5-19 Add/Edit Interface > Advanced, page 5-22

Interfaces > Interfaces


Configuration > Interfaces > Interfaces The Interfaces tab displays configured VLAN interfaces. You can add or delete VLAN interfaces, and also enable communication between interfaces on the same security level or enable traffic to enter and exit the same interface. Transparent firewall mode allows only two interfaces to pass through traffic.

ASDM User Guide OL-10106-01

5-17

Chapter 5 Configuring VLAN Interfaces

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Benefits

This tab lets you enable communication between interfaces on the same security level. By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same security interfaces lets traffic flow freely between all same security interfaces without access lists.
Fields

NameDisplays the interface name. Switch PortsShows the switch ports assigned to this VLAN interface. EnabledIndicates if the interface is enabled, Yes or No. Security LevelDisplays the interface security level between 0 and 100. By default, the security level is 0. IP AddressDisplays the IP address, or in transparent mode, the word native. Transparent mode interfaces do not use IP addresses. To set the IP address for the context or the security appliance, see the Management IP pane. Subnet MaskFor routed mode only. Displays the subnet mask. Restrict Traffic FlowShows if this interface is restricted from initiating contact to another VLAN. With the Base license, you can only configure a third VLAN if you use this option to limit it. For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the Restrict Traffic Flow option on the home VLAN; the business network can access the home network, but the home network cannot access the business network. If you already have two VLAN interfaces configured with a name, be sure to enable the Restrict Traffic Flow option before you name the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.

Note

If you upgrade to the Security Plus license, you can remove this option and achieve full functionality for this interface. If you leave this option enabled, this interface continues to be limited even after upgrading.

Backup InterfaceShows the backup ISP interface for this interface. If this interface fails, the backup interface takes over. You can configure up to five VLANs with the Security Plus license. You can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP. (The failover VLAN is not configured in this pane; do not assign a name to the failover VLAN. See Chapter 12, Failover, to configure the failover link.) The backup link to the ISP must be identified by the Backup Interface option. The backup interface does not pass through traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface in case the primary fails, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails. For example, you can configure two default routes: one for the primary interface with a lower administrative distance, and one for the backup interface with a higher distance. To configure dual ISP support, see the Static Route Tracking section on page 14-30.

ASDM User Guide

5-18

OL-10106-01

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces

VLANShows the VLAN ID for this interface. Management OnlyIndicates if the interface allows traffic to the security appliance or for management purposes only. MTUDisplays the MTU. By default, the MTU is 1500. Active MAC AddressShows the active MAC address, if you assigned one manually on the Add/Edit Interface > Advanced tab. Standby MAC AddressShows the standby MAC address (for failover), if you assigned one manually. DescriptionDisplays a description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. AddAdds an interface. If you enabled Easy VPN, you cannot add VLAN interfaces. EditEdits the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot edit the interface in this pane. If you enabled Easy VPN, you cannot edit the security level or interface name. DeleteDeletes the selected interface. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane. If you enabled Easy VPN, you cannot delete VLAN interfaces. Enable traffic between two or more interfaces which are configured with same security levelsEnables communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Enable traffic between two or more hosts connected to the same interfaceEnables traffic to enter and exit the same interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Interface > General


Configuration > Interfaces > Add/Edit Interface > General The Add/Edit Interface > General tab lets you add or edit a VLAN interface. If you intend to use an interface for failover, do not configure the interface in this dialog box; instead, use the Failover: Setup tab. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. If you enabled Easy VPN, you cannot edit the security level or interface name. We suggest that you finalize your interface configuration before you enable Easy VPN.

ASDM User Guide OL-10106-01

5-19

Chapter 5 Configuring VLAN Interfaces

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces pane. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.
Fields

Switch PortsAssigns switch ports to this VLAN interface.


Available Switch PortsLists all switch ports, even if they are currently assigned to a different

interface.
Selected Switch PortsLists the switch ports assigned to this interface. AddAdds a selected switch port to the interface. You see the following message:

switchport is associated with name interface. Adding it to this interface, will remove it from name interface. Do you want to continue? Click OK to add the switch port. You will always see this message when adding a switch port to an interface; switch ports are assigned to the VLAN 1 interface by default even when you do not have any configuration.
RemoveRemoves a switch port from an interface. Because the default VLAN interface for

switch ports is VLAN 1, removing a switch port from an interface essentially just reassigns that switch port to VLAN 1.

Enable InterfaceEnables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. Dedicate this interface to management onlySets the interface to accept traffic to the security appliance only, and not through traffic. You cannot set a primary or backup ISP interface to be management only. Interface NameSets an interface name up to 48 characters in length. Security LevelSets the security level between 0 (lowest) and 100 (highest).The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces. IP AddressFor routed mode only, sets the IP address.
Use Static IPManually sets the IP address.

IP addressSets the IP address. Subnet MaskSets the subnet mask.


Obtain Address via DHCPDynamically sets the IP address using DHCP.

Obtain Default Route Using DHCPObtains a default route from the DHCP server so that you do not need to configure a default static route. Renew DHCP LeaseRenews the DHCP lease. Retry CountSets the number of times between 4 and 16 that the security appliance resends a DHCP request if it does not receive a reply after the first attempt. The total number of attempts is the retry count plus the first attempt. For example, if you set the retry count to 4, the security appliance sends up to 5 DHCP requests. DHCP Learned Route MetricAssigns an administrative distance to the learned route. Valid values are from 1 to 255. If this field is left blank, the administrtive distance for the learned routes is 1. Enable trackingCheck this checkbox to enable route tracking for DHCP-learned routes.

ASDM User Guide

5-20

OL-10106-01

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring VLAN Interfaces

Note

Route tracking is only available in single, routed mode.

Track IDA unique identifier for the route tracking process. Valid values are from 1 to 500. Track IP AddressEnter the IP address of the target being tracked. Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface. SLA IDA unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647. Monitor OptionsClick this button to open the Route Monitoring Options dialog box. In the Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process.
Use PPPoEDynamically sets the IP address using PPPoE.

Group NameSpecify a group name. PPPoE UsernameSpecify the username provided by your ISP. PPPoE PasswordSpecify the password provided by your ISP. Confirm PasswordSpecify the password provided by your ISP. PPP AuthenticationSelect either PAP, CHAP, or MSCHAP. PAP passes cleartext username and password during authentication and is not secure. With CHAP, the client returns the encrypted [challenge plus password], with a cleartext username in response to the server challenge. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. MSCHAP also generates a key for data encryption by MPPE. Store Username and Password in Local FlashStores the username and password in a special location of NVRAM on the security appliance. If an Auto Update Server sends a clear config command to the security appliance and the connection is then interrupted, the security appliance can read the username and password from NVRAM and re-authenticate to the Access Concentrator. IP Address and Route Settingsdisplays the PPPoE IP Address and Route Settings dialog where you can choose addressing and tracking options. See the PPPoE IP Address and Route Settings section on page 4-10.

DescriptionSets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

ASDM User Guide OL-10106-01

5-21

Chapter 5 Configuring VLAN Interfaces

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Interface > Advanced


Configuration > Interfaces > Add/Edit Interface > Advanced The Add/Edit Interface > Advanced tab lets you set the MTU, VLAN ID, MAC addresses, and other options.
Fields

MTUSets the MTU from 300 to 65,535 bytes. The default is 1500 bytes. For multiple context mode, set the MTU in the context configuration. VLAN IDSets the VLAN ID for this interface between 1 and 1001. If you do not want to assign the VLAN ID, ASDM assigns one for you randomly. Mac Address CloningManually assigns MAC addresses. By default in routed mode, all VLANs use the same MAC address. In transparent mode, the VLANs use unique MAC addresses. You might want to set unique VLANs or change the generated VLANs if your switch requires it, or for access control purposes.
Active Mac AddressAssigns a MAC address to the interface in H.H.H format, where H is a

16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
Standby Mac AddressFor use with failover, set the Standby Mac Address. If the active unit

fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Block TrafficRestrict this VLAN interface from initiating contact to another VLAN. With the Base license, you can only configure a third VLAN if you use this option to limit it. For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the Restrict Traffic Flow option on the home VLAN; the business network can access the home network, but the home network cannot access the business network. If you already have two VLAN interfaces configured with a name, be sure to enable the Restrict Traffic Flow option before you name the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance and will not allow you to configure one.

Note

If you upgrade to the Security Plus license, you can remove this option and achieve full functionality for this interface. If you leave this option enabled, this interface continues to be limited even after upgrading.

ASDM User Guide

5-22

OL-10106-01

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports

Block Traffic from this Interface toChoose a VLAN ID in the list.

Select Backup InterfaceShows the backup ISP interface for this interface. If this interface fails, the backup interface takes over. You can configure up to five VLANs with the Security Plus license. You can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP. (The failover VLAN is not configured in this pane; do not assign a name to the failover VLAN. See Chapter 12, Failover, to configure the failover link.) The backup link to the ISP must be identified by the Backup Interface option. The backup interface does not pass through traffic unless the default route through the primary interface fails. If you already have three active VLAN interfaces, and want to add a fourth backup interface, you can add the backup interface VLAN, but do not specify a name for it. Then edit the primary interface, and specify the new VLAN in this tab. Return to editing the backup VLAN, and assign a name to it. To ensure that traffic can pass over the backup interface in case the primary fails, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails. For example, you can configure two default routes: one for the primary interface with a lower administrative distance, and one for the backup interface with a higher distance. To configure dual ISP support, see the Static Route Tracking section on page 14-30.
Backup InterfaceChoose a VLAN ID in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Configuring Switch Ports


This section describes how to configure switch ports, and includes the following topics:

Interfaces > Switch Ports, page 5-23 Edit Switch Port, page 5-24

Caution

The ASA 5505 adaptive security appliance does not support Spanning Tree Protocol for loop detection in the network. Therefore you must ensure that any connection with the adaptive security appliance does not end up in a network loop.

Interfaces > Switch Ports


Configuration > Interfaces > Switch Ports The Switch Ports tab displays the switch port parameters.

ASDM User Guide OL-10106-01

5-23

Chapter 5 Configuring Switch Ports

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Fields

Switch PortLists the switch ports in the security appliance. EnabledShows if the switch port is enabled, Yes or No. Associated VLANsLists the VLAN interfaces to which the switch port is assigned. A trunk switch port can be associated with multiple VLANs. Associated Interface NamesLists the VLAN interface names. ModeThe mode, Access or Trunk. Access ports can be assigned to one VLAN. Trunk ports can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. You can only include one trunk port on the security appliance. ProtectedShows if this switch port is protected, Yes or No. This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other. EditEdits the switch port.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit Switch Port


Configuration > Interfaces > Switch Ports > Edit Switch Port > The Edit Switch Port dialog box lets you configure the mode, assign a switch port to a VLAN, and set the Protected option.
Fields

Switch PortDisplay only. Shows the selected switch port ID. Enable Switch PortEnables this switch port. Mode and VLAN IDsSets the mode and the assigned VLANs.
Access VLAN IDSets the mode to access mode. Enter the VLAN ID to which you want to

assign this switch port. By default, the VLAN ID is derived from the VLAN interface configuration in Interfaces > Interfaces. You can change the VLAN assignment in this dialog box. Be sure to apply the change to update the Interfaces > Interfaces tab with the new information. If you want to specify a VLAN that has not yet been added, we suggest you add

ASDM User Guide

5-24

OL-10106-01

Chapter 5

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance Configuring Switch Ports

the VLAN from the Interfaces > Interfaces tab and specify the switch port in the Add/Edit Interface > General tab rather than specifying it in this dialog box; in either case, you need to add the VLAN on the Interfaces > Interfaces tab and assign the switch port to it.
Trunk VLAN IDsSets the mode to trunk mode using 802.1Q tagging. Trunk mode is available

only with the Security Plus license. You can configure only one trunk port. Enter the VLAN IDs to which you want to assign this switch port, separated by commas. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag specified in this command. If the VLANs are already in your configuration, after you apply the change, the Interfaces > Interfaces tab shows this switch port added to each VLAN. If you want to specify a VLAN that has not yet been added, we suggest you add the VLAN from the Interfaces > Interfaces tab and specify the switch port in the Add/Edit Interface > General tab rather than specifying it in this dialog box; in either case, you need to add the VLAN on the Interfaces > Interfaces tab and assign the switch port to it.

IsolatedThis option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.
IsolatedSets this switch port as a protected port.

DuplexLists the duplex options for the interface, including Full, Half, or Auto. The Auto setting is the default. If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power. SpeedThe Auto setting is the default. If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power. The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

5-25

Chapter 5 Configuring Switch Ports

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

ASDM User Guide

5-26

OL-10106-01

C H A P T E R

Global Objects
The Global Objects pane provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. For example, once you define the hosts and networks that are covered by your security policy, you can select the host or network to which a feature applies, instead of having to redefine it every time. This saves time and ensures consistency and accuracy of your security policy. When you need to add or delete a host or network, you can use the Global Objects pane to change it in a single place. This chapter includes the following sections:

Configuring Network Object Groups, page 6-1 Configuring IP Names, page 6-4 Configuring Service Groups, page 6-5 Configuring Class Maps, page 6-8 Configuring Inspect Maps, page 6-30 Configuring Regular Expressions, page 6-104 TCP Maps, page 6-110 Configuring Time Ranges, page 6-112

Configuring Network Object Groups


This section describes how to configure network object groups, and includes the following topics:

Network Object Groups, page 6-1 Add/Edit Network Object Group, page 6-2 Browse Address, page 6-3

Network Object Groups


Configuration > Global Objects > Network Object Groups The Network Object Groups pane lets you define network object groups. Network object groups let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access list or a AAA rule, you can choose these predefined addresses instead of typing them in manually. Grouping together multiple hosts and networks lets you easily apply a rule to a group of addresses.

ASDM User Guide OL-10106-01

6-1

Chapter 6 Configuring Network Object Groups

Global Objects

A network object group consists of one or more IP address objects. An IP address object is either a host or subnet. You can add IP address objects manually when you create the network object group, or you can add IP address objects to the group that are derived from other configuration, such as access rules and AAA rules. Multiple network object groups can be nested into a group of groups and used as a single group. You can use a network object group for most configurations that require you to identify an IP address or network. When you are configuring NAT or security policy rules, the ASDM window even includes a side pane at the right that shows available IP address objects, network object groups, and other global objects; you can add, edit, or delete objects directly in the side pane.
Fields

AddAdds a network object group. EditEdits a network object group. DeleteDeletes a network object group. When a network object group is deleted, it is removed from all network object groups where it is used. If a network object group is used in an access rule, do not remove it. A network object group used in an access rule cannot be made empty. FindFilters the display to show only matching network object groups and IP addresses. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter fieldEnter the name or IP address included in the network object group. The wildcard

characters asterisk (*) and question mark (?) are allowed.


FilterRuns the filter. ClearClears the Filter field.

NameShows the name of the network object group. Click the plus (+) icon next to the name to expand the object group so you can view the IP addresses. Click the minus (-) icon to collapse the network object group. IP AddressWhen the network object group is expanded, shows the IP addresses. NetmaskWhen the network object group is expanded, shows the subnet masks. DescriptionShows the description of the network object group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Network Object Group


Configuration > Global Objects > Network Object Groups > Add/Edit Network Object Group The Add/Edit Network Object Group lets you assign IP addresses or existing network object groups to a network object group.

ASDM User Guide

6-2

OL-10106-01

Chapter 6

Global Objects Configuring Network Object Groups

Fields

Group NameEnter the group name, up to 64 characters in length. The name must be unique for all object groups. A network object group name cannot share a name with a service group. DescriptionEnter a description of this network object group, up to 200 characters in length. Members Not in GroupLets you assign IP addresses and network object groups to the current network object group.
Existing AddressLets you choose from already defined IP address objects and network object

groups. Existing IP address objects are derived from other configuration, such as access rules and AAA rules. NameLists the already defined IP addresses and network object groups.
New AddressLets you add a new IP address.

IP AddressEnter an IP address. NetmaskEnter the subnet mask for the IP address.


Members in GroupShows IP addresses and network object groups that are already added to the network object group. AddAdds the selected IP address to the network object group. RemoveRemoves the selected IP address from the network object group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Browse Address
(Various) The Browse Address dialog box lets you choose an IP address object, IP name, or network object group. This dialog box is used in multiple configuration screens and is named appropriately for your current task. For example, from the Add/Edit Access Rule dialog box, this dialog box is named Browse Source Address or Browse Destination Address.
Fields

AddAdds a network object group or IP name. EditEdits the selected network object group or IP name. DeleteDeletes the selected network object group or IP name. FindFilters the display to show only matching names or IP addresses. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter fieldEnter the name or IP address included in the network object group. The wildcard

characters asterisk (*) and question mark (?) are allowed.

ASDM User Guide OL-10106-01

6-3

Chapter 6 Configuring IP Names

Global Objects

FilterRuns the filter. ClearClears the Filter field.

TypeLets you choose the type of object to show, including IP Address Objects, IP Names, or Network Object Groups. To view all objects, choose All. NameShows the name of the object. In the case of IP address objects, the IP address is used as the name. The exception is for the any IP address object. Click the plus (+) icon next to the name of an item to expand it. Click the minus (-) icon to collapse the item. IP AddressShows the IP addresses. NetmaskShows the subnet masks. DescriptionShows the description.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring IP Names
This section describes how to associate a host IP address with a name, and includes the following topics:

IP Names, page 6-4 Add/Edit IP Name, page 6-5

IP Names
Configuration > Global Objects > IP Names ASDM lets you associate a host IP address with a name, so you can use the name in your configuration instead of the IP address. You can update the IP address at any time and not disrupt your configuration. Many features on the security appliance do not support DNS, so this feature accomplishes a similar goal.
Fields

AddAdds an IP name. EditEdits an IP name. DeleteDeletes an IP name. FindFilters the display to show only matching names or IP addresses. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter fieldEnter the name or IP address. The wildcard characters asterisk (*) and question

mark (?) are allowed.


FilterRuns the filter.

ASDM User Guide

6-4

OL-10106-01

Chapter 6

Global Objects Configuring Service Groups

ClearClears the Filter field.

NameShows the names. IP AddressShows the IP addresses. DescriptionShows the description.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit IP Name
Configuration > Global Objects > IP Names > Add IP Name The Add/Edit IP Name dialog box lets you associate an IP address with a name.
Fields

NameEnter the name to associate with the IP address. Use characters a to z, A to Z, 0 to 9, a dash, and an underscore. The name must be 63 characters or less. Also, the name cannot start with a number. IP AddressEnter the IP address. DescriptionEnter a description up to 200 characters in length.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring Service Groups


This section describes how to configure service groups, and includes the following topics:

Service Groups, page 6-6 Add/Edit Service Group, page 6-7 Browse Service Groups, page 6-7

ASDM User Guide OL-10106-01

6-5

Chapter 6 Configuring Service Groups

Global Objects

Service Groups
Configuration > Global Objects > Service Groups The Service Groups pane lets you associate multiple services into a named group. You can create service groups for each of the following types:

TCP ports UDP ports TCP-UDP ports ICMP types IP protocols

Multiple service groups can be nested into a group of groups and used as a single group. You can use a service group for most configurations that require you to identify a port, ICMP type, or protocol. When you are configuring NAT or security policy rules, the ASDM window even includes a side pane at the right that shows available service groups and other global objects; you can add, edit, or delete objects directly in the side pane.
Fields

AddAdds a service group. Choose the type of service groups you want to add from the drop-down list. EditEdits a service group. DeleteDeletes a service group. When a service group is deleted, it is removed from all service groups where it is used. If a service group is used in an access rule, do not remove it. A service group used in an access rule cannot be made empty. FindFilters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter fieldEnter the name of the service group. The wildcard characters asterisk (*) and

question mark (?) are allowed.


FilterRuns the filter. ClearClears the Filter field.

TypeLets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all service groups, choose All. NameLists the service group names. Click the plus (+) icon next to the name to expand the service group so you can view the services. Click the minus (-) icon to collapse the service group. DescriptionLists the service group descriptions.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

6-6

OL-10106-01

Chapter 6

Global Objects Configuring Service Groups

Add/Edit Service Group


Configuration > Global Objects > Service Groups > Add/Edit Service Group The Add/Edit Service Group dialog box lets you assign services to a service group. This dialog box name matches the type of service group you are adding; for example, if you are adding a TCP service group, the name is Add/Edit TCP Service Group.
Fields

Group NameEnter the group name, up to 64 characters in length. The name must be unique for all object groups. A service group name cannot share a name with a network object group. DescriptionEnter a description of this service group, up to 200 characters in length. Members Not in GroupIdentifies items that can be added to the service group.
Service/Service Group, ICMP Type/ICMP Group, or Protocol/Protocol GroupThe title of this

table depends on the type of service group you are adding. Choose from already defined service groups, or choose from a list of commonly used port, type, or protocol names. NameLists the already defined service groups and commonly used ports, types, or protocols.
Port #, ICMP #, or Protocol #The title of this table depends on the type of service group you

are adding. Lets you add a new item, either by number or name. For TCP, UDP, and TCP-UDP service groups, you can enter a range of ports numbers.

Members in GroupShows items that are already added to the service group. AddAdds the selected item to the service group. RemoveRemoves the selected item from the service group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Browse Service Groups


(Various) The Browse Service Groups dialog box lets you choose a service group. This dialog box is used in multiple configuration screens and is named appropriately for your current task. For example, from the Add/Edit Access Rule dialog box, this dialog box is named Browse Source Port or Browse Destination Port.
Fields

AddAdds a service group. EditEdits the selected service group. DeleteDeletes the selected service group.

ASDM User Guide OL-10106-01

6-7

Chapter 6 Configuring Class Maps

Global Objects

FindFilters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter fieldEnter the name of the service group. The wildcard characters asterisk (*) and

question mark (?) are allowed.


FilterRuns the filter. ClearClears the Filter field.

TypeLets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all types, choose All. Typically, the type of rule you configure can only use one type of service group; you cannot select a UDP service group for a TCP access rule. NameShows the name of the service group. Click the plus (+) icon next to the name of an item to expand it. Click the minus (-) icon to collapse the item.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring Class Maps


An inspection class map matches application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP. This section describes how to configure inspection class maps, and includes the following topics:

DNS Class Map, page 6-8 FTP Class Map, page 6-13 H.323 Class Map, page 6-16 HTTP Class Map, page 6-18 IM Class Map, page 6-23 SIP Class Map, page 6-26

DNS Class Map


Configuration > Global Objects > Class Maps > DNS The DNS Class Map panel lets you configure DNS class maps for DNS inspection.

ASDM User Guide

6-8

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

NameShows the DNS class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the DNS class map. ValueShows the value to match in the DNS class map.

DescriptionShows the description of the class map. AddAdds match conditions for the DNS class map. EditEdits match conditions for the DNS class map. DeleteDeletes match conditions for the DNS class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit DNS Traffic Class Map


Configuration > Global Objects > Class Maps > DNS > Add/Edit DNS Traffic Class Map The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.
Fields

NameEnter the name of the DNS class map, up to 40 characters in length. DescriptionEnter the description of the DNS class map. AddAdds a DNS class map. EditEdits a DNS class map. DeleteDeletes a DNS class map.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

6-9

Chapter 6 Configuring Class Maps

Global Objects

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit DNS Match Criterion


Configuration > Global Objects > Class Maps > DNS > Add/Edit DNS Traffic Class Map > Add/Edit DNS Match Criterion The Add/Edit DNS Match Criterion dialog box lets you define the match criterion and value for the DNS class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of DNS traffic to match.


Header FlagMatch a DNS flag in the header. TypeMatch a DNS query or resource record type. ClassMatch a DNS query or resource record class. QuestionMatch a DNS question. Resource RecordMatch a DNS resource record. Domain NameMatch a domain name from a DNS query or resource record.

Header Flag Criterion ValuesSpecifies the value details for the DNS header flag match.
Match OptionSpecifies either an exact match or match all bits (bit mask match). Match ValueSpecifies to match either the header flag name or the header flag value.

Header Flag NameLets you select one or more header flag names to match, including AA (authoritative answer), QR (query), RA (recursion available), RD (recursion denied), TC (truncation) flag bits. Header Flag ValueLets you enter an arbitrary 16-bit value in hex to match.

Type Criterion ValuesSpecifies the value details for the DNS type match.
DNS Type Field NameLists the DNS types to select.

AIPv4 address NSAuthoritative name server CNAMECanonical name SOAStart of a zone of authority TSIGTransaction signature IXFRIncremental (zone) transfer

ASDM User Guide

6-10

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

AXFRFull (zone) transfer


DNS Type Field ValueSpecifies to match either a DNS type field value or a DNS type field

range. ValueLets you enter an arbitrary value between 0 and 65535 to match. RangeLets you enter a range match. Both values between 0 and 65535.

Class Criterion ValuesSpecifies the value details for the DNS class match.
DNS Class Field NameSpecifies to match on internet, the DNS class field name. DNS Class Field ValueSpecifies to match either a DNS class field value or a DNS class field

range. ValueLets you enter an arbitrary value between 0 and 65535 to match. RangeLets you enter a range match. Both values between 0 and 65535.

Question Criterion ValuesSpecifies to match on the DNS question section. Resource Record Criterion ValuesSpecifies to match on the DNS resource record section.
Resource Record Lists the sections to match.

AdditionalDNS additional resource record AnswerDNS answer resource record AuthorityDNS authority resource record

Domain Name Criterion ValuesSpecifies to match on the DNS domain name.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Manage Regular Expressions


Configuration > Global Objects > Class Maps > DNS > Add/Edit DNS Traffic Class Map > Add/Edit DNS Match Criterion > Manage Regular Expressions The Manage Regular Expressions dialog box lets you configure Regular Expressions for use in pattern matching. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.

ASDM User Guide OL-10106-01

6-11

Chapter 6 Configuring Class Maps

Global Objects

Fields

NameShows the regular expression names. ValueShows the regular expression definitions. AddAdds a regular expression. EditEdits a regular expression. DeleteDeletes a regular expression.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Manage Regular Expression Class Maps


Configuration > Global Objects > Class Maps > DNS > Add/Edit DNS Traffic Class Map > Add/Edit DNS Match Criterion > Manage Regular Expression Class Maps The Manage Regular Expression Class Maps dialog box lets you configure regular expression class maps. See Regular Expressions for more information.
Fields

NameShows the regular expression class map name. Match ConditionsShows the match type and regular expressions in the class map.
Match TypeShows the match type, which for regular expressions is always a positive match

type (shown by the icon with the equal sign (=)) the criteria. (Inspection class maps allow you to create negative matches as well (shown by the icon with the red circle)). If more than one regular expression is in the class map, then each match type icon appears with OR next it, to indicate that this class map is a match any class map; traffic matches the class map if only one regular expression is matched.
Regular ExpressionLists the regular expressions included in each class map.

DescriptionShows the description of the class map. AddAdds a regular expression class map. EditEdits a regular expression class map. DeleteDeletes a regular expression class map.

ASDM User Guide

6-12

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

FTP Class Map


Configuration > Global Objects > Class Maps > FTP The FTP Class Map panel lets you configure FTP class maps for FTP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

NameShows the FTP class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the FTP class map. ValueShows the value to match in the FTP class map.

DescriptionShows the description of the class map. AddAdds an FTP class map. EditEdits an FTP class map. DeleteDeletes an FTP class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit FTP Traffic Class Map


Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map The Add/Edit FTP Traffic Class Map dialog box lets you define a FTP class map.

ASDM User Guide OL-10106-01

6-13

Chapter 6 Configuring Class Maps

Global Objects

Fields

NameEnter the name of the FTP class map, up to 40 characters in length. DescriptionEnter the description of the FTP class map. AddAdds an FTP class map. EditEdits an FTP class map. DeleteDeletes an FTP class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit FTP Match Criterion


Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > Add/Edit FTP Match Criterion The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of FTP traffic to match.


Request-CommandMatch an FTP request command. File NameMatch a filename for FTP transfer. File TypeMatch a file type for FTP transfer. ServerMatch an FTP server. User NameMatch an FTP user.

Request-Command Criterion ValuesSpecifies the value details for the FTP request command match.
Request CommandLets you select one or more request commands to match.

APPEAppend to a file. CDUPChange to the parent of the current directory. DELEDelete a file at the server site. GETFTP client command for the retr (retrieve a file) command. HELPHelp information from the server.

ASDM User Guide

6-14

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

MKDCreate a directory. PUTFTP client command for the stor (store a file) command. RMDRemove a directory. RNFRRename from. RNTORename to. SITESpecify a server specific command. STOUStore a file with a unique name.

File Name Criterion ValuesSpecifies to match on the FTP transfer filename.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

File Type Criterion ValuesSpecifies to match on the FTP transfer file type.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Server Criterion ValuesSpecifies to match on the FTP server.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

User Name Criterion ValuesSpecifies to match on the FTP user.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

6-15

Chapter 6 Configuring Class Maps

Global Objects

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

H.323 Class Map


Configuration > Global Objects > Class Maps > H.323 The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

NameShows the H.323 class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the H.323 class map. ValueShows the value to match in the H.323 class map.

DescriptionShows the description of the class map. AddAdds an H.323 class map. EditEdits an H.323 class map. DeleteDeletes an H.323 class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit H.323 Traffic Class Map


Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map The Add/Edit H.323 Traffic Class Map dialog box lets you define a H.323 class map.

ASDM User Guide

6-16

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

Fields

NameEnter the name of the H.323 class map, up to 40 characters in length. DescriptionEnter the description of the H.323 class map. AddAdds an H.323 class map. EditEdits an H.323 class map. DeleteDeletes an H.323 class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit H.323 Match Criterion


Configuration > Global Objects > Class Maps > H.323 > Add/Edit H.323 Traffic Class Map > Add/Edit H.323 Match Criterion The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of H.323 traffic to match.


Called PartyMatch the called party. Calling PartyMatch the calling party. Media TypeMatch the media type.

Called Party Criterion ValuesSpecifies to match on the H.323 called party.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Calling Party Criterion ValuesSpecifies to match on the H.323 calling party.


Regular ExpressionLists the defined regular expressions to match.

ASDM User Guide OL-10106-01

6-17

Chapter 6 Configuring Class Maps

Global Objects

ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Media Type Criterion ValuesSpecifies which media type to match.


AudioMatch audio type. VideoMatch video type. DataMatch data type.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

HTTP Class Map


Configuration > Global Objects > Class Maps > HTTP The HTTP Class Map panel lets you configure HTTP class maps for HTTP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

NameShows the HTTP class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the HTTP class map. ValueShows the value to match in the HTTP class map.

DescriptionShows the description of the class map. AddAdds an HTTP class map. EditEdits an HTTP class map. DeleteDeletes an HTTP class map.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

6-18

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit HTTP Traffic Class Map


Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map The Add/Edit HTTP Traffic Class Map dialog box lets you define a HTTP class map.
Fields

NameEnter the name of the HTTP class map, up to 40 characters in length. DescriptionEnter the description of the HTTP class map. AddAdds an HTTP class map. EditEdits an HTTP class map. DeleteDeletes an HTTP class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit HTTP Match Criterion


Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map > Add/Edit HTTP Match Criterion The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of HTTP traffic to match.


Request/Response Content Type MismatchSpecifies that the content type in the response

must match one of the MIME types in the accept field of the request.
Request ArgumentsApplies the regular expression match to the arguments of the request.

ASDM User Guide OL-10106-01

6-19

Chapter 6 Configuring Class Maps

Global Objects

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Body LengthApplies the regular expression match to the body of the request with

field length greater than the bytes specified. Greater Than LengthEnter a field length value in bytes that request field lengths will be matched against.
Request BodyApplies the regular expression match to the body of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Header Field CountApplies the regular expression match to the header of the request

with a maximum number of header fields. PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than CountEnter the maximum number of header fields.
Request Header Field LengthApplies the regular expression match to the header of the

request with field length greater than the bytes specified. PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than LengthEnter a field length value in bytes that request field lengths will be matched against.
Request Header FieldApplies the regular expression match to the header of the request.

ASDM User Guide

6-20

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Header CountApplies the regular expression match to the header of the request with

a maximum number of headers. Greater Than CountEnter the maximum number of headers.
Request Header LengthApplies the regular expression match to the header of the request with

length greater than the bytes specified. Greater Than LengthEnter a header length value in bytes.
Request Header non-ASCIIMatches non-ASCII characters in the header of the request. Request MethodApplies the regular expression match to the method of the request.

MethodSpecifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe. Regular ExpressionSpecifies to match on a regular expression. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request URI LengthApplies the regular expression match to the URI of the request with

length greater than the bytes specified. Greater Than LengthEnter a URI length value in bytes.
Request URIApplies the regular expression match to the URI of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Response BodyApplies the regex match to the body of the response.

ASDM User Guide OL-10106-01

6-21

Chapter 6 Configuring Class Maps

Global Objects

ActiveXSpecifies to match on ActiveX. Java AppletSpecifies to match on a Java Applet. Regular ExpressionSpecifies to match on a regular expression. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Response Body LengthApplies the regular expression match to the body of the response with

field length greater than the bytes specified. Greater Than LengthEnter a field length value in bytes that response field lengths will be matched against.
Response Header Field CountApplies the regular expression match to the header of the

response with a maximum number of header fields. PredefinedSpecifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than CountEnter the maximum number of header fields.
Response Header Field LengthApplies the regular expression match to the header of the

response with field length greater than the bytes specified. PredefinedSpecifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than LengthEnter a field length value in bytes that response field lengths will be matched against.
Response Header FieldApplies the regular expression match to the header of the response.

PredefinedSpecifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular ExpressionLists the defined regular expressions to match.

ASDM User Guide

6-22

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Response Header CountApplies the regular expression match to the header of the response

with a maximum number of headers. Greater Than CountEnter the maximum number of headers.
Response Header LengthApplies the regular expression match to the header of the response

with length greater than the bytes specified. Greater Than LengthEnter a header length value in bytes.
Response Header non-ASCIIMatches non-ASCII characters in the header of the response. Response Status LineApplies the regular expression match to the status line.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IM Class Map
Configuration > Global Objects > Class Maps > Instant Messaging (IM) The IM Class Map panel lets you configure IM class maps for IM inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields

NameShows the IM class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match.

ASDM User Guide OL-10106-01

6-23

Chapter 6 Configuring Class Maps

Global Objects

CriterionShows the criterion of the IM class map. ValueShows the value to match in the IM class map.

DescriptionShows the description of the class map. AddAdds an IM class map. EditEdits an IM class map. DeleteDeletes an IM class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit IM Traffic Class Map


Configuration > Global Objects > Class Maps > IM > Add/Edit IM Traffic Class Map The Add/Edit IM Traffic Class Map dialog box lets you define a IM class map.
Fields

NameEnter the name of the IM class map, up to 40 characters in length. DescriptionEnter the description of the IM class map. AddAdds an IM class map. EditEdits an IM class map. DeleteDeletes an IM class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit IM Match Criterion


Configuration > Global Objects > Class Maps > IM > Add/Edit IM Traffic Class Map > Add/Edit IM Match Criterion The Add/Edit IM Match Criterion dialog box lets you define the match criterion and value for the IM class map.

ASDM User Guide

6-24

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of IM traffic to match.


ProtocolMatch IM protocols. ServiceMatch IM services. VersionMatch IM file transfer service version. Client Login NameMatch client login name from IM service. Client Peer Login NameMatch client peer login name from IM service. Source IP AddressMatch source IP address. Destination IP AddressMatch destination IP address. FilenameMatch filename form IM file transfer service.

Protocol Criterion ValuesSpecifies which IM protocols to match.


Yahoo! MessengerSpecifies to match Yahoo! Messenger instant messages. MSN MessengerSpecifies to match MSN Messenger instant messages.

Service Criterion ValuesSpecifies which IM services to match.


ChatSpecifies to match IM message chat service. ConferenceSpecifies to match IM conference service. File TransferSpecifies to match IM file transfer service. GamesSpecifies to match IM gaming service. Voice ChatSpecifies to match IM voice chat service (not available for Yahoo IM) Web CamSpecifies to match IM webcam service.

Version Criterion ValuesSpecifies to match the version from the IM file transfer service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Client Login Name Criterion ValuesSpecifies to match the client login name from the IM service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

ASDM User Guide OL-10106-01

6-25

Chapter 6 Configuring Class Maps

Global Objects

Client Peer Login Name Criterion ValuesSpecifies to match the client peer login name from the IM service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Source IP Address Criterion ValuesSpecifies to match the source IP address of the IM service.
IP AddressEnter the source IP address of the IM service. IP MaskMask of the source IP address.

Destination IP Address Criterion ValuesSpecifies to match the destination IP address of the IM service.
IP AddressEnter the destination IP address of the IM service. IP MaskMask of the destination IP address.

Filename Criterion ValuesSpecifies to match the filename from the IM file transfer service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SIP Class Map


Configuration > Global Objects > Class Maps > SIP The SIP Class Map panel lets you configure SIP class maps for SIP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

ASDM User Guide

6-26

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

Fields

NameShows the SIP class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the SIP class map. ValueShows the value to match in the SIP class map.

DescriptionShows the description of the class map. AddAdds a SIP class map. EditEdits a SIP class map. DeleteDeletes a SIP class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit SIP Traffic Class Map


Configuration > Global Objects > Class Maps > SIP > Add/Edit SIP Traffic Class Map The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.
Fields

NameEnter the name of the SIP class map, up to 40 characters in length. DescriptionEnter the description of the SIP class map. AddAdds a SIP class map. EditEdits a SIP class map. DeleteDeletes a SIP class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-27

Chapter 6 Configuring Class Maps

Global Objects

Add/Edit SIP Match Criterion


Configuration > Global Objects > Class Maps > SIP > Add/Edit SIP Traffic Class Map > Add/Edit SIP Match Criterion The Add/Edit SIP Match Criterion dialog box lets you define the match criterion and value for the SIP class map.
Fields

Match TypeSpecifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of SIP traffic to match.


Called PartyMatch the called party as specified in the To header. Calling PartyMatch the calling party as specified in the From header. Content LengthMatch the Content Length header, between 0 and 65536. Content TypeMatch the Content Type header. IM SubscriberMatch the SIP IM subscriber. Message PathMatch the SIP Via header. Request MethodMatch the SIP request method. Third-Party RegistrationMatch the requester of a third-party registration. URI LengthMatch a URI in the SIP headers, between 0 and 65536.

Called Party Criterion ValuesSpecifies to match the called party. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Calling Party Criterion ValuesSpecifies to match the calling party. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Content Length Criterion ValuesSpecifies to match a SIP content header of a length greater than specified.
Greater Than LengthEnter a header length value in bytes.

Content Type Criterion ValuesSpecifies to match a SIP content header type.

ASDM User Guide

6-28

OL-10106-01

Chapter 6

Global Objects Configuring Class Maps

SDPMatch an SDP SIP content header type. Regular ExpressionMatch a regular expression.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

IM Subscriber Criterion ValuesSpecifies to match the IM subscriber. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Message Path Criterion ValuesSpecifies to match a SIP Via header. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Request Method Criterion ValuesSpecifies to match a SIP request method.


Request MethodSpecifies a request method: ack, bye, cancel, info, invite, message, notify,

options, prack, refer, register, subscribe, unknown, update.

Third-Party Registration Criterion ValuesSpecifies to match the requester of a third-party registration. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

URI Length Criterion ValuesSpecifies to match a URI of a selected type and greater than the specified length in the SIP headers.
URI typeSpecifies to match either SIP URI or TEL URI. Greater Than LengthLength in bytes.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

6-29

Chapter 6 Configuring Inspect Maps

Global Objects

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring Inspect Maps


This section describes how to configure inspect maps, and includes the following topics:

DCERPC Inspect Map, page 6-32 DNS Inspect Map, page 6-35 ESMTP Inspect Map, page 6-42 FTP Inspect Map, page 6-51 GTP Inspect Map, page 6-56 H.323 Inspect Map, page 6-63 HTTP Inspect Map, page 6-69 Instant Messaging (IM) Inspect Map, page 6-77 IPSec Pass Through Inspect Map, page 6-81 MGCP Inspect Map, page 6-84 NetBIOS Inspect Map, page 6-88 RADIUS Inspect Map, page 6-89 SCCP (Skinny) Inspect Map, page 6-91 SIP Inspect Map, page 6-96 SNMP Inspect Map, page 6-103

The algorithm the security appliance uses for stateful application inspection ensures the security of applications and services. Some applications require special handling, and specific application inspection engines are provided for this purpose. Applications that require special application inspection engines are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. Application inspection engines work with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation. Each application inspection engine also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. In addition, stateful application inspection audits the validity of the commands and responses within the protocol being inspected. The security appliance helps to prevent attacks by verifying that traffic conforms to the RFC specifications for each protocol that is inspected.

ASDM User Guide

6-30

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

The Inspect Maps feature lets you create inspect maps for specific protocol inspection engines. You use an inspect map to store the configuration for a protocol inspection engine. You then enable the configuration settings in the inspect map by associating the map with a specific type of traffic using a global security policy or a security policy for a specific interface. Use the Service Policy Rules tab on the Security Policy pane to apply the inspect map to traffic matching the criteria specified in the service policy. A service policy can apply to a specific interface or to all the interfaces on the security appliance. DCERPC The DCERPC inspection lets you create, view, and manage DCERPC inspect maps. You can use a DCERPC map to inspect DCERPC messages between a client and endpoint mapper, and to apply NAT for the secondary connection, if needed. DCERPC is a specification for a remote procedure call mechanism. The DNS inspection lets you create, view, and manage DNS inspect maps. You can use a DNS map to have more control over DNS messages and to protect against DNS spoofing and cache poisoning. DNS is used to resolve information about domain names, including IP addresses and mail servers. The ESMTP inspection lets you create, view, and manage ESMTP inspect maps. You can use an ESMTP map for application security and protocol conformance to protect against attacks, to block senders and receivers, and to block mail relay. Extended SMTP defines protocol extensions to the SMTP standard. The FTP inspection lets you create, view, and manage FTP inspect maps. FTP is a common protocol used for transferring files over a TCP/IP network, such as the Internet. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server. The GTP inspection lets you create, view, and manage GTP inspect maps. GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance. The H.323 inspection lets you create, view, and manage H.323 inspect maps. You can use an H.323 map to inspect RAS, H.225, and H.245 VoIP protocols, and for state tracking and filtering. The HTTP inspection lets you create, view, and manage HTTP inspect maps. HTTP is the protocol used for communication between Worldwide Web clients and servers. You can use an HTTP map to enforce RFC compliance and HTTP payload content type. You can also block specific HTTP methods and prevent the use of certain tunneled applications that use HTTP as the transport. The IM inspection lets you create, view, and manage IM inspect maps. You can use an IM map to control the network usage and stop leakage of confidential data and other network threats from IM applications. The IPSec Pass Through inspection lets you create, view, and manage IPSec Pass Through inspect maps. You can use an IPSec Pass Through map to permit certain flows without using an access list. The MGCP inspection lets you create, view, and manage MGCP inspect maps. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.

DNS

ESMTP

FTP

GTP

H.323

HTTP

IM

IPSec Pass Through

MGCP

ASDM User Guide OL-10106-01

6-31

Chapter 6 Configuring Inspect Maps

Global Objects

NetBIOS

The NetBIOS inspection lets you create, view, and manage NetBIOS inspect maps. You can use a NetBIOS map to enforce NetBIOS protocol conformance including field count and length consistency, and message checks. The RADIUS Accounting inspection lets you create, view, and manage RADIUS Accounting inspect maps. You can use a RADIUS map to protect against an overbilling attack. The SCCP (Skinny) inspection lets you create, view, and manage SCCP (Skinny) inspect maps. You can use an SCCP map to perform protocol conformance checks and basic state tracking. The SIP inspection lets you create, view, and manage SIP inspect maps. You can use a SIP map for application security and protocol conformance to protect against SIP-based attacks. SIP is a protocol widely used for internet conferencing, telephony, presence, events notification, and instant messaging. The SNMP inspection lets you create, view, and manage SNMP inspect maps. SNMP is a protocol used for communication between network management devices and network management stations. You can use an SNMP map to block a specific SNMP version, including SNMP v1, 2, 2c and 3.

RADIUS Accounting

SCCP (Skinny)

SIP

SNMP

DCERPC Inspect Map


Configuration > Global Objects > Inspect Maps > DCERPC The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection. DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely. This typically involves a client querying a server called the Endpoint Mapper (EPM) listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection. DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and Port number are received from the applicable EPM response messages. Since a client may attempt multiple connections to the server port returned by EPM, multiple use of pinholes are allowed, which have user configurable timeouts.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high, medium, or low).
Low

Pinhole timeout: 00:02:00

ASDM User Guide

6-32

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Endpoint mapper service: not enforced Endpoint mapper service lookup: enabled Endpoint mapper service lookup timeout: 00:05:00
MediumDefault.

Pinhole timeout: 00:01:00 Endpoint mapper service: not enforced Endpoint mapper service lookup: disabled.
High

Pinhole timeout: 00:01:00 Endpoint mapper service: enforced Endpoint mapper service lookup: disabled
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Medium.

DCERPC Inspect MapsTable that lists the defined DCERPC inspect maps. The defined inspect maps are also listed in the DCERPC area of the Inspect Maps tree. AddAdds the new DCERPC inspect map to the defined list in the DCERPC Inspect Maps table and to the DCERPC area of the Inspect Maps tree. To configure the new DCERPC map, select the DCERPC entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the DCERPC Inspect Maps table and from the DCERPC area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > DCERPC > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured DCERPC application inspection maps.
Fields

SettingsSpecifies the pinhole timeout and endpoint mapper security settings.


Pinhole TimeoutSets the pinhole timeout. Since a client may use the server information

returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.
Enforce endpoint-mapper serviceEnforces endpoint mapper service during binding.

ASDM User Guide OL-10106-01

6-33

Chapter 6 Configuring Inspect Maps

Global Objects

Enforce endpoint-mapper service lookupEnables the lookup operation of the endpoint

mapper service. If disabled, the pinhole timeout is used. Service Lookup TimeoutSets the timeout for pinholes from lookup operation.

Reset to Predefined Security LevelResets the security level settings to the predefined levels of high, medium, or low.
Reset ToResets the security level to high, medium, or low.

ResetResets all security settings to the default. The default pinhole timeout is one minute. The default endpoint mapper settings are none.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DCERPC Inspect Map Basic/Advanced Viewl


Configuration > Global Objects > Inspect Maps > DCERPC > DCERPC Inspect Map > Basic/Advanced View The DCERPC map pane lets you configure basic and advanced settings for previously configured DCERPC application inspection maps.
Fields

NameShows the name of the previously configured DCERPC map. DescriptionEnter the description of the DCERPC map, up to 200 characters in length. Basic ViewShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure security settings. Default LevelSets the security level back to the default level of Medium.

Advanced ViewLets you configure the security settings.


Pinhole TimeoutSets the pinhole timeout. Since a client may use the server information

returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.
Enforce endpoint-mapper serviceEnforces endpoint mapper service during binding. Enforce endpoint-mapper service lookupEnables the lookup operation of the endpoint

mapper service. If disabled, the pinhole timeout is used. Service Lookup TimeoutSets the timeout for pinholes from lookup operation.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

6-34

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DNS Inspect Map


Configuration > Global Objects > Inspect Maps > DNS The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets you change the default configuration values used for DNS application inspection. DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User configurable rules allow certain DNS types to be allowed, dropped, and/or logged, while others are blocked. Zone transfer can be restricted between servers with this function, for example. The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS randomization can be enabled avoid spoofing and cache poisoning of servers that either do not support randomization, or utilize a weak pseudo random number generator. Limiting the domain names that can be queried also restricts the domain names which can be queried, which protects the public server further. A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable check to enforce a Transaction Signature be attached to all DNS messages is also supported.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high, medium, or low).
LowDefault.

DNS Guard: enabled NAT rewrite: enabled Protocol enforcement: enabled ID randomization: disabled Message length check: enabled Message length maximum: 512 Mismatch rate logging: disabled TSIG resource record: not enforced
Medium

DNS Guard: enabled NAT rewrite: enabled Protocol enforcement: enabled

ASDM User Guide OL-10106-01

6-35

Chapter 6 Configuring Inspect Maps

Global Objects

ID randomization: enabled Message length check: enabled Message length maximum: 512 Mismatch rate logging: enabled TSIG resource record: not enforced
High

DNS Guard: enabled NAT rewrite: enabled Protocol enforcement: enabled ID randomization: enabled Message length check: enabled Message length maximum: 512 Mismatch rate logging: enabled TSIG resource record: enforced
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Low.

DNS Inspect MapsTable that lists the defined DNS inspect maps. The defined inspect maps are also listed in the DNS area of the Inspect Maps tree. AddAdds the new DNS inspect map to the defined list in the DNS Inspect Maps table and to the DNS area of the Inspect Maps tree. To configure the new DNS map, select the DNS entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the DNS Inspect Maps table and from the DNS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > DNS > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured DNS application inspection maps.
Fields

SettingsSpecifies DNS security settings and actions.

ASDM User Guide

6-36

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Enable DNS guard functionAs part of protocol conformance, this option performs a DNS

query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
Enable NAT rewrite functionAs part of protocol conformance, this option enables IP address

translation in the A record of the DNS response.


Enable protocol enforcementAs part of protocol conformance, this option enables DNS

message format check, including domain name, label length, compression, and looped pointer check.
Randomize the DNS identifier for DNS queryAs part of protocol conformance, this option

randomizes the DNS identifier in the DNS query message.


Drop packets that exceed specified maximum lengthAs part of filtering, this option drops

packets that exceed maximum length in bytes. Maximum Packet LengthEnter maximum packet length in bytes.
Enable Logging when DNS ID mismatch rate exceeds specified rateReports excessive

instances of DNS identifier mismatches. Mismatch Instance ThresholdEnter the maximum number of mismatch instances before a system message log is sent. Time IntervalEnter the time period to monitor (in seconds).
Enforce TSIG record source to be present in DNS messageAs part of protocol conformance,

this option requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced: Drop packetDrops the packet (logging can be either enabled or disabled). LogEnables logging.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is low.
Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DNS Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > DNS > DNS Inspect Map > Basic View The DNS Inspect Map Basic View pane shows the configured settings for the DNS inspect map. The Advanced View lets you configure the settings.

ASDM User Guide OL-10106-01

6-37

Chapter 6 Configuring Inspect Maps

Global Objects

Fields

NameShows the name of the previously configured DNS map. DescriptionEnter the description of the DNS map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DNS Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > DNS > DNS Inspect Map > Advanced View The DNS Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields

NameShows the name of the previously configured DNS map. DescriptionEnter the description of the DNS map, up to 200 characters in length. Protocol ConformanceTab that lets you configure the protocol conformance settings for DNS.
Enable DNS guard functionPerforms a DNS query and response mismatch check using the

identification field in the DNS header. One response per query is allowed to go through the security appliance.
Enable NAT re-write functionEnables IP address translation in the A record of the DNS

response.
Enable protocol enforcementEnables DNS message format check, including domain name,

label length, compression, and looped pointer check.


Randomize the DNS identifier for DNS query Randomizes the DNS identifier in the DNS

query message.
Enforce TSIG resource record to be present in DNS messageRequires that a TSIG resource

record be present in DNS transactions. Actions taken when TSIG is enforced: Drop packetDrops the packet (logging can be either enabled or disabled). LogEnables logging.

FilteringTab that lets you configure the filtering settings for DNS.
Global SettingsApplies settings globally.

ASDM User Guide

6-38

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Drop packets that exceed specified maximum length (global)Drops packets that exceed maximum length in bytes. Maximum Packet LengthEnter maximum packet length in bytes.
Server SettingsApplies settings on the server only.

Drop packets that exceed specified maximum lengthDrops packets that exceed maximum length in bytes. Maximum Packet LengthEnter maximum packet length in bytes. Drop packets sent to server that exceed length indicated by the RRDrops packets sent to the server that exceed the length indicated by the Resource Record.
Client SettingsApplies settings on the client only.

Drop packets that exceed specified maximum lengthDrops packets that exceed maximum length in bytes. Maximum Packet LengthEnter maximum packet length in bytes. Drop packets sent to client that exceed length indicated by the RRDrops packets sent to the client that exceed the length indicated by the Resource Record.

Mismatch RateTab that lets you configure the ID mismatch rate for DNS.
Enable Logging when DNS ID mismatch rate exceeds specified rateReports excessive

instances of DNS identifier mismatches. Mismatch Instance ThresholdEnter the maximum number of mismatch instances before a system message log is sent. Time IntervalEnter the time period to monitor (in seconds).

InspectionsTab that shows you the DNS inspection configuration and lets you add or edit.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the DNS inspection. ValueShows the value to match in the DNS inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add DNS Inspect dialog box to add a DNS inspection. EditOpens the Edit DNS Inspect dialog box to edit a DNS inspection. DeleteDeletes a DNS inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-39

Chapter 6 Configuring Inspect Maps

Global Objects

Add/Edit DNS Inspect


Configuration > Global Objects > Inspect Maps > DNS > DNS Inspect Map > Advanced View > Add/Edit DNS Inspect The Add/Edit DNS Inspect dialog box lets you define the match criterion and value for the DNS inspect map.
Fields

Single MatchSpecifies that the DNS inspect has only one match statement. Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of DNS traffic to match.


Header FlagMatch a DNS flag in the header. TypeMatch a DNS query or resource record type. ClassMatch a DNS query or resource record class. QuestionMatch a DNS question. Resource RecordMatch a DNS resource record. Domain NameMatch a domain name from a DNS query or resource record.

Header Flag Criterion ValuesSpecifies the value details for DNS header flag match.
Match OptionSpecifies either an exact match or match all bits (bit mask match). Match ValueSpecifies to match either the header flag name or the header flag value.

Header Flag NameLets you select one or more header flag names to match, including AA (authoritative answer), QR (query), RA (recursion available), RD (recursion denied), TC (truncation) flag bits. Header Flag ValueLets you enter an arbitrary 16-bit value in hex to match.

Type Criterion ValuesSpecifies the value details for DNS type match.
DNS Type Field NameLists the DNS types to select.

AIPv4 address NSAuthoritative name server CNAMECanonical name SOAStart of a zone of authority TSIGTransaction signature IXFRIncremental (zone) transfer AXFRFull (zone) transfer
DNS Type Field ValueSpecifies to match either a DNS type field value or a DNS type field

range. ValueLets you enter an arbitrary value between 0 and 65535 to match. RangeLets you enter a range match. Both values between 0 and 65535.

Class Criterion ValuesSpecifies the value details for DNS class match.

ASDM User Guide

6-40

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

DNS Class Field NameSpecifies to match on internet, the DNS class field name. DNS Class Field ValueSpecifies to match either a DNS class field value or a DNS class field

range. ValueLets you enter an arbitrary value between 0 and 65535 to match. RangeLets you enter a range match. Both values between 0 and 65535.

Question Criterion ValuesSpecifies to match on the DNS question section. Resource Record Criterion ValuesSpecifies to match on the DNS resource record section.
Resource Record Lists the sections to match.

AdditionalDNS additional resource record AnswerDNS answer resource record AuthorityDNS authority resource record

Domain Name Criterion ValuesSpecifies to match on DNS domain name.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Multiple MatchesSpecifies multiple matches for the DNS inspection.


DNS Traffic ClassSpecifies the DNS traffic class match. ManageOpens the Manage DNS Class Maps dialog box to add, edit, or delete DNS Class

Maps.

ActionsPrimary action and log settings.


Primary ActionMask, drop packet, drop connection, none. LogEnable or disable. Enforce TSIGDo not enforce, drop packet, log, drop packet and log.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Manage Class Maps


Configuration > Global Objects > Inspect Maps > DNS > DNS Inspect Map > Advanced View > Add DNS Inspect > Multiple Matches > Manage DNS Class Maps The Manage Class Map dialog box lets you configure class maps for inspection.

ASDM User Guide OL-10106-01

6-41

Chapter 6 Configuring Inspect Maps

Global Objects

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, Instant Messaging (IM), and SIP.
Fields

NameShows the class map name. Match ConditionsShows the type, match criterion, and value in the class map.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the class map. ValueShows the value to match in the class map.

DescriptionShows the description of the class map. AddAdds match conditions for the class map. EditEdits match conditions for the class map. DeleteDeletes match conditions for the class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ESMTP Inspect Map


Configuration > Global Objects > Inspect Maps > ESMTP The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection. Since ESMTP traffic can be a main source of attack from spam, phising, malformed messages, buffer overflows, and buffer underflows, detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance enforce the sanity of the ESMTP message as well as detect several attacks, block senders and receivers, and block mail relay.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high, medium, or low).
LowDefault.

Log if command line length is greater than 512 Log if command recipient count is greater than 100

ASDM User Guide

6-42

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Log if body line length is greater than 1000 Log if sender address length is greater than 320 Log if MIME file name length is greater than 255
Medium

Obfuscate Server Banner Drop Connections if command line length is greater than 512 Drop Connections if command recipient count is greater than 100 Drop Connections if body line length is greater than 1000 Drop Connections if sender address length is greater than 320 Drop Connections if MIME file name length is greater than 255
High

Obfuscate Server Banner Drop Connections if command line length is greater than 512 Drop Connections if command recipient count is greater than 100 Drop Connections if body line length is greater than 1000 Drop Connections and log if sender address length is greater than 320 Drop Connections and log if MIME file name length is greater than 255
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Low. MIME File Type FilteringOpens the MIME Type Filtering dialog box to configure MIME file

type filters.

ESMTP Inspect MapsTable that lists the defined ESMTP inspect maps. The defined inspect maps are also listed in the ESMTP area of the Inspect Maps tree. AddAdds the new ESMTP inspect map to the defined list in the ESMTP Inspect Maps table and to the ESMTP area of the Inspect Maps tree. To configure the new ESMTP map, select the ESMTP entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the ESMTP Inspect Maps table and from the ESMTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > ESMTP > Customize Security Level

ASDM User Guide OL-10106-01

6-43

Chapter 6 Configuring Inspect Maps

Global Objects

The Customize Security Level dialog box lets you configure the security settings for previously configured ESMTP application inspection maps.
Fields

SettingsSpecifies ESMTP security settings and actions.


Mask server bannerEnforces banner obfuscation. Configure Mail RelayEnables ESMTP mail relay.

Domain NameSpecifies a local domain. ActionReset, drop connection, log. LogEnable or disable.
Check for command line lengthEnables command line length matching at specified length.

Maximum LengthShows the maximum length configured. ActionReset, drop connection, log. LogEnable or disable.
Check for command recipient countEnables command recipient count matching at specified

count. Maximum LengthShows the maximum length configured. ActionReset, drop connection, log. LogEnable or disable. Time IntervalEnter the time period to monitor (in seconds).
Check for body line lengthEnables body line length matching at specified length.

Maximum LengthShows the maximum length configured. ActionReset, drop connection, log. LogEnable or disable.
Check for sender address lengthEnables sender address length matching at specified length.

Maximum LengthShows the maximum length configured. ActionReset, drop connection, log. LogEnable or disable.
Check for MIME file name lengthEnables MIME file name length matching at specified

length. Maximum LengthShows the maximum length configured. ActionReset, drop connection, log. LogEnable or disable.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is low.
Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

6-44

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

MIME File Type Filtering


Configuration > Global Objects > Inspect Maps > ESMTP > MIME File Type Filtering The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.
Fields

Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the inspection. ValueShows the value to match in the inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add MIME File Type Filter dialog box to add a MIME file type filter. EditOpens the Edit MIME File Type Filter dialog box to edit a MIME file type filter. DeleteDeletes a MIME file type filter. Move UpMoves an entry up in the list. Move DownMoves an entry down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ESMTP Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Basic View The ESMTP Inspect Map Basic View pane shows the configured settings for the ESMTP inspect map. The Advanced View lets you configure the settings.
Fields

NameShows the name of the previously configured ESMTP map. DescriptionEnter the description of the ESMTP map, up to 200 characters in length. Security LevelShows the current security settings.

ASDM User Guide OL-10106-01

6-45

Chapter 6 Configuring Inspect Maps

Global Objects

CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

MIME File Type FilteringOpens the MIME Type Filtering dialog box to configure MIME file type filters. Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ESMTP Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View The ESMTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured ESMTP map. DescriptionEnter the description of the ESMTP map, up to 200 characters in length. ParametersTab that lets you configure the parameters for the ESMTP inspect map.
Mask server bannerEnforces banner obfuscation. Configure Mail RelayEnables ESMTP mail relay.

Domain NameSpecifies a local domain. ActionDrop connection or log. LogEnable or disable.

InspectionsTab that shows you the ESMTP inspection configuration and lets you add or edit.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the ESMTP inspection. ValueShows the value to match in the ESMTP inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add ESMTP Inspect dialog box to add an ESMTP inspection. EditOpens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection. DeleteDeletes an ESMTP inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

ASDM User Guide

6-46

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit ESMTP Inspect


Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View > Add/Edit ESMTP Inspect The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.
Fields

Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of ESMTP traffic to match.


Body LengthMatch body length at specified length in bytes. Body Line LengthMatch body line length matching at specified length in bytes. CommandsMatch commands exchanged in the ESMTP protocol. Command Recipient CountMatch command recipient count greater than number specified. Command Line LengthMatch command line length greater than length specified in bytes. EHLO Reply ParametersMatch an ESMTP ehlo reply parameter. Header LengthMatch header length at length specified in bytes. Header To Fields CountMatch header To fields count greater than number specified. Invalid Recipients CountMatch invalid recipients count greater than number specified. MIME File TypeMatch MIME file type. MIME Filename LengthMatch MIME filename. MIME EncodingMatch MIME encoding. Sender AddressMatch sender email address. Sender Address LengthMatch sender email address length.

Body Length Criterion ValuesSpecifies the value details for body length match.
Greater Than LengthBody length in bytes. ActionReset, drop connection, log. LogEnable or disable.

Body Line Length Criterion ValuesSpecifies the value details for body line length match.
Greater Than LengthBody line length in bytes.

ASDM User Guide OL-10106-01

6-47

Chapter 6 Configuring Inspect Maps

Global Objects

ActionReset, drop connection, log. LogEnable or disable.

Commands Criterion ValuesSpecifies the value details for command match.


Available Commands Table:

AUTH DATA EHLO ETRN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SOML VRFY
AddAdds the selected command from the Available Commands table to the Selected

Commands table.
RemoveRemoves the selected command from the Selected Commands table. Primary ActionMask, Reset, Drop Connection, None, Limit Rate (pps). LogEnable or disable. Rate LimitDo not limit rate, Limit Rate (pps).

Command Recipient Count Criterion ValuesSpecifies the value details for command recipient count match.
Greater Than CountSpecify command recipient count. ActionReset, drop connection, log. LogEnable or disable.

Command Line Length Criterion ValuesSpecifies the value details for command line length.
Greater Than LengthCommand line length in bytes. ActionReset, drop connection, log. LogEnable or disable.

EHLO Reply Parameters Criterion ValuesSpecifies the value details for EHLO reply parameters match.
Available Parameters Table:

8bitmime auth

ASDM User Guide

6-48

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

binarymime checkpoint dsn ecode etrn others pipelining size vrfy


AddAdds the selected parameter from the Available Parameters table to the Selected

Parameters table.
RemoveRemoves the selected command from the Selected Commands table. ActionReset, Drop Connection, Mask, Log. LogEnable or disable.

Header Length Criterion ValuesSpecifies the value details for header length match.
Greater Than LengthHeader length in bytes. ActionReset, Drop Connection, Mask, Log. LogEnable or disable.

Header To Fields Count Criterion ValuesSpecifies the value details for header To fields count match.
Greater Than CountSpecify command recipient count. ActionReset, drop connection, log. LogEnable or disable.

Invalid Recipients Count Criterion ValuesSpecifies the value details for invalid recipients count match.
Greater Than CountSpecify command recipient count. ActionReset, drop connection, log. LogEnable or disable.

MIME File Type Criterion ValuesSpecifies the value details for MIME file type match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.


ActionReset, drop connection, log. LogEnable or disable.

MIME Filename Length Criterion ValuesSpecifies the value details for MIME filename length match.

ASDM User Guide OL-10106-01

6-49

Chapter 6 Configuring Inspect Maps

Global Objects

Greater Than LengthMIME filename length in bytes. ActionReset, Drop Connection, Log. LogEnable or disable.

MIME Encoding Criterion ValuesSpecifies the value details for MIME encoding match.
Available Encodings table

7bit 8bit base64 binary others quoted-printable


AddAdds the selected parameter from the Available Encodings table to the Selected

Encodings table.
RemoveRemoves the selected command from the Selected Commands table. ActionReset, Drop Connection, Log. LogEnable or disable.

Sender Address Criterion ValuesSpecifies the value details for sender address match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.


ActionReset, Drop Connection, Log. LogEnable or disable.

Sender Address Length Criterion ValuesSpecifies the value details for sender address length match.
Greater Than LengthSender address length in bytes. ActionReset, Drop Connection, Log. LogEnable or disable.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

6-50

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

FTP Inspect Map


Configuration > Global Objects > Inspect Maps > FTP The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection. FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation. Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (medium or low).
Low

Mask Banner Disabled Mask Reply Disabled


MediumDefault.

Mask Banner Enabled Mask Reply Enabled


CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Medium. File Type FilteringOpens the Type Filtering dialog box to configure file type filters.

FTP Inspect MapsTable that lists the defined FTP inspect maps. The defined inspect maps are also listed in the FTP area of the Inspect Maps tree. AddAdds the new FTP inspect map to the defined list in the FTP Inspect Maps table and to the FTP area of the Inspect Maps tree. To configure the new FTP map, select the FTP entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the FTP Inspect Maps table and from the FTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-51

Chapter 6 Configuring Inspect Maps

Global Objects

Customize Security Level


Configuration > Global Objects > Inspect Maps > FTP > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured FTP application inspection maps.
Fields

SettingsSpecifies FTP security settings and actions.


Mask greeting banner from the serverMasks the greeting banner from the FTP server to

prevent the client from discovering server information.


Mask reply to SYST commandMasks the reply to the syst command to prevent the client from

discovering server information.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is medium.
Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

File Type Filtering


Configuration > Global Objects > Inspect Maps > ESMTP > MIME File Type Filtering The File Type Filtering dialog box lets you configure the settings for a file type filter.
Fields

Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the inspection. ValueShows the value to match in the inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add File Type Filter dialog box to add a file type filter. EditOpens the Edit File Type Filter dialog box to edit a file type filter. DeleteDeletes a file type filter. Move UpMoves an entry up in the list. Move DownMoves an entry down in the list.

ASDM User Guide

6-52

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

FTP Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Basic View The FTP Inspect Map Basic View pane shows the configured settings for the FTP inspect map. The Advanced View lets you configure the settings.
Fields

NameShows the name of the previously configured FTP map. DescriptionEnter the description of the FTP map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

File Type FilteringOpens the Type Filtering dialog box to configure file type filters. Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

FTP Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View The FTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured FTP map. DescriptionEnter the description of the FTP map, up to 200 characters in length. ParametersTab that lets you configure the parameters for the FTP inspect map.

ASDM User Guide OL-10106-01

6-53

Chapter 6 Configuring Inspect Maps

Global Objects

Mask greeting banner from the serverMasks the greeting banner from the FTP server to

prevent the client from discovering server information.


Mask reply to SYST commandMasks the reply to the syst command to prevent the client from

discovering server information.

InspectionsTab that shows you the FTP inspection configuration and lets you add or edit.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the FTP inspection. ValueShows the value to match in the FTP inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add FTP Inspect dialog box to add an FTP inspection. EditOpens the Edit FTP Inspect dialog box to edit an FTP inspection. DeleteDeletes an FTP inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit FTP Map


Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > Add/Edit FTP Inspect The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the DNS inspect map.
Fields

Single MatchSpecifies that the FTP inspect has only one match statement. Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of FTP traffic to match.


Request CommandMatch an FTP request command. File NameMatch a filename for FTP transfer. File TypeMatch a file type for FTP transfer. ServerMatch an FTP server.

ASDM User Guide

6-54

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

User NameMatch an FTP user.

Request Command Criterion ValuesSpecifies the value details for FTP request command match.
Request Command:

APPECommand that appends to a file. CDUPCommand that changes to the parent directory of the current working directory. DELECommand that deletes a file. GETCommand that gets a file. HELPCommand that provides help information. MKDCommand that creates a directory. PUTCommand that sends a file. RMDCommand that deletes a directory. RNFRCommand that specifies rename-from filename. RNTOCommand that specifies rename-to filename. SITECommands that are specific to the server system. Usually used for remote administration. STOUCommand that stores a file using a unique filename.

File Name Criterion ValuesSpecifies the value details for FTP filename match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

File Type Criterion ValuesSpecifies the value details for FTP file type match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Server Criterion ValuesSpecifies the value details for FTP server match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

User Name Criterion ValuesSpecifies the value details for FTP user name match.
Regular ExpressionLists the defined regular expressions to match.

ASDM User Guide OL-10106-01

6-55

Chapter 6 Configuring Inspect Maps

Global Objects

ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Multiple MatchesSpecifies multiple matches for the FTP inspection.


FTP Traffic ClassSpecifies the FTP traffic class match. ManageOpens the Manage FTP Class Maps dialog box to add, edit, or delete FTP Class

Maps.

ActionReset. LogEnable or disable.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

GTP Inspect Map


Configuration > Global Objects > Inspect Maps > GTP The GTP pane lets you view previously configured GTP application inspection maps. A GTP map lets you change the default configuration values used for GTP application inspection. GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.

Note

GTP inspection is not available without a special license.

Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSecurity level low only.
Do not Permit Errors Maximum Number of Tunnels: 500 GSN timeout: 00:30:00 Pdp-Context timeout: 00:30:00 Request timeout: 00:01:00 Signaling timeout: 00:30:00.

ASDM User Guide

6-56

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Tunnel timeout: 01:00:00. T3-response timeout: 00:00:20. Drop and log unknown message IDs.

CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default. IMSI Prefix FilteringOpens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters. GTP Inspect MapsTable that lists the defined GTP inspect maps. The defined inspect maps are also listed in the GTP area of the Inspect Maps tree. AddAdds the new GTP inspect map to the defined list in the GTP Inspect Maps table and to the GTP area of the Inspect Maps tree. To configure the new GTP map, select the GTP entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the GTP Inspect Maps table and from the GTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > FTP > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured FTP application inspection maps.
Fields

Permit ErrorsLets any packets that are invalid or that encountered an error during inspection to be sent through the security appliance instead of being dropped. By default, all invalid packets or packets that failed during parsing are dropped. Drop and Log unknown message IDsDrops and logs all message IDs that are unknown. Maximum Number of RequestsLets you change the default for the maximum request queue size allowed. The default for the maximum request queue size is 200. Specifies the maximum number of GTP requests that will be queued waiting for a response. The permitted range is from 1 to 9999999. Maximum Number of TunnelsLets you change the default for the maximum number of tunnels allowed. The default tunnel limit is 500. Specifies the maximum number of tunnels allowed. The permitted range is from 1 to 9999999 for the global overall tunnel limit. Timeouts

ASDM User Guide OL-10106-01

6-57

Chapter 6 Configuring Inspect Maps

Global Objects

GSN timeoutLets you change the default for the maximum period of inactivity before a GSN

is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down.
PDP-Context timeoutLets you change the default for the maximum period of inactivity before

receiving the PDP Context for a GTP session. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down.
Request QueueLets you change the default for the maximum period of inactivity before

receiving the GTP message during a GTP session. The default is 1 minute. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down.
SignalingLets you change the default for the maximum period of inactivity before a GTP

signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down.
TunnelLets you change the default for the maximum period of inactivity for the GTP tunnel.

The default is 1 hour. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down Request timeoutSpecifies the GTP Request idle timeout.
T3-Response timeoutSpecifies the maximum wait time for a response before removing the

connection.

Reset toSpecifies low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IMSI Prefix Filtering


Configuration > Global Objects > Inspect Maps > GTP > IMSI Prefix Filtering

ASDM User Guide

6-58

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

The IMSI Prefix tab lets you define the IMSI prefix to allow within GTP requests.
Fields

Mobile Country CodeDefines the non-zero, three-digit value identifying the mobile country code. One or two-digit entries will be prepended by 0 to create a three-digit value. Mobile Network CodeDefines the two or three-digit value identifying the network code. AddAdd the specified country code and network code to the IMSI Prefix table. DeleteDeletes the specified country code and network code from the IMSI Prefix table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

GTP Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > GTP > GTP Inspect Map > Basic View The GTP Inspect Map Basic View pane shows the configured settings for the GTP inspect map. The Advanced View lets you configure the settings.
Fields

NameShows the name of the previously configured GTP map. DescriptionEnter the description of the GTP map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

IMSI Prefix FilteringOpens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters. Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-59

Chapter 6 Configuring Inspect Maps

Global Objects

GTP Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > GTP > GTP Inspect Map > Advanced View The GTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured GTP map. DescriptionEnter the description of the GTP map, up to 200 characters in length. Permit ParametersTab that lets you configure the permit parameters for the GTP inspect map.
Object Groups to Add

From object groupSpecify an object group or use the browse button to open the Add Network Object Group dialog box. To object groupSpecify an object group or use the browse button to open the Add Network Object Group dialog box.
AddAdd the specified country code and network code to the IMSI Prefix table. DeleteDeletes the specified country code and network code from the IMSI Prefix table. Permit ErrorsLets any packets that are invalid or that encountered an error during inspection

to be sent through the security appliance instead of being dropped. By default, all invalid packets or packets that failed during parsing are dropped.

General ParametersTab that lets you configure the general parameters for the GTP inspect map.
Maximum Number of RequestsLets you change the default for the maximum request queue

size allowed. The default for the maximum request queue size is 200. Specifies the maximum number of GTP requests that will be queued waiting for a response. The permitted range is from 1 to 9999999.
Maximum Number of TunnelsLets you change the default for the maximum number of

tunnels allowed. The default tunnel limit is 500. Specifies the maximum number of tunnels allowed. The permitted range is from 1 to 9999999 for the global overall tunnel limit.
Timeouts

GSN timeoutLets you change the default for the maximum period of inactivity before a GSN is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down. PDP-Context timeoutLets you change the default for the maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down. Request QueueLets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down. SignalingLets you change the default for the maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down.

ASDM User Guide

6-60

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

TunnelLets you change the default for the maximum period of inactivity for the GTP tunnel. The default is 1 hour. Timeout is in the format hh:mm:ss, where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. A value 0 means never tear down Request timeoutSpecifies the GTP Request idle timeout. T3-Response timeoutSpecifies the maximum wait time for a response before removing the connection.

IMSI Prefix FilteringTab that lets you configure the IMSI prefix filtering for the GTP inspect map.
Mobile Country CodeDefines the non-zero, three-digit value identifying the mobile country

code. One or two-digit entries will be prepended by 0 to create a three-digit value.


Mobile Network CodeDefines the two or three-digit value identifying the network code. AddAdd the specified country code and network code to the IMSI Prefix table. DeleteDeletes the specified country code and network code from the IMSI Prefix table.

InspectionsTab that lets you configure the GTP inspect maps.


Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the GTP inspection. ValueShows the value to match in the GTP inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add GTP Inspect dialog box to add an GTP inspection. EditOpens the Edit GTP Inspect dialog box to edit an GTP inspection. DeleteDeletes an GTP inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit GTP Map


Configuration > Global Objects > Inspect Maps > GTP > GTP Inspect Map > Add/Edit GTP Map The Add/Edit GTP Inspect dialog box lets you define the match criterion and value for the GTP inspect map.
Fields

Match TypeSpecifies whether traffic should match or not match the values.

ASDM User Guide OL-10106-01

6-61

Chapter 6 Configuring Inspect Maps

Global Objects

For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of GTP traffic to match.


Access Point NameMatch on access point name. Message IDMatch on the message ID. Message LengthMatch on the message length VersionMatch on the version.

Access Point Name Criterion ValuesSpecifies an access point name to be matched. By default, all messages with valid APNs are inspected, and any APN is allowed.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.


ActionDrop. LogEnable or disable.

Message ID Criterion ValuesSpecifies the numeric identifier for the message that you want to match. The valid range is 1 to 255. By default, all valid message IDs are allowed.
ValueSpecifies whether value is an exact match or a range.

EqualsEnter a value. RangeEnter a range of values.


ActionDrop packet or limit rate (pps). LogEnable or disable.

Message Length Criterion ValuesLets you change the default for the maximum message length for the UDP payload that is allowed.
Minimum valueSpecifies the minimum number of bytes in the UDP payload. The range is

from 1 to 65536.
Maximum valueSpecifies the maximum number of bytes in the UDP payload. The range is

from 1 to 65536.
ActionDrop packet. LogEnable or disable.

Version Criterion ValuesSpecifies the GTP version for messages that you want to match. The valid range is 0-255. Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 3386, while Version 1 uses port 2123. By default all GTP versions are allowed.
ValueSpecifies whether value is an exact match or a range.

EqualsEnter a value. RangeEnter a range of values.


ActionDrop packet. LogEnable or disable.

ASDM User Guide

6-62

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

H.323 Inspect Map


Configuration > Global Objects > Inspect Maps > H.323 The H.323 pane lets you view previously configured H.323 application inspection maps. An H.323 map lets you change the default configuration values used for H.323 application inspection. H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, protocol state tracking, H.323 call duration enforcement, and audio/video control.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (low, medium, or high).
LowDefault.

State Checking h225 Disabled State Checking ras Disabled Call Party Number Disabled Call duration Limit Disabled RTP conformance not enforced
Medium

State Checking h225 Enabled State Checking ras Enabled Call Party Number Disabled Call duration Limit Disabled RTP conformance enforced Limit payload to audio or video, based on the signaling exchange: no
High

State Checking h225 Enabled State Checking ras Enabled Call Party Number Enabled Call duration Limit 1:00:00

ASDM User Guide OL-10106-01

6-63

Chapter 6 Configuring Inspect Maps

Global Objects

RTP conformance enforced Limit payload to audio or video, based on the signaling exchange: yes
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Medium. Phone Number FilteringOpens the Phone Number Filtering dialog box to configure phone

number filters.

H.323 Inspect MapsTable that lists the defined H.323 inspect maps. The defined inspect maps are also listed in the H.323 area of the Inspect Maps tree. AddAdds the new H.323 inspect map to the defined list in the H.323 Inspect Maps table and to the H.323 area of the Inspect Maps tree. To configure the new H.323 map, select the H.323 entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the H.323 Inspect Maps table and from the H.323 area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > H323 > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured H.323 application inspection maps.
Fields

SettingsSpecifies H.323 security settings and actions.


Check state transition of H.225 messagesEnforces H.323 state checking on H.225 messages. Check state transition of RAS messagesEnforces H.323 state checking on RAS messages. Enforce call duration limitEnforces the absolute limit on a call.

Call Duration LimitTime limit for the call (hh:mm:ss).


Enforce presence of calling and called party numbersEnforces sending call party numbers

during call setup.


Check RTP packets for protocol conformanceChecks RTP/RTCP packets on the pinholes for

protocol conformance. Limit payload to audio or video, based on the signaling exchangeEnforces the payload type to be audio or video based on the signaling exchange.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is low.

ASDM User Guide

6-64

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Phone Number Filtering


Configuration > Global Objects > Inspect Maps > H323 > Phone Number Filtering The Phone Number Filtering dialog box lets you configure the settings for a phone number filter.
Fields

Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the inspection. ValueShows the value to match in the inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add Phone Number Filter dialog box to add a phone number filter. EditOpens the Edit Phone Number Filter dialog box to edit a phone number filter. DeleteDeletes a phone number filter. Move UpMoves an entry up in the list. Move DownMoves an entry down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

H.323 Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Basic View The H323 Inspect Map Basic View pane shows the configured settings for the H323 inspect map. The Advanced View lets you configure the settings.

ASDM User Guide OL-10106-01

6-65

Chapter 6 Configuring Inspect Maps

Global Objects

Fields

NameShows the name of the previously configured H323 map. DescriptionEnter the description of the H323 map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

Phone Number FilteringOpens the Phone Number Filtering dialog box which lets you configure the settings for a phone number filter. Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

H.323 Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View The H.323 Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured H.323 map. DescriptionEnter the description of the H.323 map, up to 200 characters in length. State CheckingTab that lets you configure state checking parameters for the H.323 inspect map.
Check state transition of H.225 messagesEnforces H.323 state checking on H.225 messages. Check state transition of RAS messagesEnforces H.323 state checking on RAS messages.

Call AttributesTab that lets you configure call attributes parameters for the H.323 inspect map.
Enforce call duration limitEnforces the absolute limit on a call.

Call Duration LimitTime limit for the call (hh:mm:ss).


Enforce presence of calling and called party numbersEnforces sending call party numbers

during call setup.

Tunneling and Protocol ConformanceTab that lets you configure tunneling and protocol conformance parameters for the H.323 inspect map.
Check for H.245 tunnelingAllows H.245 tunneling.

ActionDrop connection or log.


Check RTP packets for protocol conformanceChecks RTP/RTCP packets on the pinholes for

protocol conformance.

ASDM User Guide

6-66

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Limit payload to audio or video, based on the signaling exchangeEnforces the payload type to be audio or video based on the signaling exchange.

HSI Group ParametersTab that lets you configure an HSI group.


HSI Group IDShows the HSI Group ID. IP AddressShows the HSI Group IP address. EndpointsShows the HSI Group endpoints. AddOpens the Add HSI Group dialog box to add an HSI group. EditOpens the Edit HSI Group dialog box to edit an HSI group. DeleteDeletes an HSI group.

InspectionsTab that shows you the H.323 inspection configuration and lets you add or edit.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the H.323 inspection. ValueShows the value to match in the H.323 inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add H.323 Inspect dialog box to add an H.323 inspection. EditOpens the Edit H.323 Inspect dialog box to edit an H.323 inspection. DeleteDeletes an H.323 inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit HSI Group


Configuration > Global Objects > Inspect Maps > H323 > H323 Inspect Map > Advanced View > Add/Edit HSI Group The Add/Edit HSI Group dialog box lets you configure HSI Groups.
Fields

Group IDEnter the HSI group ID. IP AddressEnter the HSI IP address. EndpointsLets you configure the IP address and interface of the endpoints.
IP AddressEnter an endpoint IP address.

ASDM User Guide OL-10106-01

6-67

Chapter 6 Configuring Inspect Maps

Global Objects

InterfaceSpecifies an endpoint interface.

AddAdds the HSI group defined. DeleteDeletes the selected HSI group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit H.323 Map


Configuration > Global Objects > Inspect Maps > H232 > H323 Inspect Map > Advanced View > Add/Edit H323 Inspect The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map.
Fields

Single MatchSpecifies that the H.323 inspect has only one match statement. Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of H.323 traffic to match.


Called PartyMatch the called party. Calling PartyMatch the calling party. Media TypeMatch the media type.

Called Party Criterion ValuesSpecifies to match on the H.323 called party.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Calling Party Criterion ValuesSpecifies to match on the H.323 calling party.


Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match.

ASDM User Guide

6-68

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Media Type Criterion ValuesSpecifies which media type to match.


AudioMatch audio type. VideoMatch video type. DataMatch data type.

Multiple MatchesSpecifies multiple matches for the H.323 inspection.


H323 Traffic ClassSpecifies the H.323 traffic class match. ManageOpens the Manage H323 Class Maps dialog box to add, edit, or delete H.323 Class

Maps.

ActionDrop packet, drop connection, or reset.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

HTTP Inspect Map


Configuration > Global Objects > Inspect Maps > HTTP The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection. HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance. HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (low, medium, or high).
LowDefault.

Protocol violation action: Drop connection Drop connections for unsafe methods: Disabled Drop connections for requests with non-ASCII headers: Disabled URI filtering: Not configured

ASDM User Guide OL-10106-01

6-69

Chapter 6 Configuring Inspect Maps

Global Objects

Advanced inspections: Not configured


Medium

Protocol violation action: Drop connection Drop connections for unsafe methods: Allow only GET, HEAD, and POST Drop connections for requests with non-ASCII headers: Disabled URI filtering: Not configured Advanced inspections: Not configured
High

Protocol violation action: Drop connection and log Drop connections for unsafe methods: Allow only GET and HEAD. Drop connections for requests with non-ASCII headers: Enabled URI filtering: Not configured Advanced inspections: Not configured
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Medium. URI FilteringOpens the URI Filtering dialog box to configure URI filters.

HTTP Inspect MapsTable that lists the defined HTTP inspect maps. The defined inspect maps are also listed in the HTTP area of the Inspect Maps tree. AddAdds the new HTTP inspect map to the defined list in the HTTP Inspect Maps table and to the HTTP area of the Inspect Maps tree. To configure the new HTTP map, select the HTTP entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the HTTP Inspect Maps table and from the HTTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > HTTP > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured HTTP application inspection maps.
Fields

SettingsSpecifies HTTP security settings and actions.


Check for protocol violationsChecks for HTTP protocol violations.

ASDM User Guide

6-70

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

ActionDrop Connection, Reset, Log. LogEnable or disable.


Drop connections for unsafe methodsChecks for unsafe methods and drops the connection.

Allow OnlyGET and HEAD, GET, HEAD, and POST.


Drop connections for requests with non-ASCII headersChecks for non-ASCII characters in

the message header.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is low.
Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

URI Filtering
Configuration > Global Objects > Inspect Maps > HTTP > URI Filtering The URI Filtering dialog box lets you configure the settings for an URI filter.
Fields

Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the inspection. ValueShows the value to match in the inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add URI Filtering dialog box to add a URI filter. EditOpens the Edit URI Filtering dialog box to edit a URI filter. DeleteDeletes an URI filter. Move UpMoves an entry up in the list. Move DownMoves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

6-71

Chapter 6 Configuring Inspect Maps

Global Objects

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

HTTP Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Basic View The HTTP Inspect Map Basic View pane shows the configured settings for the HTTP inspect map. The Advanced View lets you configure the settings.
Fields

NameShows the name of the previously configured HTTP map. DescriptionEnter the description of the HTTP map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

URI FilteringOpens the URI Filtering dialog box which lets you configure the settings for an URI filter. Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

HTTP Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View The HTTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured HTTP map. DescriptionEnter the description of the HTTP map, up to 200 characters in length. ParametersTab that lets you configure the parameters for the HTTP inspect map.
Check for protocol violationsChecks for HTTP protocol violations.

ActionDrop Connection, Reset, Log.

ASDM User Guide

6-72

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

LogEnable or disable.
Spoof server stringReplaces the server HTTP header value with the specified string.

Spoof StringEnter a string to substitute for the server header field. Maximum is 82 characters.
Body Match MaximumThe maximum number of characters in the body of an HTTP message

that should be searched in a body match. Default is 200 bytes. A large number will have a significant impact on performance.

InspectionsTab that shows you the HTTP inspection configuration and lets you add or edit.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the HTTP inspection. ValueShows the value to match in the HTTP inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add HTTP Inspect dialog box to add an HTTP inspection. EditOpens the Edit HTTP Inspect dialog box to edit an HTTP inspection. DeleteDeletes an HTTP inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit HTTP Map


Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View > Add/Edit HTTP Inspect The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.
Fields

Single MatchSpecifies that the HTTP inspect has only one match statement. Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of HTTP traffic to match.


Request/Response Content Type MismatchSpecifies that the content type in the response

must match one of the MIME types in the accept field of the request.

ASDM User Guide OL-10106-01

6-73

Chapter 6 Configuring Inspect Maps

Global Objects

Request ArgumentsApplies the regular expression match to the arguments of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Body LengthApplies the regular expression match to the body of the request with

field length greater than the bytes specified. Greater Than LengthEnter a field length value in bytes that request field lengths will be matched against.
Request BodyApplies the regular expression match to the body of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Header Field CountApplies the regular expression match to the header of the request

with a maximum number of header fields. PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than CountEnter the maximum number of header fields.
Request Header Field LengthApplies the regular expression match to the header of the

request with field length greater than the bytes specified. PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than LengthEnter a field length value in bytes that request field lengths will be matched against.
Request Header FieldApplies the regular expression match to the header of the request.

ASDM User Guide

6-74

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

PredefinedSpecifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request Header CountApplies the regular expression match to the header of the request with

a maximum number of headers. Greater Than CountEnter the maximum number of headers.
Request Header LengthApplies the regular expression match to the header of the request with

length greater than the bytes specified. Greater Than LengthEnter a header length value in bytes.
Request Header non-ASCIIMatches non-ASCII characters in the header of the request. Request MethodApplies the regular expression match to the method of the request.

MethodSpecifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe. Regular ExpressionSpecifies to match on a regular expression. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Request URI LengthApplies the regular expression match to the URI of the request with

length greater than the bytes specified. Greater Than LengthEnter a URI length value in bytes.
Request URIApplies the regular expression match to the URI of the request.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Response BodyApplies the regex match to the body of the response.

ASDM User Guide OL-10106-01

6-75

Chapter 6 Configuring Inspect Maps

Global Objects

ActiveXSpecifies to match on ActiveX. Java AppletSpecifies to match on a Java Applet. Regular ExpressionSpecifies to match on a regular expression. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Response Body LengthApplies the regular expression match to the body of the response with

field length greater than the bytes specified. Greater Than LengthEnter a field length value in bytes that response field lengths will be matched against.
Response Header Field CountApplies the regular expression match to the header of the

response with a maximum number of header fields. PredefinedSpecifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than CountEnter the maximum number of header fields.
Response Header Field LengthApplies the regular expression match to the header of the

response with field length greater than the bytes specified. PredefinedSpecifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than LengthEnter a field length value in bytes that response field lengths will be matched against.
Response Header FieldApplies the regular expression match to the header of the response.

PredefinedSpecifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular ExpressionLists the defined regular expressions to match.

ASDM User Guide

6-76

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Response Header CountApplies the regular expression match to the header of the response

with a maximum number of headers. Greater Than CountEnter the maximum number of headers.
Response Header LengthApplies the regular expression match to the header of the response

with length greater than the bytes specified. Greater Than LengthEnter a header length value in bytes.
Response Header non-ASCIIMatches non-ASCII characters in the header of the response. Response Status LineApplies the regular expression match to the status line.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple MatchesSpecifies multiple matches for the HTTP inspection.


H323 Traffic ClassSpecifies the HTTP traffic class match. ManageOpens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class

Maps.

ActionDrop connection, reset, or log. LogEnable or disable.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Instant Messaging (IM) Inspect Map


Configuration > Global Objects > Inspect Maps > IM The IM pane lets you view previously configured Instant Messaging (IM) application inspection maps. An Instant Messaging (IM) map lets you change the default configuration values used for Instant Messaging (IM) application inspection.

ASDM User Guide OL-10106-01

6-77

Chapter 6 Configuring Inspect Maps

Global Objects

Instant Messaging (IM) application inspection provides detailed access control to control network usage. It also helps stop leakage of confidential data and propagations of network threats. A regular expression database search representing various patterns for Instant Messaging (IM) protocols to be filtered is applied. A syslog is generated if the flow is not recognized. The scope can be limited by using an access list to specify any traffic streams to be inspected. For UDP messages, a corresponding UDP port number is also configurable. Inspection of Yahoo! Messenger and MSN Messenger instant messages are supported.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. IM Inspect MapsTable that lists the defined IM inspect maps. The defined inspect maps are also listed in the IM area of the Inspect Maps tree. AddAdds the new IM inspect map to the defined list in the IM Inspect Maps table and to the IM area of the Inspect Maps tree. To configure the new IM map, select the IM entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the IM Inspect Maps table and from the IM area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Instant Messaging (IM) Inspect Map View


Configuration > Global Objects > Inspect Maps > IM > IM Inspect Map > View The IM Inspect Map View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured IM map. DescriptionEnter the description of the IM map, up to 200 characters in length. Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the IM inspection. ValueShows the value to match in the IM inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add IM Inspect dialog box to add an IM inspection. EditOpens the Edit IM Inspect dialog box to edit an IM inspection. DeleteDeletes an IM inspection.

ASDM User Guide

6-78

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit IM Map
Configuration > Global Objects > Inspect Maps > IM > IM Inspect Map > View > Add/Edit IM Inspect The Add/Edit IM Inspect dialog box lets you define the match criterion and value for the IM inspect map.
Fields

Single MatchSpecifies that the IM inspect has only one match statement. Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of IM traffic to match.


ProtocolMatch IM protocols. ServiceMatch IM services. Source IP AddressMatch source IP address. Destination IP AddressMatch destination IP address. VersionMatch IM file transfer service version. Client Login NameMatch client login name from IM service. Client Peer Login NameMatch client peer login name from IM service. FilenameMatch filename form IM file transfer service.

Protocol Criterion ValuesSpecifies which IM protocols to match.


Yahoo! MessengerSpecifies to match Yahoo! Messenger instant messages. MSN MessengerSpecifies to match MSN Messenger instant messages.

Service Criterion ValuesSpecifies which IM services to match.


ChatSpecifies to match IM message chat service. ConferenceSpecifies to match IM conference service. File TransferSpecifies to match IM file transfer service. GamesSpecifies to match IM gaming service. Voice ChatSpecifies to match IM voice chat service (not available for Yahoo IM)

ASDM User Guide OL-10106-01

6-79

Chapter 6 Configuring Inspect Maps

Global Objects

Web CamSpecifies to match IM webcam service.

Source IP Address Criterion ValuesSpecifies to match the source IP address of the IM service.
IP AddressEnter the source IP address of the IM service. IP MaskMask of the source IP address.

Destination IP Address Criterion ValuesSpecifies to match the destination IP address of the IM service.
IP AddressEnter the destination IP address of the IM service. IP MaskMask of the destination IP address.

Version Criterion ValuesSpecifies to match the version from the IM file transfer service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Client Login Name Criterion ValuesSpecifies to match the client login name from the IM service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Client Peer Login Name Criterion ValuesSpecifies to match the client peer login name from the IM service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Filename Criterion ValuesSpecifies to match the filename from the IM file transfer service. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Multiple MatchesSpecifies multiple matches for the IM inspection.

ASDM User Guide

6-80

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

IM Traffic ClassSpecifies the IM traffic class match. ManageOpens the Manage IM Class Maps dialog box to add, edit, or delete IM Class Maps.

ActionDrop connection, reset, or log. LogEnable or disable.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IPSec Pass Through Inspect Map


Configuration > Global Objects > Inspect Maps > IPSec Pass Through The IPSec Pass Through pane lets you view previously configured IPSec Pass Through application inspection maps. An IPSec Pass Through map lets you change the default configuration values used for IPSec Pass Through application inspection. You can use an IPSec Pass Through map to permit certain flows without using an access list.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high or low).
LowDefault.

Maximum ESP flows per client: Unlimited. ESP idle timeout: 00:10:00. Maximum AH flows per client: Unlimited. AH idle timeout: 00:10:00.
High

Maximum ESP flows per client:10. ESP idle timeout: 00:00:30. Maximum AH flows per client: 10. AH idle timeout: 00:00:30.
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Low.

IPSec Pass Through Inspect MapsTable that lists the defined IPSec Pass Through inspect maps. The defined inspect maps are also listed in the IPSec Pass Through area of the Inspect Maps tree.

ASDM User Guide OL-10106-01

6-81

Chapter 6 Configuring Inspect Maps

Global Objects

AddAdds the new IPSec Pass Through inspect map to the defined list in the IPSec Pass Through Inspect Maps table and to the IPSec Pass Through area of the Inspect Maps tree. To configure the new IPSec Pass Through map, select the IPSec Pass Through entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the IPSec Pass Through Inspect Maps table and from the IPSec Pass Through area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > IPSec Pass Through> Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured IPSec Pass Through application inspection maps.
Fields

SettingsSpecifies IPSec Pass Through security settings and actions.


Limit ESP flows per clientLimits ESP flows per client.

MaximumSpecify maximum limit.


Apply ESP idle timeoutApplies ESP idle timeout.

TimeoutSpecify timeout.
Limit AH flows per clientLimits AH flows per client.

MaximumSpecify maximum limit.


Apply AH idle timeoutApplies AH idle timeout.

TimeoutSpecify timeout.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is low.
Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

6-82

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IPSec Pass Through Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > IPSec Pass Through> IPSec Pass Through Inspect Map > Basic View The IPSec Pass Through Inspect Map Basic View pane lets you configure basic settings for the inspect map.
Fields

DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high or low).
LowDefault.

Maximum ESP flows per client: Unlimited. ESP idle timeout: 00:10:00. Maximum AH flows per client: Unlimited. AH idle timeout: 00:10:00.
High

Maximum ESP flows per client:10. ESP idle timeout: 00:00:30. Maximum AH flows per client: 10. AH idle timeout: 00:00:30.
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Low.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-83

Chapter 6 Configuring Inspect Maps

Global Objects

IPSec Pass Through Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps >IPSec Pass Through > IPSec Pass Through Inspect Map > Advanced View The IPSec Pass Through Inspect Map Advanced View pane lets you configure advanced settings for the inspect map.
Fields

NameShows the name of the previously configured IPSec Pass Through map. DescriptionEnter the description of the IPSec Pass Through map, up to 200 characters in length. Limit ESP flows per clientLimits ESP flows per client.
MaximumSpecify maximum limit.

Apply ESP idle timeoutApplies ESP idle timeout.


TimeoutSpecify timeout.

Limit AH flows per clientLimits AH flows per client.


MaximumSpecify maximum limit.

Apply AH idle timeoutApplies AH idle timeout.


TimeoutSpecify timeout.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

MGCP Inspect Map


Configuration > Global Objects > Inspect Maps > MGCP The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Command Queue SizeSpecifies the maximum number of commands to queue. The valid range is from 1 to 2147483647. Gateways and Call AgentsOpens the Gateways and Call Agents dialog box to add an MGCP map. MGCP Inspect MapsTable that lists the defined MGCP inspect maps. The defined inspect maps are also listed in the MGCP area of the Inspect Maps tree.

ASDM User Guide

6-84

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

AddAdds the new MGCP inspect map to the defined list in the MGCP Inspect Maps table and to the MGCP area of the Inspect Maps tree. To configure the new MGCP map, select the MGCP entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the MGCP Inspect Maps table and from the MGCP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Gateways and Call Agents


Configuration > Global Objects > Inspect Maps > MGCP > Gateways and Call Agents The Gateways and Call Agents dialog box lets you configure groups of gateways and call agents for the map.
Fields

Group IDIdentifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647CriterionShows the criterion of the inspection. GatewaysIdentifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727. Call AgentsIdentifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427. AddDisplays the Add MGCP dialog box, which you can use to define a new application inspection map. EditDisplays the Edit MGCP dialog box, which you can use to modify the application inspection map selected in the application inspection map table. DeleteDeletes the application inspection map selected in the application inspection map table.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

6-85

Chapter 6 Configuring Inspect Maps

Global Objects

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

MGCP Inspect Map View


Configuration > Global Objects > Inspect Maps > MGCP > MGCP Inspect Map > View The MGCP Inspect Map View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured MGCP map. DescriptionEnter the description of the MGCP map, up to 200 characters in length. Command QueueTab that lets you specify the permitted queue size for MGCP commands.
Command Queue SizeSpecifies the maximum number of commands to queue. The valid

range is from 1 to 2147483647.

Gateways and Call AgentsTab that lets you configure groups of gateways and call agents for this map.
Group IDIdentifies the ID of the call agent group. A call agent group associates one or more

call agents with one or more MGCP media gateways. The gateway IP address can only be associated with one group ID. You cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647CriterionShows the criterion of the inspection.
GatewaysIdentifies the IP address of the media gateway that is controlled by the associated

call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
Call AgentsIdentifies the IP address of a call agent that controls the MGCP media gateways

in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
AddDisplays the Add MGCP Group dialog box, which you can use to define a new MGCP

group of gateways and call agents.


EditDisplays the Edit MGCP dialog box, which you can use to modify the MGCP group

selected in the Gateways and Call Agents table.


DeleteDeletes the MGCP group selected in the Gateways and Call Agents table.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

6-86

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit MGCP Group


Configuration > Global Objects > Inspect Maps > MGCP > Add/Edit MGCP Group The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled.
Fields

Group IDSpecifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The valid range is from 0 to 2147483647. Gateways area
Gateway to Be AddedSpecifies the IP address of the media gateway that is controlled by the

associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.
AddAdds the specified IP address to the IP address table. DeleteDeletes the selected IP address from the IP address table. IP AddressLists the IP addresses of the gateways in the call agent group.

Call Agents
Call Agent to Be AddedSpecifies the IP address of a call agent that controls the MGCP media

gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.
AddAdds the specified IP address to the IP address table. DeleteDeletes the selected IP address from the IP address table. IP AddressLists the IP addresses of the call agents in the call agent group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-87

Chapter 6 Configuring Inspect Maps

Global Objects

NetBIOS Inspect Map


Configuration > Global Objects > Inspect Maps > NetBIOS The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection. NetBIOS application inspection performs NAT for the embedded IP address in the NetBIOS name service packets and NetBIOS datagram services packets. It also enforces protocol conformance, checking the various count and length fields for consistency.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Check for protocol violationsChecks for protocol violations and executes specified action.
ActionDrop packet or log. LogEnable or disable.

NetBIOS Inspect MapsTable that lists the defined NetBIOS inspect maps. The defined inspect maps are also listed in the NetBIOS area of the Inspect Maps tree. AddAdds the new NetBIOS inspect map to the defined list in the NetBIOS Inspect Maps table and to the NetBIOS area of the Inspect Maps tree. To configure the new NetBIOS map, select the NetBIOS entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the NetBIOS Inspect Maps table and from the NetBIOS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

NetBIOS Inspect Map View


Configuration > Global Objects > Inspect Maps > NetBIOS > NetBIOS Inspect Map > View The NetBIOS Inspect Map View pane lets you configure the settings for the inspect map.
Fields

NameShows the name of the previously configured NetBIOS map. DescriptionEnter the description of the NetBIOS map, up to 200 characters in length. Check for protocol violationsChecks for protocol violations and executes specified action.
ActionDrop packet or log. LogEnable or disable.

ASDM User Guide

6-88

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

RADIUS Inspect Map


Configuration > Global Objects > Inspect Maps > RADIUS The RADIUS pane lets you view previously configured RADIUS application inspection maps. A RADIUS map lets you change the default configuration values used for RADIUS application inspection. ou can use a RADIUS map to protect against an overbilling attack.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. RADIUS Inspect MapsTable that lists the defined RADIUS inspect maps. The defined inspect maps are also listed in the RADIUS area of the Inspect Maps tree. AddAdds the new RADIUS inspect map to the defined list in the RADIUS Inspect Maps table and to the RADIUS area of the Inspect Maps tree. To configure the new RADIUS map, select the RADIUS entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the RADIUS Inspect Maps table and from the RADIUS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

RADIUS Inspect Map Host


Configuration > Global Objects > Inspect Maps > RADIUS > RADIUS Inspect Map > Host The RADIUS Inspect Map Host Parameters pane lets you configure the host parameter settings for the inspect map.
Fields

NameShows the name of the previously configured RADIUS accounting map.

ASDM User Guide OL-10106-01

6-89

Chapter 6 Configuring Inspect Maps

Global Objects

DescriptionEnter the description of the RADIUS accounting map, up to 200 characters in length. Host ParametersLets you configure host parameters.
Host IP AddressSpecify the IP address of the host that is sending the RADIUS messages. Key: (optional)Specify the key.

AddAdds the host entry to the Host table. DeleteDeletes the host entry from the Host table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

RADIUS Inspect Map Other


Configuration > Global Objects > Inspect Maps > RADIUS > RADIUS Inspect Map > Other The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map.
Fields

NameShows the name of the previously configured RADIUS accounting map. DescriptionEnter the description of the RADIUS accounting map, up to 200 characters in length. Other ParametersLets you configure additional parameters.
Attribute NumberSpecify the attribute number to validate when an Accounting Start is

received.

AddAdds the entry to the Attribute table. DeleteDeletes the entry from the Attribute table. Send response to the originator of the RADIUS messageSends a message back to the host from which the RADIUS message was sent. Enforce timeoutEnables the timeout for users.
Users TimeoutTimeout for the users in the database (hh:mm:ss).

Enable detection of GPRS accountingEnables detection of GPRS accounting. This option is only available when GTP/GPRS license is enabled.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

6-90

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SCCP (Skinny) Inspect Map


Configuration > Global Objects > Inspect Maps > SCCP (Skinny) The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps. An SCCP (Skinny) map lets you change the default configuration values used for SCCP (Skinny) application inspection. Skinny application inspection performs translation of embedded IP address and port numbers within the packet data, and dynamic opening of pinholes. It also performs additional protocol conformance checks and basic state tracking.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high or low).
LowDefault.

Registration: Not enforced. Maximum message ID: 0x181. Minimum prefix length: 4 Media timeout: 00:05:00 Signaling timeout: 01:00:00. RTP conformance: Not enforced.
Medium

Registration: Not enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No.
High

Registration: Enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Maximum prefix length: 65536.

ASDM User Guide OL-10106-01

6-91

Chapter 6 Configuring Inspect Maps

Global Objects

Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: Yes.
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Low.

Message ID FilteringOpens the Messaging ID Filtering dialog box for configuring message ID filters. SCCP (Skinny) Inspect MapsTable that lists the defined SCCP (Skinny) inspect maps. The defined inspect maps are also listed in the SCCP (Skinny) area of the Inspect Maps tree. AddAdds the new SCCP (Skinny) inspect map to the defined list in the SCCP (Skinny) Inspect Maps table and to the SCCP (Skinny) area of the Inspect Maps tree. To configure the new SCCP (Skinny) map, select the SCCP (Skinny) entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the SCCP (Skinny) Inspect Maps table and from the SCCP (Skinny) area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customize Security Level


Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured SCCP (Skinny) application inspection maps.
Fields

SettingsSpecifies SCCP (Skinny) security settings and actions.


Enforce endpoint registrationEnforce that Skinny endpoints are registered before placing or

receiving calls. Maximum Message IDSpecify value of maximum SCCP message ID allowed (0x0 to 0xffff).
SCCP Prefix LengthSpecifies prefix length value in Skinny messages (4 to 4,294,967,295).

Minimum Prefix LengthSpecify minimum value of SCCP prefix length allowed. Maximum Prefix LengthSpecify maximum value of SCCP prefix length allowed.
Enable media timeoutEnables media timeout.

Media TimeoutSpecify timeout value for media connections (0:0:01 to 1993:0:0).


Enable signaling timeoutEnables signaling timeout.

ASDM User Guide

6-92

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Signaling TimeoutSpecify timeout value for signaling connections (0:0:01 to 1993:0:0).


Check RTP packets for protocol conformanceChecks RTP/RTCP packets flowing on the

pinholes for protocol conformance. Limit payload to audio or video, based on the signaling exchangeEnforces the payload type to be audio/video based on the signaling exchange.

Reset to predefined security levelResets the security level settings to the predefined levels of high, medium, or low. Default is low.
Reset toSpecifies high, medium, or low security setting. ResetReset settings to selected level.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Message ID Filtering
Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > Message ID Filtering The Message ID Filtering dialog box lets you configure the settings for a message ID filter.
Fields

Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the inspection. ValueShows the value to match in the inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add Message ID Filtering dialog box to add a message ID filter. EditOpens the Edit Message ID Filtering dialog box to edit a message ID filter. DeleteDeletes a message ID filter. Move UpMoves an entry up in the list. Move DownMoves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

6-93

Chapter 6 Configuring Inspect Maps

Global Objects

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SCCP (Skinny) Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Basic View The SCCP (Skinny) Inspect Map Basic View pane shows the configured settings for the SCCP (Skinny) inspect map. The Advanced View lets you configure the settings.
Fields

NameShows the name of the previously configured SCCP (Skinny) map. DescriptionEnter the description of the DNS map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default. Message ID FilteringOpens the Messaging ID Filtering dialog box for configuring message

ID filters.

Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SCCP (Skinny) Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Advanced View The SCCP (Skinny) Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields

NameShows the name of the previously configured SCCP (Skinny) map. DescriptionEnter the description of the DNS map, up to 200 characters in length. ParametersTab that lets you configure the parameter settings for SCCP (Skinny).

ASDM User Guide

6-94

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Enforce endpoint registrationEnforce that Skinny endpoints are registered before placing or

receiving calls. Maximum Message IDSpecify value of maximum SCCP message ID allowed.
SCCP Prefix LengthSpecifies prefix length value in Skinny messages.

Minimum Prefix LengthSpecify minimum value of SCCP prefix length allowed. Maximum Prefix LengthSpecify maximum value of SCCP prefix length allowed.
Media TimeoutSpecify timeout value for media connections. Signaling TimeoutSpecify timeout value for signaling connections.

RTP ConformanceTab that lets you configure the RTP conformance settings for SCCP (Skinny).
Check RTP packets for protocol conformanceChecks RTP/RTCP packets flowing on the

pinholes for protocol conformance. Limit payload to audio or video, based on the signaling exchangeEnforces the payload type to be audio/video based on the signaling exchange.

Message ID FilteringTab that lets you configure the message ID filtering settings for SCCP (Skinny).
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the inspection. ValueShows the value to match in the inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add Message ID Filtering dialog box to add a message ID filter. EditOpens the Edit Message ID Filtering dialog box to edit a message ID filter. DeleteDeletes a message ID filter. Move UpMoves an entry up in the list. Move DownMoves an entry down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Message ID Filter


Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Advanced View > Add/Edit Message ID Filter The Add Message ID Filter dialog box lets you configure message ID filters.

ASDM User Guide OL-10106-01

6-95

Chapter 6 Configuring Inspect Maps

Global Objects

Fields

Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of SCCP (Skinny) traffic to match.


Message IDMatch specified message ID.

Message IDSpecify value of maximum SCCP message ID allowed.


Message ID RangeMatch specified message ID range.

Lower Message IDSpecify lower value of SCCP message ID allowed. Upper Message IDSpecify upper value of SCCP message ID allowed.

ActionDrop packet. LogEnable or disable.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SIP Inspect Map


Configuration > Global Objects > Inspect Maps > SIP The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection. SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats. SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.
Fields

NameEnter the name of the inspect map, up to 40 characters in length. DescriptionEnter the description of the inspect map, up to 200 characters in length. Security LevelSelect the security level (high or low).
LowDefault.

SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide servers and endpoints IP addresses: Disabled.

ASDM User Guide

6-96

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Mask software version and non-SIP URIs: Disabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Not enforced. SIP conformance: Do not perform state checking and header validation.
Medium

SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Permitted. Hide servers and endpoints IP addresses: Disabled. Mask software version and non-SIP URIs: Disabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No SIP conformance: Drop packets that fail state checking.
High

SIP instant messaging (IM) extensions: Enabled. Non-SIP traffic on SIP port: Denied. Hide servers and endpoints IP addresses: Disabled. Mask software version and non-SIP URIs: Enabled. Ensure that the number of hops to destination is greater than 0: Enabled. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: Yes SIP conformance: Drop packets that fail state checking and packets that fail header validation.
CustomizeOpens the Customize Security Level dialog box for additional settings. Default LevelSets the security level back to the default level of Low.

SIP Inspect MapsTable that lists the defined SIP inspect maps. The defined inspect maps are also listed in the SIP area of the Inspect Maps tree. AddAdds the new SIP inspect map to the defined list in the SIP Inspect Maps table and to the SIP area of the Inspect Maps tree. To configure the new SIP map, select the SIP entry in Inspect Maps tree. DeleteDeletes the application inspection map selected in the SIP Inspect Maps table and from the SIP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-97

Chapter 6 Configuring Inspect Maps

Global Objects

Customize Security Level


Configuration > Global Objects > Inspect Maps > SIP > Customize Security Level The Customize Security Level dialog box lets you configure the security settings for previously configured SIP application inspection maps.
Fields

SettingsLets you configure additional SIP settings, including RTP and SIP conformance.
Enable SIP instant messaging (IM) extensionsEnables Instant Messaging extensions. Default

is enabled.
Permit non-SIP traffic on SIP portPermits non-SIP traffic on SIP port. Permitted by default. Hide servers and endpoints IP addressesEnables IP address privacy. Disabled by default. Mask software version and non-SIP URIsEnables non-SIP URI inspection in Alert-Info and

Call-Info headers.
Ensure that number of hops to destination is greater than 0Enables check for the value of

Max-Forwards header is zero.

RTP Conformance
Check RTP packets for protocol conformanceChecks RTP/RTCP packets flowing on the

pinholes for protocol conformance. Limit payload to audio or video, based on the signaling exchangeEnforces payload type to be audio/video based on the signaling exchange.

SIP Conformance
Do not perform state checking and header validationDisables SIP state checking. Drop packets that fail state checkingDrops packets that fail state checking. Drop connections that fail state checking and packets that fail header validationDrops

connections that fail state checking and packets that fail header validation of SIP messages.

Reset to Predefined Security LevelResets the security level settings to the predefined levels of high, medium, or low.
Reset ToResets the security level to high, medium, or low.

ResetResets all security settings to the default. The default pinhole timeout is one minute. The default endpoint mapper settings are none.CriterionSpecifies which criterion of SIP traffic to match.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

6-98

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

SIP Inspect Map Basic View


Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Basic View The SIP Inspect Map Basic View pane shows the configured settings for the SIP inspect map. The Advanced View lets you configure the settings.
Fields

NameShows the name of the previously configured SIP map. DescriptionEnter the description of the DNS map, up to 200 characters in length. Security LevelShows the current security settings.
CustomizeOpens the Customize Security Level dialog box to configure the security settings. Default LevelSets the security level back to the default.

Advanced ViewLets you configure the security settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SIP Inspect Map Advanced View


Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Advanced View The SIP Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields

NameShows the name of the previously configured SIP map. DescriptionEnter the description of the DNS map, up to 200 characters in length. FilteringTab that lets you configure the filtering settings for SIP.
Enable SIP instant messaging (IM) extensionsEnables Instant Messaging extensions. Default

is enabled.
Permit non-SIP traffic on SIP portPermits non-SIP traffic on SIP port. Permitted by default.

IP Address PrivacyTab that lets you configure the IP address privacy settings for SIP.
Hide servers and endpoints IP addressesEnables IP address privacy. Disabled by default.

Hop CountTab that lets you configure the hop count settings for SIP.
Ensure that number of hops to destination is greater than 0Enables check for the value of

Max-Forwards header is zero. ActionDrop packet, Drop Connection, Reset, Log. LogEnable or Disable.

ASDM User Guide OL-10106-01

6-99

Chapter 6 Configuring Inspect Maps

Global Objects

RTP ConformanceTab that lets you configure the RTP conformance settings for SIP.
Check RTP packets for protocol conformanceChecks RTP/RTCP packets flowing on the

pinholes for protocol conformance. Limit payload to audio or video, based on the signaling exchangeEnforces payload type to be audio/video based on the signaling exchange.

SIP ConformanceTab that lets you configure the SIP conformance settings for SIP.
Enable state transition checkingEnables SIP state checking.

ActionDrop packet, Drop Connection, Reset, Log. LogEnable or Disable.


Enable strict validation of header fieldsEnables validation of SIP header fields.

ActionDrop packet, Drop Connection, Reset, Log. LogEnable or Disable.

Field MaskingTab that lets you configure the field masking settings for SIP.
Inspect non-SIP URIsEnables non-SIP URI inspection in Alert-Info and Call-Info headers.

ActionMask or Log. LogEnable or Disable.


Inspect servers and endpoints software versionInspects SIP endpoint software version in

User-Agent and Server headers. ActionMask or Log. LogEnable or Disable.

InspectionsTab that shows you the SIP inspection configuration and lets you add or edit.
Match TypeShows the match type, which can be a positive or negative match. CriterionShows the criterion of the SIP inspection. ValueShows the value to match in the SIP inspection. ActionShows the action if the match condition is met. LogShows the log state. AddOpens the Add SIP Inspect dialog box to add a SIP inspection. EditOpens the Edit SIP Inspect dialog box to edit a SIP inspection. DeleteDeletes a SIP inspection. Move UpMoves an inspection up in the list. Move DownMoves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

6-100

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

Add/Edit SIP Inspect


Configuration > Global Objects > Inspect Maps > SIP > SIP Inspect Map > Advanced View > Add/Edit SIP Inspect The Add/Edit SIP Inspect dialog box lets you define the match criterion and value for the SIP inspect map.
Fields

Single MatchSpecifies that the SIP inspect has only one match statement. Match TypeSpecifies whether traffic should match or not match the values. For example, if No Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.

CriterionSpecifies which criterion of SIP traffic to match.


Called PartyMatch a called party as specified in the To header. Calling PartyMatch a calling party as specified in the From header. Content LengthMatch a content length header. Content TypeMatch a content type header. IM SubscriberMatch a SIP IM subscriber. Message PathMatch a SIP Via header. Request MethodMatch a SIP request method. Third-Party RegistrationMatch the requester of a third-party registration. URI LengthMatch a URI in the SIP headers.

Called Party Criterion ValuesSpecifies to match the called party. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Calling Party Criterion ValuesSpecifies to match the calling party. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Content Length Criterion ValuesSpecifies to match a SIP content header of a length greater than specified.
Greater Than LengthEnter a header length value in bytes.

ASDM User Guide OL-10106-01

6-101

Chapter 6 Configuring Inspect Maps

Global Objects

Content Type Criterion ValuesSpecifies to match a SIP content header type.


SDPMatch an SDP SIP content header type. Regular ExpressionMatch a regular expression.

Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

IM Subscriber Criterion ValuesSpecifies to match the IM subscriber. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Message Path Criterion ValuesSpecifies to match a SIP Via header. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

Request Method Criterion ValuesSpecifies to match a SIP request method.


Request MethodSpecifies a request method: ack, bye, cancel, info, invite, message, notify,

options, prack, refer, register, subscribe, unknown, update.

Third-Party Registration Criterion ValuesSpecifies to match the requester of a third-party registration. Applies the regular expression match.
Regular ExpressionLists the defined regular expressions to match. ManageOpens the Manage Regular Expressions dialog box, which lets you configure regular

expressions.
Regular Expression ClassLists the defined regular expression classes to match. ManageOpens the Manage Regular Expression Class dialog box, which lets you configure

regular expression class maps.

URI Length Criterion ValuesSpecifies to match a URI in the SIP headers greater than specified length.
URI typeSpecifies to match either SIP URI or TEL URI. Greater Than LengthLength in bytes.

Multiple MatchesSpecifies multiple matches for the DNS inspection.

ASDM User Guide

6-102

OL-10106-01

Chapter 6

Global Objects Configuring Inspect Maps

DNS Traffic ClassSpecifies the SIP traffic class match. ManageOpens the Manage DNS Class Maps dialog box to add, edit, or delete DNS Class

Maps.

ActionsPrimary action and log settings.


ActionDrop packet, drop connection, reset, log. LogEnable or disable.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SNMP Inspect Map


Configuration > Global Objects > Inspect Maps > SNMP The SNMP pane lets you view previously configured SNMP application inspection maps. An SNMP map lets you change the default configuration values used for SNMP application inspection.
Fields

Map NameLists previously configured application inspection maps. Check a map and click Edit to view or change an existing map. Disallowed SNMP VersionsIdentifies the SNMP versions that have been disallowed for a specific SNMP application inspection map. AddDisplays the Add SNMP dialog box, which you can use to define a new application inspection map. EditDisplays the Edit SNMP dialog box, which you can use to modify the application inspection map selected in the application inspection map table. DeleteDeletes the application inspection map selected in the application inspection map table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-103

Chapter 6 Configuring Regular Expressions

Global Objects

Add/Edit SNMP Map


Configuration > Global Objects > Inspect Maps > SNMP > Add/Edit SNMP Map (You can get to this dialog box through various paths.) The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.
Fields

SNMP Map NameDefines the name of the application inspection map. SNMP version 1Enables application inspection for SNMP version 1. SNMP version 2 (party based)Enables application inspection for SNMP version 2. SNMP version 2c (community based)Enables application inspection for SNMP version 2c. SNMP version 3Enables application inspection for SNMP version 3.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring Regular Expressions


This section describes how to configure regular expressions, and includes the following topics:

Regular Expressions, page 6-104 Add/Edit Regular Expression, page 6-105 Build Regular Expression, page 6-107 Test Regular Expression, page 6-109 Add/Edit Regular Expression Class Map, page 6-110

Regular Expressions
Configuration > Global Objects > Regular Expressions Some Configuring Class Maps and Configuring Inspect Maps can specify regular expressions to match text inside a packet. Be sure to create the regular expressions before you configure the class map or inspect map, either singly or grouped together in a regular expression class map. A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match body text inside an HTTP packet.

ASDM User Guide

6-104

OL-10106-01

Chapter 6

Global Objects Configuring Regular Expressions

Fields

Regular ExpressionsShows the regular expressions


NameShows the regular expression names. ValueShows the regular expression definitions. AddAdds a regular expression. EditEdits a regular expression. DeleteDeletes a regular expression.

Regular Expression ClassesShows the regular expression class maps.


NameShows the regular expression class map name. Match ConditionsShows the match type and regular expressions in the class map.

Match TypeShows the match type, which for regular expressions is always a positive match type (shown by the icon with the equal sign (=)) the criteria. (Inspection class maps allow you to create negative matches as well (shown by the icon with the red circle)). If more than one regular expression is in the class map, then each match type icon appears with OR next it, to indicate that this class map is a match any class map; traffic matches the class map if only one regular expression is matched. Regular ExpressionLists the regular expressions included in each class map.
DescriptionShows the description of the class map. AddAdds a regular expression class map. EditEdits a regular expression class map. DeleteDeletes a regular expression class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Regular Expression


Configuration > Global Objects > Regular Expressions > Add/Edit a Regular Expression The Add/Edit Regular Expression dialog box lets you define and test a regular expression.
Fields

NameEnter the name of the regular expression, up to 40 characters in length. ValueEnter the regular expression, up to 100 characters in length. You can enter the text manually, using the metacharacters in Table 6-1, or you can click Build to use the Build Regular Expression dialog box. Table 6-1 lists the metacharacters that have special meanings.

ASDM User Guide OL-10106-01

6-105

Chapter 6 Configuring Regular Expressions

Global Objects

Table 6-1

regex Metacharacters

Character Description . Dot

Notes Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit. A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz. Matches either expression it separates. For example, dog|cat matches dog or cat. A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.
Note

(exp)

Subexpression

| ?

Alternation Question mark

You must enter Ctrl+V and then the question mark or else the help function is invoked.

Asterisk

A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc. A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse. Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz. Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc. Matches any character in the brackets. For example, [abc] matches a, b, or c. Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter. Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].

Plus

{x} {x,} [abc] [^abc]

Repeat quantifier Minimum repeat quantifier Character class Negated character class

[a-c]

Character range class

""

Quotation marks

Preserves trailing or leading spaces in the string. For example, " test" preserves the leading space when it looks for a match. Specifies the beginning of a line.

Caret

ASDM User Guide

6-106

OL-10106-01

Chapter 6

Global Objects Configuring Regular Expressions

Table 6-1

regex Metacharacters (continued)

Character Description \ Escape character

Notes When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket. When character is not a metacharacter, matches the literal character. Matches a carriage return 0x0d. Matches a new line 0x0a. Matches a tab 0x09. Matches a form feed 0x0c. Matches an ASCII character using hexadecimal (exactly two digits). Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.

char \r \n \t \f \xNN \NNN

Character Carriage return Newline Tab Formfeed Escaped hexadecimal number Escaped octal number

BuildHelps you build a regular expression using the Build Regular Expression dialog box. TestTests a regular expression against some sample text.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Build Regular Expression


Configuration > Global Objects > Regular Expressions > Add/Edit a Regular Expression > Build Regular Expression The Build Regular Expression dialog box lets you construct a regular expression out of characters and metacharacters. Fields that insert metacharacters include the metacharacter in parentheses in the field name.
Fields

Build SnippetThis area lets you build text snippets of regular text or lets you insert a metacharacter into the Regular Expression field.

Starts at the beginning of the line (^)Indicates that the snippet should start at the beginning of a line, using the caret (^) metacharacter. Be sure to insert any snippet with this option at the beginning of the regular expression. Specify Character StringEnter a text string manually.

ASDM User Guide OL-10106-01

6-107

Chapter 6 Configuring Regular Expressions

Global Objects

Character StringEnter a text string. Escape Special CharactersIf you entered any metacharacters in your text string that you want

to be used literally, check this box to add the backslash (\) escape character before them. for example, if you enter example.com, this option converts it to example\.com.
Ignore CaseIf you want to match upper and lower case characters, this check box

automatically adds text to match both upper and lower case. For example, entering cats is converted to [cC][aA][tT][sS].

Specify CharacterLets you specify a metacharacter to insert in the regular expression.


Negate the characterSpecifies not to match the character you identify. Any character (.)Inserts the period (.) metacharacter to match any character. For example, d.g

matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
Character setInserts a character set. Text can match any character in the set. Sets include:

[0-9A-Za-z] [0-9] [A-Z] [a-z] [aeiou] [\n\f\r\t] (which matches a new line, form feed, carriage return, or a tab) For example, if you specify [0-9A-Za-z], then this snippet will match any character from A to Z (upper or lower case) or any digit 0 through 9.
Special characterInserts a character that requires an escape, including \, ?, *, +, |, ., [, (, or ^.

The escape character is the backslash (\), which is auatomatically entered when you choose this option.
Whitespace characterWhitespace characters include \n (new line), \f (form feed), \r (carriage

return), or \t (tab).
Three digit octal numberMatches an ASCII character as octal (up to three digits). For

example, the character \040 represents a space. The backslash (\) is entered automatically.
Two digit hexadecimal numberMatches an ASCII character using hexadecimal (exactly two

digits). The backslash (\) is entered automatically.


Specified characterEnter any single character.

Snippet PreviewDisplay only. Shows the snippet as it will be entered in the regular expression. Append SnippetAdds the snippet to the end of the regular expression. Append Snippet as AlternateAdds the snippet to the end of the regular expression separated by a pipe (|), which matches either expression it separates. For example, dog|cat matches dog or cat. Insert Snippet at CursorInserts the snippet at the cursor.

Regular ExpressionThis area includes regular expression text that you can enter manually and build with snippets. You can then select text in the Regular Expression field and apply a quantifier to the selection.

Selection OccurrancesSelect text in the Regular Expression field, click one of the following options, and then click Apply to Selection. For example, if the regular expression is test me, and you select me and apply One or more times, then the regular expression changes to test (me)+.
Zero or one times (?)A quantifier that indicates that there are 0 or 1 of the previous

expression. For example, lo?se matches lse or lose.

ASDM User Guide

6-108

OL-10106-01

Chapter 6

Global Objects Configuring Regular Expressions

One or more times (+)A quantifier that indicates that there is at least 1 of the previous

expression. For example, lo+se matches lose and loose, but not lse.
Any number of times (*)A quantifier that indicates that there are 0, 1 or any number of the

previous expression. For example, lo*se matches lse, lose, loose, etc.
At leastRepeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc. ExactlyRepeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz. Apply to SelectionApplies the quantifier to the selection.

TestTests a regular expression against some sample text.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Test Regular Expression


Configuration > Global Objects > Regular Expressions > Add/Edit a Regular Expression > Test Regular Expression The Test Regular Expression dialog box lets you test input text against a regular expression to make sure it matches as you intended.
Fields

Regular ExpressionEnter ther regular expression you want to test. By default, the regular expression you entered in the Add/Edit Regular Expression or Build Regular Expression dialog box is input into this field. If you change the regular expression during your testing, and click OK, the changes are inherited by the Add/Edit Regular Expression or Build Regular Expression dialog boxes. Click Cancel to dismiss your changes. Test StringEnter a text string that you expect to match the regular expression. TestTests the Text String against the Regular Expression, Test ResultDisplay only. Shows if the test succeeded or failed.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-109

Chapter 6 TCP Maps

Global Objects

Add/Edit Regular Expression Class Map


Configuration > Global Objects > Regular Expressions > Add/Edit Regular Expression Class Map The Add/Edit Regular Expression Class Map dialog box groups regular expressions together. A regular expression class map can be used by inspection class maps and inspection policy maps.
Fields

NameEnter a name for the class map, up to 40 characters in length. The name class-default is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. DescriptionEnter a description, up to 200 characters in length. Available Regular ExpressionsLists the regular expressions that are not yet assigned to the class map.
EditEdits the selected regular expression. NewCreates a new regular expression.

AddAdds the selected regular expression to the class map. RemoveRemoves the selected regular expression from the class map. Configured Match ConditionsShows the regular expressions in this class map, along with the match type.
Match TypeShows the match type, which for regular expressions is always a positive match

type (shown by the icon with the equal sign (=)) the criteria. (Inspection class maps allow you to create negative matches as well (shown by the icon with the red circle)). If more than one regular expression is in the class map, then each match type icon appears with OR next it, to indicate that this class map is a match any class map; traffic matches the class map if only one regular expression is matched.
Regular ExpressionLists the regular expression names in this class map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

TCP Maps
Configuration > Global Objects > TCP Maps (You can get to this pane through various paths.) Use the TCP Maps option to create a reusable component that defines the TCP connection settings for different traffic flows. After creating a TCP map, you can associate these connection settings with traffic of a specific type using a security policy. You use the Service Policy Rules option on the Security Policy pane to define the traffic criteria and to associate the service policy rule with a specific interface or to apply it to all the interfaces on the security appliance.

ASDM User Guide

6-110

OL-10106-01

Chapter 6

Global Objects TCP Maps

The TCP Maps pane lets you customize inspection on TCP flow for both through and to the box traffic.
Fields

Map NameLists a TCP map name used to apply a TCP map. Urgent FlagLists whether the URG pointer is cleared or allowed through the security appliance. Window VariationLists whether a connection that has changed its window size unexpectedly is allowed or dropped. SYN DataLists whether SYN packets with data are allowed or dropped. TTL Evasion ProtectionLists whether the TTL evasion protection offered by the security appliance is enabled or disabled. Exceed MSSLists whether packets that exceed MSS set by peer are allowed or dropped. Check RetransmissionLists whether the retransmit data check is enabled or disabled. Verify ChecksumLists whether checksum verification is enabled or disabled. Reserved BitsLists the status of the reserved flags policy. TCP OptionLists the behavior of packets with TCP option value configured. The default action is to clear the options and allow the packets.
Clear Selective AckLists whether the selective-ack TCP option is allowed or cleared. Clear TCP TimestampLists whether the TCP timestamp option is allowed or cleared. Clear Window ScaleLists whether the window scale timestamp option is allowed or cleared. RangeLists the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower

bound should be less than or equal to the upper bound.

Queue SizeLists the maximum number of out-of-order packets that can be queued for a TCP connection. Default is 0.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit TCP Map


Configuration > Global Objects > TCP Maps > Add/Edit TCP Map (You can get to this dialog box through various paths.) The Add/Edit TCP Maps dialog box lets you define the class of traffic and customize the TCP inspection with TCP maps. Apply the TCP map using policy map and activate TCP inspection using service policy.
Fields

TCP Map NameSpecifies a TCP map name to use to apply a TCP map. Clear Urgent FlagAllows or clears the URG pointer through the security appliance.

ASDM User Guide OL-10106-01

6-111

Chapter 6 Configuring Time Ranges

Global Objects

Drop SYN Packets With DataAllows or drops SYN packets with data. Drop Connection on Window VariationDrops a connection that has changed its window size unexpectedly. Enable TTL Evasion ProtectionEnables or disables the TTL evasion protection offered by the security appliance. Drop Packets that Exceed Maximum Segment SizeAllows or drops packets that exceed MSS set by peer. Verify TCP ChecksumEnables and disables checksum verification. Check if transmitted data is the same as originalEnables and disables the retransmit data checks. Reserved BitsSets the reserved flags policy in the security appliance.
Clear and allow Allow only Drop

TCP OptionConfigure the behavior of packets with TCP option value configured. The default action is to clear the options and allow the packets.
Clear Selective AckAllows or clears the selective-ack TCP options. Clear TCP TimestampAllows or clears the TCP timestamp option. Clear Window ScaleAllows or clears the window scale timestamp option.

RangeValid TCP options ranges should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound. ActionAllow or drop.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring Time Ranges


Configuration > Global Objects > Time Ranges (You can get to this pane through multiple paths.) Use the Time Ranges option to create a reusable component that defines starting and ending times that can be applied to various security features. Once you have defined a time range, you can select the time range and apply it to different options that require scheduling. The time range feature lets you define a time range that you can attach to traffic rules, or an action. For example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional periodic entries.

ASDM User Guide

6-112

OL-10106-01

Chapter 6

Global Objects Configuring Time Ranges

Note

Creating a time range does not restrict access to the device. This pane defines the time range only.
Fields

NameSpecifies the name of the time range. Start TimeSpecifies when the time range begins. End TimeSpecifies when the time range ends. Periodic EntriesSpecifies further constraints of active time of the range within the start and stop time specified.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Time Range


Configuration > Global Objects > Time Ranges > Add/Edit Time Range (You can get to this dialog box through multiple paths.) The Add/Edit Time Range pane lets you define specific times and dates that you can attach to an action. For example, you can attach an access list to a time range to restrict access to the security appliance. The time range relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.

Note

Creating a time range does not restrict access to the device. This pane defines the time range only.
Fields

Time Range NameSpecifies the name of the time range. The name cannot contain a space or quotation mark, and must begin with a letter or number. Start now/StartedSpecifies either that the time range begin immediately or that the time range has begun already. The button label changes based on the Add/Edit state of the time range configuration. If you are adding a new time range, the button displays Start Now. If you are editing a time range for which a fixed start time has already been defined, the button displays Start Now. When editing a time range for which there is no fixed start time, the button displays Started. Start atSpecifies when the time range begins.
MonthSpecifies the month, in the range of January through December. DaySpecifies the day, in the range of 01 through 31. YearSpecifies the year, in the range of 1993 through 2035. HourSpecifies the hour, in the range of 00 through 23.

ASDM User Guide OL-10106-01

6-113

Chapter 6 Configuring Time Ranges

Global Objects

MinuteSpecifies the minute, in the range of 00 through 59.

Never endSpecifies that there is no end to the time range. End at (inclusive)Specifies when the time range ends. The end time specified is inclusive. For example, if you specified that the time range expire at 11:30, the time range is active through 11:30 and 59 seconds. In this case, the time range expires when 11:31 begins.
MonthSpecifies the month, in the range of January through December. DaySpecifies the day, in the range of 01 through 31. YearSpecifies the year, in the range of 1993 through 2035. HourSpecifies the hour, in the range of 00 through 23. MinuteSpecifies the minute, in the range of 00 through 59.

Periodic Time RangesConfigures daily or weekly time ranges.


AddAdds a periodic time range. EditEdits the selected periodic time range. DeleteDeletes the selected periodic time range.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Periodic Time Range


Configuration > Global Objects > Time Ranges > Add/Edit Time Range > Add/Edit Periodic Time Range (You can get to this dialog box through multiple paths.) The Add/Edit Periodic Time Range pane lets you fine time ranges further by letting you configure them on a daily or weekly basis.

Note

Creating a time range does not restrict access to the device. This pane defines the time range only.
Fields

Days of the week


Every daySpecifies every day of the week. WeekdaysSpecifies Monday through Friday. WeekendsSpecifies Saturday and Sunday. On these days of the weekLets you choose specific days of the week. Daily Start TimeSpecifies the hour and the minute that the time range begins.

ASDM User Guide

6-114

OL-10106-01

Chapter 6

Global Objects Configuring Time Ranges

Daily End Time (inclusive) areaSpecifies the hour and the minute that the time range ends.

The end time specified is inclusive.

Weekly Interval
FromLists the day of the week, Monday through Sunday. ThroughLists the day of the week, Monday through Sunday. HourLists the hour, in the range of 00 through 23. MinuteLists the minute, in the range of 00 through 59.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

6-115

Chapter 6 Configuring Time Ranges

Global Objects

ASDM User Guide

6-116

OL-10106-01

C H A P T E R

Configuring Security Contexts


This chapter describes how to use security contexts and enable multiple context mode. This chapter includes the following sections:

Security Context Overview, page 7-1 Enabling or Disabling Multiple Context Mode at the CLI, page 7-9 Configuring Resource Classes, page 7-10 Configuring Security Contexts, page 7-16

Security Context Overview


You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. This section provides an overview of security contexts, and includes the following topics:

Common Uses for Security Contexts, page 7-2 Unsupported Features, page 7-2 Context Configuration Files, page 7-2 How the Security Appliance Classifies Packets, page 7-2 Management Access to Security Contexts, page 7-8

ASDM User Guide OL-10106-01

7-1

Chapter 7 Security Context Overview

Configuring Security Contexts

Common Uses for Security Contexts


You might want to use multiple security contexts in the following situations:

You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration. You are a large enterprise or a college campus and want to keep departments completely separate. You are an enterprise that wants to provide distinct security policies to different departments. You have any network that requires more than one security appliance.

Unsupported Features
Multiple context mode does not support the following features:

Dynamic routing protocols Security contexts support only static routes. You cannot enable OSPF or RIP in multiple context mode.

VPN Multicast

Context Configuration Files


Each context has its own configuration file that identifies the security policy, interfaces, and, for supported features, all the options you can configure on a standalone device. You can store context configurations on the internal Flash memory or the external Flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server. In addition to individual security contexts, the security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts. Like the single mode configuration, this configuration resides as the startup configuration. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from a server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named admin. If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the Security Appliance Classifies Packets


Each packet that enters the security appliance must be classified, so that the security appliance can determine to which context to send a packet. This section includes the following topics:

Valid Classifier Criteria, page 7-3 Invalid Classifier Criteria, page 7-4

ASDM User Guide

7-2

OL-10106-01

Chapter 7

Configuring Security Contexts Security Context Overview

Classification Examples, page 7-4

Note

If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.

Valid Classifier Criteria


This section describes the criteria used by the classifier, and includes the following topics:

Unique Interfaces, page 7-3 Unique MAC Addresses, page 7-3 NAT Configuration, page 7-3

Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses


If multiple contexts share an interface, then the classifier uses the interface MAC address. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see Add/Edit Interface > Advanced), or you can automatically generate MAC addresses (see Security Contexts).

NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control. For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context:

Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0

ASDM User Guide OL-10106-01

7-3

Chapter 7 Security Context Overview

Configuring Security Contexts

Note

For management traffic destined for an interface, the interface IP address is used for classification.

Invalid Classifier Criteria


The following configurations are not used for packet classification:

NAT exemptionThe classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify a mapped interface. Routing tableIf a context includes a static route that points to an external router as the next-hop to a subnet, and a different context includes a static command for the same subnet, then the classifier uses the static command to classify packets destined for that subnet and ignores the static route.

Classification Examples
Figure 7-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.
Figure 7-1 Packet Classification with a Shared Interface using MAC Addresses

Internet

Packet Destination: 209.165.201.1 via MAC 000C.F142.4CDC GE 0/0.1 (Shared Interface) Classifier

MAC 000C.F142.4CDA Admin Context Context A

MAC 000C.F142.4CDB Context B

MAC 000C.F142.4CDC

GE 0/1.1 Admin Network

GE 0/1.2 Inside Customer A

GE 0/1.3 Inside Customer B

Host 209.165.202.129

Host 209.165.200.225

Host 209.165.201.1

ASDM User Guide

7-4

OL-10106-01

153367

Chapter 7

Configuring Security Contexts Security Context Overview

Figure 7-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.
Figure 7-2 Packet Classification with a Shared Interface using NAT

Internet

Packet Destination: 209.165.201.3 GE 0/0.1 (Shared Interface) Classifier Admin Context Context A Context B Dest Addr Translation 209.165.201.3 10.1.1.13

GE 0/1.1 Admin Network

GE 0/1.2 Inside Customer A

GE 0/1.3 Inside Customer B

Host 10.1.1.13

Host 10.1.1.13

Host 10.1.1.13

Note that all new incoming traffic must be classified, even from inside networks. Figure 7-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.

Note

If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major restrictions. The classifier relies on the address translation configuration to classify the packet within a context, and you must translate the destination addresses of the traffic. Because you do not usually perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not always possible; the outside network is large, (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.

92399

ASDM User Guide OL-10106-01

7-5

Chapter 7 Security Context Overview

Configuring Security Contexts

Figure 7-3

Incoming Traffic from Inside Networks

Internet

GE 0/0.1 Admin Context Context A Context B

Classifier

GE 0/1.1 Admin Network

GE 0/1.2 Inside Customer A

GE 0/1.3 Inside Customer B

Host 10.1.1.13

Host 10.1.1.13

Host 10.1.1.13

ASDM User Guide

7-6

92395

OL-10106-01

Chapter 7

Configuring Security Contexts Security Context Overview

For transparent firewalls, you must use unique interfaces. Figure 7-4 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 7-4 Transparent Firewall Contexts

Internet

Classifier GE 0/0.2 GE 0/0.1 Admin Context Context A GE 0/0.3 Context B

GE 1/0.1 Admin Network

GE 1/0.2 Inside Customer A

GE 1/0.3 Inside Customer B

Host 10.1.1.13

Host 10.1.2.13

Host 10.1.3.13

Cascading Security Contexts


Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context.

Note

Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.

92401

ASDM User Guide OL-10106-01

7-7

Chapter 7 Security Context Overview

Configuring Security Contexts

Figure 7-5 shows a gateway context with two contexts behind the gateway.
Figure 7-5 Cascading Contexts

Internet GE 0/0.2 Outside Gateway Context Inside GE 0/0.1 (Shared Interface) Outside Admin Context Outside Context A

GE 1/1.8 Inside

GE 1/1.43 Inside
153366

Management Access to Security Contexts


The security appliance provides system administrator access in multiple context mode as well as access for individual context administrators. The following sections describe logging in as a system administrator or as a a context administrator:

System Administrator Access, page 7-8 Context Administrator Access, page 7-9

System Administrator Access


You can access the security appliance as a system administrator in two ways:

Access the security appliance console. From the console, you access the system execution space. Access the admin context using Telnet, SSH, or ASDM. See Chapter 11, Configuring Device Access, to enable Telnet, SSH, and SDM access.

As the system administrator, you can access all contexts. When you change to a context from admin or the system, your username changes to the default enable_15 username. If you configured command authorization in that context, you need to either configure authorization privileges for the enable_15 user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command. For example, you log in to the admin context with the

ASDM User Guide

7-8

OL-10106-01

Chapter 7

Configuring Security Contexts Enabling or Disabling Multiple Context Mode at the CLI

username admin. The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user admin with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as admin by entering the login command. When you change to context B, you must again enter the login command to log in as admin. The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access


You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context. See Chapter 11, Configuring Device Access, to enable Telnet, SSH, and SDM access and to configure management authentication.

Enabling or Disabling Multiple Context Mode at the CLI


Your security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI. This section includes the following topics:

Backing Up the Single Mode Configuration, page 7-9 Enabling Multiple Context Mode, page 7-9 Restoring Single Context Mode, page 7-10

Backing Up the Single Mode Configuration


When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding.

Enabling Multiple Context Mode


The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name admin. To enable multiple mode, enter the following command:
hostname(config)# mode multiple

ASDM User Guide OL-10106-01

7-9

Chapter 7 Configuring Resource Classes

Configuring Security Contexts

You are prompted to reboot the security appliance.

Restoring Single Context Mode


If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device. Because the system configuration does not have any network interfaces as part of its configuration, you must access the security appliance from the console to perform the copy. To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps in the system execution space:
Step 1

To copy the backup version of your original running configuration to the current startup configuration, enter the following command in the system execution space:
hostname(config)# copy flash:old_running.cfg startup-config

Step 2

To set the mode to single mode, enter the following command in the system execution space:
hostname(config)# mode single

The security appliance reboots.

Configuring Resource Classes


By default, all security contexts have unlimited access to the resources of the security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. This section includes the following topics:

Classes and Class Members Overview, page 7-10 Adding a Resource Class, page 7-13

Classes and Class Members Overview


The security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class. This section includes the following topics:

Resource Limits, page 7-11 Default Class, page 7-12 Class Members, page 7-13

ASDM User Guide

7-10

OL-10106-01

Chapter 7

Configuring Security Contexts Configuring Resource Classes

Resource Limits
When you create a class, the security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can use up those resources, potentially affecting service to other contexts. You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an absolute value. You can oversubscribe the security appliance by assigning more than 100 percent of a resource across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 7-6.)
Figure 7-6 Resource Oversubscription

Total Number of System Connections = 999,900 Max. 20% (199,800) 16% (159,984) 12% (119,988) 8% (79,992) 4% (39,996) 1 2 3 4 5 6 Contexts in Class 7 8 9 10 Maximum connections allowed. Connections in use. Connections denied because system limit was reached.
104895

If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the security appliance, then the performance of the security appliance might be impaired. The security appliance lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available or that is practically available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of unassigned connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 7-7.) Setting unlimited access is similar to oversubscribing the security appliance, except that you have less control over how much you oversubscribe the system.

ASDM User Guide OL-10106-01

7-11

Chapter 7 Configuring Resource Classes

Configuring Security Contexts

Figure 7-7

Unlimited Resources

50% 43% 5% 4% 3% 2% 1% A B C Contexts Silver Class 1 2 3 Contexts Gold Class


153211

Maximum connections allowed. Connections in use. Connections denied because system limit was reached.

Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class. If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class. By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions5 sessions. SSH sessions5 sessions. IPSec sessions5 sessions. MAC addresses65,535 entries.

ASDM User Guide

7-12

OL-10106-01

Chapter 7

Configuring Security Contexts Configuring Resource Classes

Figure 7-8 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.
Figure 7-8 Resource Classes

Class Bronze (Some Limits Set)

Default Class

Context D

Class Silver (Some Limits Set) Class Gold (All Limits Set)

Context A

Context C

Context B

Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

Adding a Resource Class


This section describes the panes available for configuring resource classes, and includes the following topics:

Resource Class, page 7-13 Add/Edit Resource Class, page 7-14

Resource Class
System > Configuration > Resource Class The Resource Class pane shows the configured classes and information about each class. It also lets you add, edit, or delete a class.

104689

ASDM User Guide OL-10106-01

7-13

Chapter 7 Configuring Resource Classes

Configuring Security Contexts

Fields

ClassShows the class name. All ResourcesShows the limit for all resources that you do not set individually, which can only be 0, which means unlimited. ConnectionsShows the limit for TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. HostsShows the limit for hosts that can connect through the security appliance. XlatesShows the limit for address translations. TelnetShows the limit for Telnet sessions, by default 5. SSHShows the limit for SSH sessions, by default 5. ASDM SessionsShows the limit for ASDM management sessions, by default 5. ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions, divided between all contexts. MACShows the limit for MAC addresses in the MAC address table in transparent firewall mode, by default 65535. Conns/secShows the limit for connections per second. Fixups/secShows the limit for application inspections per second. Syslogs/secShows the limit for system log messages per second. ContextsShows the contexts assigned to this class. AddAdds a class. EditEdits a class. DeleteDeletes a class. You cannot delete the default class. If you delete a class to which you assigned contexts, the contexts revert to using the default class.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Resource Class


System > Configuration > Security Contexts > Add/Edit Resource Class The Add/Edit Resource Class dialog box lets you add or edit a resource class.
Fields

Resource ClassSets the class name as a string up to 20 characters in length.

ASDM User Guide

7-14

OL-10106-01

Chapter 7

Configuring Security Contexts Configuring Resource Classes

Count Limited ResourcesSets the concurrent limits for resources. For resources that do not have a system limit, you cannot set the percentage; you can only set an absolute value. If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then the resource is unlimited, or the system limit if available.
HostsSets the limit for concurrent hosts that can connect through the security appliance.

Select the check box to enable this limit. If you set the limit to 0, it is unlimited.
TelnetSets the limit for concurrent Telnet sessions. Select the check box to enable this limit.

You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.
ASDM SessionsSets the limit for concurrent ASDM sessions. Select the check box to enable

this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 80 sessions divided between all contexts. ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions, divided between all contexts.
ConnectionsSets the limit for concurrent TCP or UDP connections between any two hosts,

including connections between one host and multiple other hosts. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and the system limit for your model, and selecting Absolute from the list. See the Cisco ASDM Release Notes for the connection limit for your model.
XlatesSets the limit for address translations. Select the check box to enable this limit. If you

set the limit to 0, it is unlimited.


SSHSets the limit for SSH sessions. Select the check box to enable this limit. You can set the

limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.
MAC Entries(Transparent mode only) Sets the limit for MAC address entries in the MAC

address table. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 65535 and selecting Absolute from the list.

Rate Limited ResourcesSets the rate limit for resources. If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then it is unlimited by default.
Conns/secSets the limit for connections per second. Select the check box to enable this limit.

If you set the limit to 0, it is unlimited.


Syslogs/secSets the limit for system log messages per second. Select the check box to enable

this limit. If you set the limit to 0, it is unlimited.

ASDM User Guide OL-10106-01

7-15

Chapter 7 Configuring Security Contexts

Configuring Security Contexts

Inspects/secSets the limit for application inspections per second. Select the check box to

enable this limit. If you set the limit to 0, it is unlimited.

Show Actual Class Limits(Non-default classes only) When you edit a class, this button shows the limits you set plus any inherited limits from the default class for limits you did not set.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Configuring Security Contexts


This section describes how to add security contexts, and includes the following topics:

Security Contexts, page 7-16 Add/Edit Context, page 7-18 Add/Edit Interface Allocation, page 7-18

Security Contexts
System > Configuration > Security Contexts The Security Contexts pane shows the configured contexts and information about each context. It also lets you add, edit, or delete a context. For more information about multiple context mode, see the Security Context Overview section on page 7-1.
Prerequisites

Before you can configure contexts using ASDM, make sure the security appliance is in multiple context mode. If the ASDM toolbar includes Context and System tools, then the security appliance is in multiple mode. Also, the Home > Device Information > General tab shows the current context mode, either multiple or single. To change from single mode to multiple, access the security appliance CLI and enter the mode multiple command. See the Enabling or Disabling Multiple Context Mode at the CLI section on page 7-9 for more information.
Fields

ContextShows the context name. InterfacesShows the interfaces and subinterfaces assigned to the context. If you assigned an alias for the interface name to show in a context, then the aliased name is shown in parentheses. If you specified a range of subinterfaces, the range displays with a dash between the first and last subinterface numbers. ResourceShows the resource class for each context. Config URLShows the context configuration location.

ASDM User Guide

7-16

OL-10106-01

Chapter 7

Configuring Security Contexts Configuring Security Contexts

GroupShows the failover group to which this context belongs. DescriptionShows a description of the context. AddAdds a context. EditEdits a context. DeleteDeletes a context. Mac-Address autoAutomatically assigns private MAC addresses to each shared context interface. To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the How the Security Appliance Classifies Packets section on page 7-2 for information about classifying packets. By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address. For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. When you assign an interface to a context, the new MAC address is generated immediately. If you enable this option after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you apply the option. If you disable this option, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1. The MAC address is generated using the following format: Active unit MAC address: 12_slot.port_subid.contextid. Standby unit MAC address: 02_slot.port_subid.contextid. For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31: Active: 1200.0131.0001 Standby: 0200.0131.0001 In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the Configuring the Interfaces section on page 4-2 to manually set the MAC address.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

7-17

Chapter 7 Configuring Security Contexts

Configuring Security Contexts

Add/Edit Context
System > Configuration > Security Contexts > Add/Edit Context The Add Context dialog box lets you add or edit a security context and define context parameters.
Fields

Security ContextSets the context name as a string up to 32 characters long. This name is case sensitive, so you can have two contexts named customerA and CustomerA, for example. System or Null (in upper or lower case letters) are reserved names, and cannot be used. Interface AllocationShows the interfaces and subinterfaces assigned to this context.
InterfaceShows the interface IDs. If you specified a range of subinterfaces, the range displays

with a dash between the first and last subinterface numbers.


Aliased NameShows the aliased name for this interface to be used in the context

configuration instead of the interface ID.


VisibleShows whether context users can see physical interface properties even if you set an

aliased name.
AddAdds an interface to the context. EditEdits the interface properties. DeleteDeletes an interface.

Resource AssignmentAssigns the context to a resource class.


Resource ClassSelect a class from the list. EditEdits the selected resource class. NewAdds a resource class.

Config URLSpecifies the context configuration location, as a URL. Choose the file system type in the list, and then enter the server (for remote file systems), path, and filename in the field. For example, the combined URL for FTP has the following format: ftp://server.example.com/configs/admin.cfg LoginSets the username and password for remote file systems. Failover GroupSets the failover group for active/active failover. DescriptionSets an optional description for the context.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Interface Allocation


System > Configuration > Security Contexts > Add/Edit Context > Add/Edit Interface Allocation

ASDM User Guide

7-18

OL-10106-01

Chapter 7

Configuring Security Contexts Configuring Security Contexts

The Add/Edit Interface Allocation dialog box lets you assign interfaces to a context and set interface parameters.
Fields

InterfacesSpecifies the physical interface and subinterface IDs.


Physical InterfaceSets the physical interface to assign to the context. You can assign the main

interface, in which case you leave the subinterface ID blank, or you can assign a subinterface or a range of subinterfaces associated with this interface. In transparent firewall mode, only interfaces that have not been allocated to other contexts are shown. If the main interface was already assigned to another context, then you must choose a subinterface.
Sub Interface Range (Optional)Sets the subinterface ID or a range of subinterface IDs. To

specify a single subinterface, choose the ID in the first list. To specify a range, choose the ending ID in the second list, if available. In transparent firewall mode, only subinterfaces that have not been allocated to other contexts are shown.

Aliased NamesSets an aliased name for this interface to be used in the context configuration instead of the interface ID.
Use Aliased Name in ContextEnables aliased names in the context. NameSets the aliased name. An aliased name must start with a letter, end with a letter or digit,

and have as interior characters only letters, digits, or an underscore. This field lets you specify a name that ends with a letter or underscore; to add an optional digit after the name, set the digit in the Range field.
RangeSets the numeric suffix for the aliased name. If you have a range of subinterfaces, you

can enter a range of digits to be appended to the name.

Show Hardware Properties in ContextEnables context users to see physical interface properties even if you set an aliased name.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

7-19

Chapter 7 Configuring Security Contexts

Configuring Security Contexts

ASDM User Guide

7-20

OL-10106-01

C H A P T E R

Configuring Device Properties


This section contins the following topics:

Management IP Device Administration Auto Update

Management IP
Configuration > Properties > Management IP The Management IP window lets you set the management IP address for the security appliance or for a context in transparent firewall mode. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. The exception is that you can set the IP address for the Management 0/0 management-only interface, which does not pass through traffic. See the Configuring the Interfaces to set the IP address for Management 0/0. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.
Fields

Management IP AddressSets the management IP address. Subnet MaskSets the subnet mask.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

ASDM User Guide OL-10106-01

8-1

Chapter 8 Device Administration

Configuring Device Properties

Device Administration
Under Device Administration, you can set basic parameters for the security appliance. This section contains the following topics:

Banner Boot Image/Configuration Console Clock Device FTP Mode ICMP Rules Management Access NTP Password Secure Copy SNMP TFTP Server User Accounts

Banner
Configuration > Properties > Device Administration > Banner The Banner panel lets you configure message of the day, login, and session banners. To create a banner, enter text into the appropriate box. Spaces in the text are preserved, however, tabs can be entered in the ASDM interface but cannot be entered through the command line interface. The tokens $(domain) and $(hostname) are replaced with the host name and domain name of the security appliance. Use the $(hostname) and $(domain) tokens to echo the hostname and domain name specified in a particular context. Use the $(system) token to echo a banner configured in the system space in a particular context. Multiple lines in a banner are handled by entering a line of text for each line you wish to add. Each line is then appended to the end of the existing banner. If the text is empty, then a carriage return (CR) will be added to the banner. There is no limit on the length of a banner other than RAM and Flash memory limits. You can only use ASCII characters, including new line (the Enter key, which counts as two characters). When accessing the security appliance through Telnet or SSH, the session closes if there is not enough system memory available to process the banner messages or if a TCP write error occurs when attempting to display the banner messages. To replace a banner, change the contents of the appropriate box and click Apply. To clear a banner, clear the contents of the appropriate box and click Apply. Although the banner command is not available in the System Context through the ASDM panel, it can be configured with Tools > Command Line Interface.

ASDM User Guide

8-2

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Boot Image/Configuration
Configuration > Properties > Device Administration > Boot Image/Configuration Boot Image/Configuration lets you choose which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can specify up to four local binary image files for use as the startup image, and one image located on a TFTP server for the device to boot from. If you specify an image located on a TFTP server, it must be first in the list. In the event the device cannot reach the tftp server to load the image from, it will attempt to load the next image file in the list located in Flash. If you do not specify any boot variable, the first valid image on internal flash will be chosen to boot the system.
Fields

Boot Configuration

Boot OrderDisplays the order in which binary image files will be used to boot. Boot Image LocationDisplays the physical location and path of the boot file. Boot Config File PathDisplays the location of the configuration file. AddLets you add a flash or tftp boot image entry to be used in the boot process. EditLets you edit a flash or tftp boot image entry. DeleteDeletes the selected flash or tftp boot image entry. Move UpMoves the selected flash or tftp boot image entry up in the boot order. Move DownMoves the selected flash or tftp boot image entry down in the boot order. Browse FlashLets you specify the location of a boot image or configuration file. ASDM Image File PathDisplays the location of the configuration file the device will use at startup. Browse FlashLets you specify the location of a boot image or configuration file.

ASDM Image Configuration


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

8-3

Chapter 8 Device Administration

Configuring Device Properties

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add Boot Image


Configuration > Properties > Device Administration > Boot Image/Configuration > Add Boot Image To add a boot image entry to the boot order list, click Add on the Boot Image/Configuration panel. You can select a Flash or TFTP image to add a boot image to the boot order list. Either type the path of the image, or click Browse Flash to specify the image location. You must type the path of the image location if you are using TFTP.
Fields

Flash ImageSelect to add a boot image located in the flash file system.
PathSpecify the path of the boot image in the flash file system.

TFTP ImageSelect to add a boot image located on a TFTP server.


[Path]Enter the path on the TFTP server of the boot image file, including the IP address of

the server.

OKAccepts changes and returns to the previous panel. CancelDiscards changes and returns to the previous panel. HelpProvides more information.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Clock
Configuration > Properties > Device Administration > Clock The Clock panel lets you manually set the date and time for the security appliance. The time displays in the status bar at the bottom of the main ASDM window. In multiple context mode, set the time in the system configuration only. To dynamically set the time using an NTP server, see the NTP panel; time derived from an NTP server overrides any time set manually in the Clock panel.

ASDM User Guide

8-4

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Fields

Time ZoneSets the time zone as GMT plus or minus the appropriate number of hours. If you select the Eastern Time, Central Time, Mountain Time, or Pacific Time zone, then the time adjusts automatically for daylight saving time, from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.

Note

Changing the time zone on the security appliance may drop the connection to intelligent SSMs.

DateSets the date. Select the date and year from the lists, and then click the day on the calendar. TimeSets the time on a 24-hour clock.
hh, mm, and ss boxesSets the hour, minutes, and seconds.

Update Display TimeUpdates the time shown at the bottom right corner of the ASDM window. The current time updates automatically every ten seconds.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Console
Configuration > Properties > Device Administration > Console The Console panel lets you specify a time period in minutes for the management console to remain active. When it reaches the time limit you specify here, the console automatically shuts down. Type the time period in the Console Timeout text box. To specify unlimited, enter 0. The default value is 0.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Device
Configuration > Properties > Device Administration > Device

ASDM User Guide OL-10106-01

8-5

Chapter 8 Device Administration

Configuring Device Properties

The Device panel lets you set the hostname and domain name for the security appliance. The hostname appears as the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The hostname is also used in system messages. For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts. The hostname that you optionally set within a context does not appear in the command line, can be used for a banner. The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to example.com, and specify a syslog server by the unqualified name of jupiter, then the security appliance qualifies the name to jupiter.example.com.
Fields

Platform Host NameSets the hostname. The default hostname depends on your platform. Domain NameSets the domain name. The default domain name is default.domain.invalid.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

FTP Mode
Configuration > Properties > Device Administration > FTP Mode The FTP Mode panel configures FTP mode as active or passive. The security appliance can use FTP to upload or download image files or configuration files to or from an FTP server. In passive FTP, the client initiates both the control connection and the data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.
Fields

Specify FTP mode as passiveConfigures FTP mode as active or passive.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

8-6

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

ICMP Rules
Configuration > Properties > Device Administration > ICMP Rules The ICMP Rules panel provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the security appliance. You can use this table to add or change the hosts or networks that are allowed or prevented from sending ICMP messages to the security appliance. The ICMP rule list controls ICMP traffic that terminates on any security appliance interface. If no ICMP control list is configured, then the security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address.

Note

Use the Security Policy panel to configure access rules for ICMP traffic that is routed through the security appliance for destinations on a protected interface. It is recommended that permission is always granted for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery. If an ICMP control list is configured, then the security appliance uses a first match to the ICMP traffic followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates a syslog message. An exception is when an ICMP control list is not configured; in that case, a permit statement is assumed.
Fields

InterfaceLists the interface on the security appliance from which ICMP access is allowed. ActionDisplays whether ICMP messages are permitted or not allowed from the specified network or host. IP AddressLists the IP address of the network or host that is allowed or denied access. MaskLists the network mask associated with the network or host that is allowed access. ICMP TypeLists the type of ICMP message to which the rule applies. Table 8-1 lists the supported ICMP type values. AddDisplays the Add ICMP Rule dialog box for adding a new ICMP rule to the end of the table. Insert BeforeAdds an ICMP rule before the currently selected rule. Insert AfterAdds an ICMP rule after the currently selected rule. EditDisplays the Edit ICMP Rule dialog box for editing the selected host or network. DeleteDeletes the selected host or network.
ICMP Type Literals

Table 8-1

ICMP Type 0 3 4 5

Literal echo-reply unreachable source-quench redirect

ASDM User Guide OL-10106-01

8-7

Chapter 8 Device Administration

Configuring Device Properties

Table 8-1

ICMP Type Literals (continued)

ICMP Type 6 8 9 10 11 12 13 14 15 16 17 18 31 32
Modes

Literal alternate-address echo router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request mask-reply conversion-error mobile-redirect

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit ICMP Rule


Configuration > Properties > Device Administration > ICMP Rules > Add/Edit ICMP Rule The Add/Edit ICM Rule dialog box lets you add or modify an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the security appliance.
Fields

ICMP TypeSpecifies the type of ICMP message to which the rule applies. Table 8-2 lists the supported ICMP type values. InterfaceIdentifies the interface on the security appliance from which ICMP access is allowed. IP AddressSpecifies the IP address of the network or host that is allowed or denied access. Any AddressApplies the action to all addresses received on the specified interface. MaskSpecifies the network mask associated with the network or host that is allowed access. ActionSpecifies whether ICMP messages are permitted or not from the specified network or host.

ASDM User Guide

8-8

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

PermitCauses ICMP messages from the specified host or network and interface to be

allowed.
DenyCauses ICMP messages from the specified host or network and interface to be dropped. Table 8-2 ICMP Type Literals

ICMP Type 0 3 4 5 6 8 9 10 11 12 13 14 15 16 17 18 31 32
Modes

Literal echo-reply unreachable source-quench redirect alternate-address echo router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request mask-reply conversion-error mobile-redirect

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Management Access
Configuration > Properties > Device Administration > Management Access The Management Access panel lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the security appliance. With management access enabled, you can run ASDM on an internal interface with a fixed IP address over an IPSec VPN

ASDM User Guide OL-10106-01

8-9

Chapter 8 Device Administration

Configuring Device Properties

tunnel. Use this feature if VPN is configured on the security appliance and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the security appliance securely from home using the VPN client.
Fields

Management Access InterfaceLets you specify the interface to use for managing the security appliance. None disables management access and is the default. To enable management access, select the interface with the highest security, which will be an inside interface. You can enable management access on only one interface at a time.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

NTP
Configuration > Properties > Device Administration > NTP The NTP panel lets you define NTP servers to dynamically set the time on the security appliance. The time displays in the status bar at the bottom of the main ASDM window. Time derived from an NTP server overrides any time set manually in the Clock panel. NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating CRLs, which include a precise time stamp. You can configure multiple NTP servers. The security appliance chooses the server with the lowest stratuma measure of how reliable the data is.
Fields

NTP Server ListShows defined NTP servers.


IP AddressShows the NTP server IP address. InterfaceSpecifies the outgoing interface for NTP packets, if configured. The system does

not include any interfaces, so it uses the admin context interfaces. If the interface is blank, then the security appliance uses the default admin context interface according to the routing table.
Preferred?Shows whether this NTP server is a preferred server, Yes or No. NTP uses an

algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a more accurate server over a less accurate server that is preferred.
Key NumberShows the authentication key ID number. Trusted Key?Shows if the key is a trusted key, Yes or No. The key must be trusted for

authentication to work.

Enable NTP AuthenticationEnables authentication for all servers.

ASDM User Guide

8-10

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

AddAdds an NTP server. EditEdits an NTP server. DeleteDeletes and NTP server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit NTP Server Configuration


Configuration > Properties > Device Administration > NTP > Add/Edit NTP Server Configuration The Add/Edit NTP Server Configuration dialog box lets you add or edit an NTP server.
Fields

IP AddressSets the NTP server IP address. PreferredSets this server as a preferred server. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the preferred server is used. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a more accurate server over a less accurate server that is preferred. InterfaceSets the outgoing interface for NTP packets, if you want to override the default interface according to the routing table. The system does not include any interfaces, so it uses the admin context interfaces. If you intend to change the admin context (thus changing the available interfaces), you should choose None (the default interface) for stability. Authentication KeySets the authentication key attributes if you want to use MD5 authentication for communicating with the NTP server.
Key NumberSets the key ID for this authentication key. The NTP server packets must also

use this key ID. If you previously configured a key ID for another server, you can select it in the list; otherwise, type a number between 1 and 4294967295.
TrustedSets this key as a trusted key. You must select this box for authentication to work. Key ValueSets the authentication key as a string up to 32 characters in length. Reenter Key ValueValidates the key by ensuring that you enter the key correctly two times.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

8-11

Chapter 8 Device Administration

Configuring Device Properties

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Password
Configuration > Properties > Device Administration > Password The Password panel lets you set the login password and the enable password. The login password lets you access EXEC mode if you connect to the security appliance using a Telnet or SSH session. (If you configure user authentication for Telnet or SSH access, then each user has their own password, and this login password is not used; see the AAA Access panel.) The enable password lets you access privileged EXEC mode after you log in. Also, this password is used to access ASDM as the default user, which is blank. The default user shows as enable_15 in the User Accounts panel. (If you configure user authentication for enable access, then each user has their own password, and this enable password is not used; see the AAA Access panel. In addition, you can configure authentication for HTTP/ASDM access.)
Fields

Enable PasswordSets the enable password. By default, it is blank.


Change the privileged mode passwordLets you change the enable password. Old PasswordEnter the old password. New PasswordEnter the new password. Confirm New PasswordConfirm the new password.

Telnet PasswordSets the login password. By default, it is cisco. Although this group box is called Telnet Password, this password applies to Telnet and SSH access.
Change the password to access the platform consoleLets you change the login password. Old PasswordEnter the old password. New PasswordEnter the new password. Confirm New PasswordConfirm the new password.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

8-12

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Secure Copy
Configuration > Properties > Device Administration > Secure Copy The Secure Copy panel lets you enable the secure copy server on the security appliance. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection.
Limitations

This implementation of the secure copy server has the following limitations:

The server can accept and terminate connections for secure copy, but cannot initiate them. The server does not have directory support. The lack of directory support limits remote client access to the security appliance internal files. The server does not support banners. The server does not support wildcards. The security appliance license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Fields

Enable Secure Copy ServerSelect this check box to enable the secure copy server on the security appliance.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

SMTP
Configuration > Properties > Device Administration > SMTP The SMTP panel lets you enable or disable the SMTP client for notification by email that a significant event has transpired. Here you can add an IP address of an SMTP server and optionally, the IP address of a backup server. ASDM does not check to make sure the IP address is valid, so it is important to type the address correctly. You can configure what email addresses will receive alerts in Configuration > Properties > Logging > Email Setup.
Fields

Remote SMTP ServerLets you configure the primary and secondary SMTP servers. Primary Server IP AddressEnter the IP address of the SMTP server. Secondary Server IP Address (Optional)Optionally, you can enter the IP address of a secondary SMTP server.

ASDM User Guide OL-10106-01

8-13

Chapter 8 Device Administration

Configuring Device Properties

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SNMP
Configuration > Properties > Device Administration > SNMP The SNMP panel lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations. SNMP defines a standard way for network management stations running on PCs or workstations to monitor the health and status of many types of devices, including switches, routers, and the security appliance.
SNMP Terminology

Management stationNetwork management stations running on PCs or workstations, use the SNMP protocol to administer standardized databases residing on the device being managed. Management stations can also receive messages about events, such as hardware failures, which require attention. AgentIn the context of SNMP, the management station is a client and an SNMP agent running on the security appliance is a server. OIDThe SNMP standard assigns a system object ID (OID) so that a management station can uniquely identify network devices with SNMP agents and indicate to users the source of information monitored and displayed. MIBThe agent maintains standardized data structures called Management Information Databases, or MIBs which are compiled into management stations. MIBs collect information, such as packet, connection, and error counters, buffer usage, and failover status. MIBs are defined for specific products, in addition to MIBs for the common protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs or request only specific fields. In some applications, MIB data can be modified for administrative purposes. TrapThe agent also monitors alarm conditions. When an alarm condition defined in a trap occurs, such as a link up, link down, or syslog event, the agent sends notification, also known as SNMP trap, to the designated management station immediately.

SNMP

For Cisco MIB files and OIDs, refer to: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. OIDs may be downloaded at this URL: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.
MIB Support

The security appliance provides the following SNMP MIB support:

ASDM User Guide

8-14

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Note

The security appliance does not support browsing of the Cisco syslog MIB.

You can browse the System and Interface groups of MIB-II. Browsing an MIB is different from sending traps. Browsing means doing an snmpget or snmpwalk of the MIB tree from the management station to determine values. The Cisco MIB and Cisco Memory Pool MIB are available. The security appliance does not support the following in the Cisco MIB: cfwSecurityNotification NOTIFICATION-TYPE cfwContentInspectNotification NOTIFICATION-TYPE cfwConnNotification NOTIFICATION-TYPE cfwAccessNotification NOTIFICATION-TYPE cfwAuthNotification NOTIFICATION-TYPE cfwGenericNotification NOTIFICATION-TYPE

SNMP CPU Utilization

The security appliance supports monitoring CPU utilization through SNMP. This feature allows network administrators to monitor security appliance CPU usage using SNMP management software, such as HP OpenView, for capacity planning. This functionality is implemented through support for the cpmCPUTotalTable of the Cisco Process MIB (CISCO-PROCESS-MIB.my). The other two tables in the MIB, cpmProcessTable and cpmProcessExtTable, are not supported in this release. Each row of the cpmCPUTotalTable includes the index of each CPU and the following objects: MIB object name cpmCPUTotalPhysicalIndex cpmCPUTotalIndex cpmCPUTotal5sec cpmCPUTotal1min cpmCPUTotal5min Description The value of this object will be zero because the entPhysicalTable of Entity MIB is not supported on the security appliance SNMP agent. The value of this object will be zero because the entPhysicalTable of Entity MIB is not supported on the security appliance SNMP agent. Overall CPU busy percentage in the last five-second period. Overall CPU busy percentage in the last one-minute period. Overall CPU busy percentage in the last five-minute period.

Note

Because all current security appliance hardware platforms support a single CPU, the security appliance returns only one row from cpmCPUTotalTable and the index is always 1. The values of the last three elements are the same as the output from the show cpu usage command. The security appliance does not support the following new MIB objects in the cpmCPUTotalTable:

cpmCPUTotal5secRev cpmCPUTotal1minRev cpmCPUTotal5minRev

ASDM User Guide OL-10106-01

8-15

Chapter 8 Device Administration

Configuring Device Properties

Fields

Community string (default)Enter the password used by the SNMP management station when sending requests to the security appliance. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The security appliance uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default is public. SNMPv2c allows separate community strings to be set for each management station. If no community string is configured for any management station, the value set here will be used by default. ContactEnter the name of the security appliance system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. Security Appliance LocationSpecify the security appliance location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. Listening PortSpecify the port on which SNMP traffic is sent. The default is 161. Configure TrapsLets you configure the events to notify through SNMP traps. SNMP Management Station box:
InterfaceDisplays the security appliance interface name where the SNMP management

station resides.
IP AddressDisplays the IP address of an SNMP management station to which the security

appliance sends trap events and receive requests or polls.


Community stringIf no community string is specified for a management station, the value

set in Community String (default) field will be used.


SNMP VersionDisplays the version of SNMP set on the management station. Poll/TrapDisplays the method for communicating with this management station, poll only,

trap only, or both trap and poll. Polling means that the security appliance waits for a periodic request from the management station. The trap setting sends syslog events when they occur.
UDP PortSNMP host UDP port. The default is port 162.

AddOpens Add SNMP Host Access Entry with these fields: Interface NameSelect the interface on which the management station resides. IP AddressSpecify the IP address of the management station. Server Poll/Trap SpecificationSelect Poll, Trap, or both. UDP PortUDP port for the SNMP host. This field allows you to override the default value of 162 for the SNMP host UDP port. HelpProvides more information. EditOpens the Edit SNMP Host Access Entry dialog box with the same fields as Add. DeleteDeletes the selected item.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

8-16

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit SNMP Host Access Entry


Configuration > Properties > Device Administration > SNMP > Add/Edit SNMP Host Access Entry
Adding SNMP Management Stations

To add SNMP management stations, perform the following steps:


1. 2. 3. 4. 5.

Click Add to open the SNMP Host Access Entry dialog box. From Interface Name, select the interface on which the SNMP management station resides. Enter the IP address of that management station in IP Address. Enter the UDP port for the SNMP host. The default is 162. Enter the Community String password for the SNMP host. If no community string is specified for a management station, the value set in Community String (default) field in the SNMP Configuration screen will be used. Click to select Poll, Trap, or both. To return to the previous panel click:

6. 7.

OKAccepts changes and returns to the previous panel CancelDiscards changes and returns to the previous panel HelpProvides more information

Editing SNMP Management Stations

To edit SNMP management stations, perform the following steps:


1. 2. 3. 4. 5.

Select a list item from the SNMP management station table on the SNMP panel. Click Edit to open Edit SNMP Host Access Entry. From Interface Name, select the interface on which the SNMP management station resides. Enter the IP address of that management station in IP Address. Enter the Community String password for the SNMP host. If no community string is specified for a management station, the value set in Community String (default) field in the SNMP Configuration screen will be used. Enter the UDP port for the SNMP host. The default is 162. Click to select Poll, Trap, or both. Select SNMP version. To return to the previous panel click:

6. 7. 8. 9.

OKAccepts changes and returns to the previous panel CancelDiscards changes and returns to the previous panel

ASDM User Guide OL-10106-01

8-17

Chapter 8 Device Administration

Configuring Device Properties

HelpProvides more information

Deleting SNMP Management Stations

To delete an SNMP management station from the table, perform the following steps:
1. 2.

Select an item from the SNMP management station table on the SNMP panel. Click Delete.

Fields

Interface nameSelect the interface where the SNMP host resides. IP AddressEnter the IP address of the SNMP host. UDP PortEnter the UDP port on which to send SNMP updates. The default is 162. Community StringEnter the community string for the SNMP server. SNMP VersionSelect the SNMP version. Server Port/Trap Specification

PollSelect to send poll information. Polling means that the security appliance waits for a periodic request from the management station. TrapSelect to send trap information. The trap setting sends syslog events when they occur.

OKAccepts changes and returns to the previous panel CancelDiscards changes and returns to the previous panel HelpProvides more information

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

SNMP Trap Configuration


Configuration > Properties > Device Administration > SNMP > SNMP Trap Configuration
Traps

Traps are different than browsing; they are unsolicited comments from the managed device to the management station for certain events, such as link up, link down, and syslog event generated. An SNMP object ID (OID) for the security appliance displays in SNMP event traps sent from the security appliance. The security appliance provides system OID in SNMP event traps & SNMP mib-2.system.sysObjectID. The SNMP service running on the security appliance performs two different functions:

Replies to SNMP requests from management stations (also known as SNMP clients). Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.

ASDM User Guide

8-18

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

The security appliance supports 3 types of traps:


firewall generic syslog

Configure Traps

Opens SNMP Trap Configuration with the following fields:

Standard SNMP TrapsSelect standard traps to send:


AuthenticationEnables authentication standard trap. Cold StartEnables cold start standard trap. Link UpEnables link up standard trap. Link DownEnables link down standard trap.

Entity MIB Notifications


FRU InsertEnables a trap notification when a Field Replaceable Unit (FRU) has been

inserted.
FRU RemoveEnables a trap notification when a Field Replaceable Unit (FRU) has been

removed.
Configuration ChangeEnables a trap notification when there has been a hardware change.

IPSec TrapsEnables IPSec traps.


StartEnables a trap when IPSec starts. StopEnables a trap when IPSec stops.

Remote Access TrapsEnables remote access traps.


Session threshold exceededEnables a trap when the number of remote access session

attempts exceeds the threshold configured.


Enable Syslog trapsEnables sending of syslog messages to SNMP management station. OKAccepts changes and returns to the previous panel. CancelDiscards changes and returns to the previous panel. HelpProvides more information.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

TFTP Server
Configuration > Properties > Device Administration > TFTP

ASDM User Guide OL-10106-01

8-19

Chapter 8 Device Administration

Configuring Device Properties

The TFTP Server panel lets you configure the security appliance to save its configuration to a file server using TFTP.

Note

This panel does not write the file to the server. Configure the security appliance for using a TFTP server in this panel, then click File > Save Running Configuration to TFTP Server.
TFTP Servers and the security appliance

TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. This panel lets you configure the security appliance as a TFTP client so that it can transfer a copy of its running configuration file to a TFTP server using File > Save Running Configuration to TFTP Server or Tools > Command Line Interface. In this way, you can back up and propagate configuration files to multiple security appliances. This panel uses the configure net command to specify the IP address of the TFTP server, and the tftp-server command to specify the interface and the path/filename on the server where the running configuration file will be written. Once this information is applied to the running configuration, ASDM File > Save Running Configuration to TFTP Server uses the copy command to execute the file transfer. The security appliance supports only one TFTP server. The full path to the TFTP server is specified in Configuration > Properties > Administration > TFTP Server. Once configured here, you can use a colon (:) to specify the IP address in the CLI configure net and copy commands. However, any other authentication or configuration of intermediate devices necessary for communication from the security appliance to the TFTP server is done apart from this function. The show tftp-server command lists the tftp-server command statements in the current configuration. The no tftp server command disables access to the server.
Fields

The TFTP panel provides the following fields:


EnableClick to select and enable these TFTP server settings in the configuration. Interface NameSelect the name of the security appliance interface which will use these TFTP server settings. IP AddressEnter the IP address of the TFTP server. PathType in the TFTP server path, beginning with / (forward slash) and ending in the file name, to which the running configuration file will be written. Example TFTP server path: /tftpboot/security appliance/config3

Note

The path must begin with a forward slash (/).

For More Information

For more information about TFTP, refer to the security appliance Technical Documentation for your version of software.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

8-20

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

User Accounts
Configuration > Properties > Device Administration > User Accounts The User Accounts panel lets you manage the local user database. The local database is used for the following features:

ASDM per-user access By default, you can log into ASDM with a blank username and the enable password (see Password). However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Note

Although you can configure HTTP authentication using the local database (see the Authentication Tab), that functionality is always enabled by default. You should only configure HTTP authentication if you want to use a RADIUS or TACACS+ server for authentication. Console authentication (see the Authentication Tab) Telnet and SSH authentication (see the Authentication Tab) enable command authentication (see the Authentication Tab) This setting is for CLI-access only and does not affect the ASDM login. Command authorization (see the Authorization Tab) If you enable command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.

Note

If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. Without command authorization, users can access privileged mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication for console access so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged mode. Network access authentication VPN client authentication

You cannot use the local database for network access authorization.

ASDM User Guide OL-10106-01

8-21

Chapter 8 Device Administration

Configuring Device Properties

For multiple context mode, you can configure usernames in the system execution space to provide individual logins at the CLI using the login command; however, you cannot configure any aaa commands that use the local database in the system execution space.

Note

VPN functions are not supported in multimode. To configure the enable password from this panel (instead of in Password), change the password for the enable_15 user. The enable_15 user is always present in this panel, and represents the default username. This method of configuring the enable password is the only method available in ASDM for the system configuration. If you configured other enable level passwords at the CLI (enable password 10, for example), then those users are listed as enable_10, etc.
Fields

User NameSpecifies the user name to which these parameters apply. Privilege (Level)Specifies the privilege level assigned to that user. The privilege level is used with local command authorization. See the Authorization Tab for more information. VPN Group PolicySpecifies the name of the VPN group policy for this user. Not available in multimode. VPN Group LockSpecifies what, if any, group lock policy is in effect for this user. Not available in multimode. AddDisplays the Add User Account dialog box. EditDisplays the Edit User Account dialog box. DeleteRemoves the selected row from the table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit User Account > Identity Tab


Configuration > Properties > Device Administration > User Accounts > Add/Edit User Account > Identity Tab Use this tab to specify parameters that identify the user account you want to add or change. The changes appear in the User Accounts table as soon as you click OK.
Fields

UsernameSpecifies the username for this account. PasswordSpecifies the unique password for this user. The minimum password length is 4 characters. The maximum is 32 characters. Entries are case-sensitive. The field displays only asterisks.

ASDM User Guide

8-22

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Note

To protect security, we recommend a password length of at least 8 characters. Confirm PasswordAsks you to re-enter the user password to verify it. The field displays only asterisks. Privilege LevelSelects the privilege level for this user to use with local command authorization. The range is 0 (lowest) to 15 (highest). See the Authorization Tab for more information.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit User Account > VPN Policy Tab


Configuration > Properties > Device Administration > User Accounts > Add/Edit User Account > VPN Policy Tab Use this tab to specify VPN policies for this user. Check an Inherit check box to let the corresponding setting take its value from the group policy.
Fields

Group PolicyLists the available group policies. Tunneling ProtocolsSpecifies what tunneling protocols that this user can use, or whether to inherit the value from the group policy. Check the desired Tunneling Protocols check boxes to select the VPN tunneling protocols that this user can use. Users can use only the selected protocols. The choices are as follows: IPSecIP Security Protocol. IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. WebVPNVPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites. L2TP over IPSecAllows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks.

Note

If no protocol is selected, an error message appears.

ASDM User Guide OL-10106-01

8-23

Chapter 8 Device Administration

Configuring Device Properties

FilterSpecifies what filter to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Configuration > VPN > VPN General > Group Policy panel. ManageDisplays the ACL Manager panel, on which you can add, edit, and delete Access Control Lists (ACLs) and Extended Access Control Lists (ACEs). Tunnel Group LockSpecifies whether to inherit the tunnel group lock or to use the selected tunnel group lock, if any. Selecting a specific lock restricts users to remote access through this group only. Tunnel Group Lock restricts users by checking if the group configured in the VPN client is the same as the users assigned group. If it is not, the security appliance prevents the user from connecting. If the Inherit check box is not selected, the default value is --None--. Store Password on Client SystemSpecifies whether to inherit this setting from the group. Deselecting the Inherit check box activates the Yes and No radio buttons. Selecting Yes stores the login password on the client system (potentially a less-secure option). Selecting No (the default) requires the user to enter the password with each connection. For maximum security, we recommend that you not do allow password storage. This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002. Connection SettingsSpecifies the connection settings parameters.
Access HoursIf the Inherit check box is not selected,you can select the name of an existing

access hours policy, if any, applied to this user or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.
NewOpens the Add Time Range dialog box, on which you can specify a new set of access

hours.
Simultaneous LoginsIf the Inherit check box is not selected, this parameter specifies the

maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.

Note

While there is no maximum limit, allowing several simultaneous connections could compromise security and affect performance.

Maximum Connect TimeIf the Inherit check box is not selected, this parameter specifies the

maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, select the Unlimited check box (the default).
Idle TimeoutIf the Inherit check box is not selected, this parameter specifies this users idle

timeout period in minutes. If there is no communication activity on the users connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. This value does not apply to WebVPN users.

Dedicated IP Address (Optional)


IP Address boxSpecifies the optional Dedicated IP address. Subnet Mask listSpecifies the subnet mask for the Dedicated IP address.

Check the Group Lock check box to restrict users to remote access through this group only. Group Lock restricts users by checking if the group configured in the VPN client is the same as the users assigned group. If it is not, the VPN Concentrator prevents the user from connecting. If this box is unchecked (the default), the system authenticates a user without regard to the users assigned group.

ASDM User Guide

8-24

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit User Account > WebVPN Tab


Configuration > Properties > Device Administration > User Accounts > Add/Edit User Account > WebVPN Tab The Add or Edit User Account panel, WebVPN tab, displays six tabs that let you configure WebVPN attributes for users.
Fields

InheritIndicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. FunctionsConfigures the features available to WebVPN users.
Enable URL entryPlaces the URL entry box on the home page. If this feature is enabled,

users can enter web addresses in the URL entry box, and use WebVPN to access those websites. Using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote users PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured. In a WebVPN connection, the security appliance acts as a proxy between the end users web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the servers SSL certificate. The end users browser never receives the presented certificate, so therefore cannot examine and validate the certificate. The current implementation of WebVPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it. To limit Internet access for WebVPN users, deselect the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.
Enable file server accessEnables Windows file access (SMB/CIFS files only) through

HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in Servers and URLs group box. To let users access servers directly or to browse servers on the network, see the Enable file server entry and Enable file server browsing parameters. Users can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

ASDM User Guide OL-10106-01

8-25

Chapter 8 Device Administration

Configuring Device Properties

File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the security appliance, or reachable from that network. The WINS server or master browser provides the security appliance with an list of the resources on the network. You cannot use a DNS server instead.

Note

Note File access is not supported in an Active Native Directory environment when used with

Dynamic DNS. It is supported if used with a WINS server.


Enable file server entryPlaces the file server entry box on the portal page. File server access

must be enabled. With this box selected, users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Again, shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.
Enable file server browsingLets users browse the Windows network for

domains/workgroups, servers and shares. File server access must be enabled. With this box checked, users can select domains and workgroups, and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.
Enable port forwardingWebVPN Port Forwarding provides access for remote users in the

group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.

Note

Port Forwarding does not work with some SSL/TLS versions. With this box checked users can access client/server applications by mapping TCP ports on the local and remote systems.

Note

When users authenticate using digital certificates, the TCP Port Forwarding JAVA applet does not work. JAVA cannot access the web browsers keystore; therefore JAVA cannot use the certificates that the browser uses for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.

Enable Outlook/Exchange proxyEnables the use of the Outlook/Exchange e-mail proxy. Apply Web-type ACLApplies the WebVPN Access Control List defined for the users of this

group.
Enable HTTP ProxyEnables the forwarding of an HTTP applet proxy to the client. The proxy

is useful for technologies that interfere with proper mangling, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browsers old proxy configuration automatically and redirects all HTTP and HTTPS

ASDM User Guide

8-26

OL-10106-01

Chapter 8

Configuring Device Properties Device Administration

requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.

Content FilteringBlocks or removes the parts of websites that use Java or Active X, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.
Filter Java/ActiveXRemoves <applet>, <embed> and <object> tags from HTML. Filter scriptsRemoves <script> tags from HTML. Filter imagesRemoves <img> tags from HTML. Removing images dramatically speeds the

delivery of web pages.


Filter cookies from imagesRemoves cookies that are delivered with images. This may

preserve user privacy, because advertisers use cookies to track visitors.

HomepageConfigures what, if any, home page to use.


Specify URLIndicates whether the subsequent fields specify the protocol, either http or https,

and the URL of the Web page to use as the home page.
ProtocolSpecifies whether to use http or https as the connection protocol for the home page. ://Specifies the URL of the Web page to use as the home page. Use noneSpecifies that no home page is configured.

Port ForwardingConfigures port forwarding parameters.


Port Forwarding ListSpecifies whether to inherit the port forwarding list from the default

group policy, select one from the list, or create a new port forwarding list.
NewDisplays a new panel on which you can add a new port forwarding list. See the

description of the Add/Edit Port Forwarding List panel.


Applet NameSpecifies whether to inherit the applet name or to use the name specified in the

box. Specify this name to identify port forwarding to end users. The name you configure displays in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to port forwarding applications that you configure for these users.The default applet name is Application Access.

OtherConfigures servers and URL lists and the Web-type ACL ID.
Servers and URL ListsSpecifies whether to inherit the list of Servers and URLs, to select

and existing list, or to create a new list.


NewDisplays a new panel on which you can add a new port forwarding list. Web-Type ACL IDSpecifies the identifier of the Web-Type ACL to use.

SSL VPN Client tablets you configure the security appliance to download SSL VPN clients (SVCs) to remote computer. SVC is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance. To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote

ASDM User Guide OL-10106-01

8-27

Chapter 8 Device Administration

Configuring Device Properties

computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation. After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates. The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly-encountered remote computer operating system.
InheritIndicates that the corresponding setting takes its value from the default group policy,

rather than from the explicit specifications that follow.


Keep Installer on Client SystemEnables permanent SVC installation and disables the

automatic uninstalling feature of the SVC. The SVC remains installed on the remote computer for subsequent SVC connections, reducing the SVC connection time for the remote user.
Keepalive MessagesAdjusts the frequency of keepalive messages, in the range of 15 to 600

seconds. The default is keepalive messages are disabled. You can adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
CompressionEnables compression on the SVC connection. By default, compression is

enabled. SVC compression increases the communications performance between the security appliance and the SVC by reducing the size of the packets being transferred.
Rekey Negotiation Settings group boxWhen the security appliance and the SVC perform a

rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection. Renegotiation Interval specifies the number of minutes from the start of the session until the rekey takes place, from 1 to 10080 (1 week). Renegotiation Method specifies whether the SVC establishes a new tunnel during SVC rekey. If you check none, SVC rekey is disabled. If you check ssl, SSL renegotiation takes place during SVC rekey.
Dead Peer DetectionDead Peer Detection (DPD) ensures that the security appliance

(gateway) or the SVC can quickly detect a condition where the peer is not responding, and the connection has failed. Gateway Side Detection enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance performs DPD. If you check disable, DPD performed by the security appliance is disabled. Client Side Detection enables DPD performed by the SVC (client), and specifies the frequency, from 30 to 3600 seconds, with which the SVC performs DPD. If you check disable, DPD performed by the SVC is disabled

ASDM User Guide

8-28

OL-10106-01

Chapter 8

Configuring Device Properties Auto Update

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Auto Update
Configuration > Properties > Auto Update The Auto Update pane lets you configure the security appliance to be managed remotely from servers that supports the Auto Update specification. Auto Update lets you apply configuration changes to the security appliance and receive software updates from remote locations. Auto Update is useful in solving many of the challenges facing administrators for security appliance management:

Overcomes dynamic addressing and NAT challenges. Gives ability to commit configuration changes in one atomic action. Provides a reliable method for updating software. Leverages well understood methods for high scalability. Open interface gives developers tremendous flexibility. Simplifies security solutions for Service Provider environments. High reliability, rich security/management features, broad support by many products.

Introduction to Auto Update

The Auto Update specification provides the infrastructure necessary for remote management applications to download security appliance configurations, software images, and to perform basic monitoring from a centralized location or multiple locations. The Auto Update specification allows the Auto Update server to either push configuration information and send requests for information to the security appliance, or to pull configuration information by causing the security appliance to periodically poll the Auto Update server. The Auto Update server can also send a command to the security appliance to send an immediate polling request at any time. Communication between the Auto Update server and the security appliance requires a communications path and local CLI configuration on each security appliance. The Auto Update feature on the security appliance can be used with Cisco security products, as well as products from third-party companies that want to manage the security appliance.
Important Notes

If the security appliance configuration is updated from an Auto Update server, ASDM is not notified. You must choose Refresh or File > Refresh ASDM with the Running Configuration on the Device to get the latest configuration, and any changes to the configuration made in ASDM will be lost.

ASDM User Guide OL-10106-01

8-29

Chapter 8 Auto Update

Configuring Device Properties

If HTTPS is chosen as the protocol to communicate with the Auto Update server, the security appliance will use SSL. This requires the security appliance to have a DES or 3DES license.

Fields

The Auto Update pane consists of an Auto Update Servers table and two areas: the Timeout area, and the Polling area. The Auto Update Servers table lets you view the parameters of previously-configured Auto Update servers. The security appliance polls the server listed at the top of the table first. You can change the position of the servers in the table with the Move Up and Move Down buttons. The Auto Update Servers table contains the following columns:

ServerThe name or IP address of the Auto Update server. User NameThe user name used to access the Auto Update server. InterfaceThe interface used when sending requests to the Auto Update server. Verify CertificateIndicates whether the security appliance checks the certificate returned by the Auto Update server against the Certification Authority (CA) root certificates. This requires that the Auto Update server and the security appliance use the same CA.

Double-clicking any of the rows in the Auto Update Server table opens the Edit Auto Update Server dialog, in which you can modify the Auto Update server parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration. The Timeout area lets you set the amount of time the security appliance waits for the Auto Update server to timeout. The Timeout area contains the following fields:

Enable Timeout PeriodCheck to enable the security appliance to timeout if no response is received from the Auto Update server. Timeout Period (Minutes)Enter the number of minutes the security appliance will wait to timeout if no response is received from the Auto Update server.

The Polling area lets you configure how often the security appliance will poll for information from the Auto Update server. The Polling area contains the following fields:

Polling Period (minutes)The number of minutes the security appliance will wait to poll the Auto Update server for new information. Poll on Specified DaysAllows you to specify a polling schedule. Set Polling ScheduleDisplays the Set Polling Schedule dialog where you can configure the days and time-of-day to poll the Auto Update server. Retry Period (minutes)The number of minutes the security appliance will wait to poll the Auto Update server for new information if the attempt to poll the server fails. Retry CountThe number of times the security appliance will attempt to retry to poll the Auto Update server for new information.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

8-30

OL-10106-01

Chapter 8

Configuring Device Properties Auto Update

Set Polling Schedule


Configuration > Properties > Auto Update > Set Polling Schedule The Set Polling Schedule dialog lets you configure specific days, and the time-of-day for the security appliance to poll the Auto Update server.
Fields

The Set Polling Schedule dialog contains the following fields: Days of the WeekCheck the days of the week that you want the security appliance to poll the Auto Update server. The Daily Update Window group lets you configure the time of day when you want the security appliance to poll the Auto Update server, and contains the following fields:

Start TimeEnter the hour and minute to begin the Auto Update poll. Enable RandomizeCheck to enable the security appliance to randomly choose a time to poll the Auto Update server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Auto Update Server


Configuration > Properties > Auto Update > Add/Edit Auto Update Server The Edit Auto Update Server dialog contains the following fields:

URLThe protocol the Auto Update server uses to communicate with the security appliance, either http or https, and the path to the Auto Update server. InterfaceThe interface to use when sending requests to the Auto Update server. Verify CertificateSelect to enable the security appliance to verify the certificate returned by the Auto Update server against the Certification Authority (CA) root certificates. This requires that the Auto Update server and the security appliance use the same CA. User Name (Optional)Enter the user name needed to access the Auto Update server. PasswordEnter the user password for the Auto Update server. Confirm PasswordReenter the user password for the Auto Update server.

The User area contains the following fields:


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

8-31

Chapter 8 Client Update

Configuring Device Properties

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Advanced Auto Update Settings


Configuration > Properties > Auto Update > Advanced Auto Update Settings
Fields

Use Device ID to uniquely identify the ASAEnables authentication using a Device ID. The Device ID is used to uniquely identify the security appliance to the Auto Update server. Device IDType of Device ID to use.
HostnameThe name of the host. Serial NumberDevice serial number. IP Address on interfaceThe IP address of the selected interface, used to uniquely identify the

security appliance to the Auto Update server.


MAC Address on interfaceThe MAC address of the selected interface, used to uniquely

identify the security appliance to the Auto Update server.


User-defined valueA unique user ID.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Client Update
Configuration > Properties > Client Update The Client Update pane lets you configure the parameters of Auto Update clients associated with the security appliance when it is configured as an Auto Update server. As an Auto Update server, you can specify the platform and asdm images for security appliances configured as Auto Update clients, including image revision numbers and locations, according to the device ID, device family, or device type of the client.

ASDM User Guide

8-32

OL-10106-01

Chapter 8

Configuring Device Properties Client Update

Introduction to Auto Update Server and Client Update

The Auto Update specification provides the infrastructure necessary for remote management applications to download security appliance configurations, software Images, and to perform basic monitoring from a centralized location. As an Auto Update server, the specification allows the Auto Update server to either push configuration information and send requests for information to the security appliance, or to pull configuration information by causing the security appliance to periodically poll the Auto Update server. The Auto Update server can also send a command to the security appliance to send an immediate polling request at any time. Communication between the Auto Update server and the security appliance requires a communications path and local CLI configuration on each security appliance.
Fields

The Client Update pane consists of the following fields:


Enable Client UpdateCheck to allow the security appliance to update the images used by other security appliances that are configured as Auto Update clients. Client Images tablelets you view previously-configured Client Update entries and includes the following columns:
DeviceDisplays a text string corresponding to a device-id of the client. Device FamilyDisplays the family name of a client, either asa, pix, or a text string. Device TypeDisplays the type name of a client. Image TypeSpecifies the type of image, either ASDM image or Boot image. Image URLSpecifies the URL for the software component. Client RevisionSpecifies the revision number(s) of the software component.

Double-clicking any of the rows in the Client Images table opens the Edit Client Update Entry dialog, in which you can modify the client parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration.

Live Client Update areaLets you immediately update Auto Update clients that are currently connected to the security appliance through a tunnel.
Tunnel GroupSelect all to update all Auto Update clients connected over all tunnel groups,

or specify a tunnel group for clients that you want to update.


Update NowClick to begin an immediate update.

Note

Live Client Update is only available when the security appliance is configured in routed mode.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

8-33

Chapter 8

Configuring Device Properties

Add/Edit Client Update


Configuration > Properties > Add/Edit Client Update
Fields

The Add/Edit Client Update dialog displays the following fields:

Device Identification group:


Device IDEnable if the client is configured to identify itself with a unique string, and specify

the same string that the client uses. The maximum length is 63 characters.
Device FamilyEnable if the client is configured to identify itself by device family, and specify

the same same device family that the client uses. It can be asa, pix, or a text string with a maximum length of 7 characters.
Device TypeEnable if the client is configured to identify itself by device type, and specify the

same device type that the client uses. It can be pix-515, pix-515e, pix-525, pix-535, asa5505, asa5510, asa5520, or asa5540. It can also be a text string with a maximum length of 15 characters.
Not SpecifiedSelect for clients that do not match the above.

Image TypeSpecifies an image type, either ASDM or boot image. This URL must point to a file appropriate for this client. Maximum length of 255 characters. Client RevisionSpecifies a text string corresponding to the revision number(s) of the software component. For example: 7.1(0)22. Image URLSpecifies the URL for the software component. This URL must point to a file appropriate for this client.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

8-34

OL-10106-01

C H A P T E R

DHCP and DNS Services


A DHCP server provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface. The Domain Name System (DNS) is the system in the Internet that maps names of objects (usually host names) into IP numbers or other resource record values. The namespace of the Internet is divided into domains, and the responsibility for managing names within each domain is delegated, typically to systems within each domain. DNS client services allows you to specify DNS servers to which the security appliance sends DNS requests, request timeout period, and other parameters. Dynamic DNS (DDNS) update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and automates IP address allocation; DDNS update automatically records the association between assigned addresses and host names at pre-defined intervals. DDNS allows frequently changing address-host name associations to be updated frequently. Mobile hosts, for example, can then move freely on a network without user or administrator intervention. For information about configuring these services, see the following topics:

DHCP Relay DHCP Server DNS Client Dynamic DNS

DHCP Relay
Configuration > Properties > DHCP Services > DHCP Relay The DHCP Relay pane lets you configure DHCP relay services on the security appliance. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface. To configure DHCP relay, you need to specify at least one DHCP relay server and then enable a DHCP relay agent on the interface receiving DHCP requests.
Restrictions

You cannot enable a DHCP relay agent on an interface that has a DHCP relay server configured for it. The DHCP relay agent works only with external DHCP servers; it will not forward DHCP requests to a security appliance interface configured as a DHCP server.

ASDM User Guide OL-10106-01

9-1

Chapter 9 DHCP Relay

DHCP and DNS Services

Prerequisites

Before you can enable a DHCP relay agent on an interface, you must have at least one DHCP relay server in the configuration.
Fields

DHCP Relay AgentDisplay only. Contains the fields for configuring the DHCP relay agent.
InterfaceDisplays the interface ID. Double-clicking an interface opens the Edit DHCP Relay

Agent Settings dialog box, where you can enable the DHCP relay agent and configure the relay agent parameters.
DHCP Relay EnabledIndicates whether the DHCP relay agent is enabled on the interface.

This column displays Yes if the DHCP relay agent is enabled or No if the DHCP relay agent is not enabled on the interface.
Set RouteIndicates whether the DHCP relay agent is configured to modify the default router

address in the information returned from the DHCP server. This column display Yes if the DHCP relay agent is configured to change the default router address to the interface address or No if the DHCP relay agent does not modify the default router address.
EditOpens the Edit DHCP Relay Agent Settings dialog box, where you can enable the DHCP

relay agent and configure the relay agent parameters.

DHCP Relay ServerContains the fields for configuring the DHCP relay servers.
TimeoutSpecifies the amount of time, in seconds, allowed for DHCP address negotiation.

Valid values range from 1 to 3600 seconds. The default value is 60 seconds.
ServerDisplay only. Displays the IP address of a configured, external DHCP server.

Double-clicking a server address opens the DHCP Relay - Edit DHCP Server dialog box, where you can edit the DHCP relay server settings.
InterfaceDisplay only. Display the interface the specified DHCP server is attached to. AddOpens the DHCP Relay - Add DHCP Server dialog box, where you can specify a new

DHCP relay server. You can define up to 4 DHCP relay servers on the security appliance. This button is unavailable if you already have 4 DHCP relay servers defined.
EditOpens the DHCP Relay - Edit DHCP Server dialog box, where you can edit the DHCP

relay server settings.


DeleteRemoves the selected DHCP relay server. The server is removed from the security

appliance configuration when you apply or save your changes.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit DHCP Relay Agent Settings


Configuration > Properties > DHCP Services > DHCP Relay > Edit DHCP Relay Agent Settings

ASDM User Guide

9-2

OL-10106-01

Chapter 9

DHCP and DNS Services DHCP Relay

You can enable the DHCP relay agent and configure the relay agent parameters for the selected interface in the Edit DHCP Relay Agent Settings dialog box.
Restrictions

You cannot enable a DHCP relay agent on an interface that has a DHCP relay server configured for it. You cannot enable a DHCP relay agent on a security appliance that has DHCP server configured on an interface.

Prerequisites

Before you can enable a DHCP relay agent on an selected interface, you must have at least one DHCP relay server in the configuration.
Fields

Enable DHCP Relay AgentWhen checked, enables the DHCP relay agent on the selected interface. You must have a DHCP relay server defined before enabling the DHCP relay agent. Set RouteSpecifies whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. When this check box is checked, the DHCP relay agent substitutes the address of the selected interface for the default router address in the information returned from the DHCP server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DHCP Relay - Add/Edit DHCP Server


Configuration > Properties > DHCP Services > DHCP Relay > DHCP Relay - Add/Edit DHCP Server Define new DHCP relay servers in the DHCP Relay - Add DHCP Server dialog box or edit exiting server information in the DHCP Relay - Edit DHCP Server dialog box. You can define up to 4 DHCP relay servers.
Restrictions

You cannot define a DHCP relay server on an interface with a DHCP server enabled on it.
Fields

DHCP ServerSpecifies the IP address of the external DHCP server to which DHCP requests are forwarded. InterfaceSpecifies the interface through which DHCP requests are forwarded to the external DHCP server.

ASDM User Guide OL-10106-01

9-3

Chapter 9 DHCP Server

DHCP and DNS Services

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DHCP Server
Configuration > Properties > DHCP Services > DHCP Server The DHCP Server pane lets you configure the security appliance interfaces as DHCP servers. You can configure one DHCP server per interface on the security appliance.

Note

You cannot configure a DHCP server on an interface that has DHCP relay configured on it. For more information about DHCP relay, see DHCP Relay.
Fields

InterfaceDisplay only. Displays the interface ID. Double-clicking an interface ID opens the Edit DHCP Server dialog box, where you can enable DHCP on and assign a DHCP address pool to the selected interface. DHCP EnabledDisplay only. Indicates whether DHCP is enabled on the interface. This column displays Yes if DHCP is enabled or No if DHCP is not enabled on the interface. Address PoolDisplay only. Displays the range of IP addresses assigned to the DHCP address pool. DNS ServersDisplay only. Displays the DNS servers configured for the interface. WINS ServersDisplay only. Displays the WINS servers configured for the interface. Domain NameDisplay only. Displays the domain name of the interface. Ping TimeoutDisplay only. Displays time in milliseconds that the security appliance will wait for an ICMP ping response on the interface. Lease LengthDisplay only. Displays the duration of time that the DHPC server configured on the interface allows DHCP clients to use the an assigned IP address. Auto InterfaceDisplay only. Displays the interface on a DHCP client providing DNS, WINS, and domain name information for automatic configuration. OptionsDisplay only. Displays advanced DHCP options configured for the interface. Dynamic DNS SettingsDisplay only. Displays EditOpens the Edit DHCP Server dialog box for the selected interface. You can enable DHCP and specify the DHCP address pool in the Edit DHCP Server dialog box. Other DHCP OptionsContains optional DHCP parameters.
Enable Autoconfiguration on interfaceCheck to enable DHCP auto configuration and select

the interface from the menu.

ASDM User Guide

9-4

OL-10106-01

Chapter 9

DHCP and DNS Services DHCP Server

DHCP auto configuration causes the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If any of the information obtained through auto configuration is also specified manually in the Other DHCP Options area, the manually specified information takes precedence over the discovered information.
DNS Server 1(Optional) Specifies the IP address of the primary DNS server for a DHCP

client.
DNS Server 2(Optional) Specifies the IP address of the alternate DNS server for a DHCP

client.
Domain Name(Optional) Specifies the DNS domain name for DHCP clients. Enter a valid

DNS domain name, for example example.com.


Lease Length(Optional) Specifies the amount of time, in seconds, that the client can use its

allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).
Primary WINS Server(Optional) Specifies the IP address of the primary WINS server for a

DHCP client.
Secondary WINS Server(Optional) Specifies the IP address of the alternate WINS server for

a DHCP client.
Ping Timeout(Optional) To avoid address conflicts, the security appliance sends two ICMP

ping packets to an address before assigning that address to a DHCP client. The Ping Timeout field specifies the amount of time, in milliseconds, that the security appliance waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.
AdvancedOpens the Advanced DHCP Options dialog box, where you can specify DHCP

options and their parameters.

Dynamic DNS Settings for DHCP ServerIn this area, you can configure the DDNS update settings for the DHCP server.
Update DNS ClientsCheck to specify that, besides the default action of updating the client

PTR resource records, the DHCP server should also perform the following update actions (if selected):
Update Both RecordsCheck to specify that the DHCP server should update both the A and

PTR RRs.
Override Client SettingsCheck to specify that the DHCP server actions should override any

update actions requested by the DHCP client.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

9-5

Chapter 9 DHCP Server

DHCP and DNS Services

Edit DHCP Server


Configuration > Properties > DHCP Services > DHCP Server > Edit DHCP Server You can enable DHCP and specify the DHCP address pool for the selected interface in the Edit DHCP Server dialog box.
Fields

Enable DHCP ServerCheck this check box to enable the DHCP server on the selected interface. Uncheck this check box to disable DHCP on the selected interface. Disabling the DHCP server on the selected interface does not clear the specified DHCP address pool. DHCP Address PoolEnter the IP address pool used by the DHCP server. Enter the range of IP addresses from lowest to highest. The range of IP addresses must be on the same subnet as the selected interface and cannot contain the IP address of the interface itself. Optional ParametersYou can optionally configure the following parameters for the DHCP server:
DNS Server 1Enter the IP address of the primary DNS server for a DHCP client. DNS Server 2 Enter the IP address of the alternate DNS server for a DHCP client. Domain NameEnter the DNS domain name for DHCP clients. Enter a valid DNS domain

name, for example example.com.


Lease LengthEnter the amount of time, in seconds, that the client can use its allocated IP

address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).
Primary WINS ServerEnter the IP address of the primary WINS server for a DHCP client. Secondary WINS ServerEnter the IP address of the alternate WINS server for a DHCP client. Ping TimeoutEnter the amount of time, in milliseconds, that the security appliance waits to

time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.
Enable Autoconfiguration on interfaceCheck to enable DHCP auto configuration and select

the interface from the menu.


AdvancedOpens the Advanced DHCP Options dialog box, where you can specify DHCP

options and their parameters.

Dynamic DNS Settings for DHCP ServerIn this area, you can configure the DDNS update settings for the DHCP server.
Update DNS ClientsCheck to specify that, besides the default action of updating the client

PTR resource records, the DHCP server should also perform the following update actions (if selected):
Update Both RecordsCheck to specify that the DHCP server should update both the A and

PTR RRs.
Override Client SettingsCheck to specify that DHCP server actions should override any

update actions requested by the DHCP client.


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

9-6

OL-10106-01

Chapter 9

DHCP and DNS Services DHCP Server

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Advanced DHCP Options


Configuration > Properties > DHCP Services > DHCP Server > Advanced DHCP Options The Advanced DHCP Options dialog box lets you configure DHCP option parameters. You use DHCP options to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers. You can use that advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients. You can also use the DHCP auto configuration setting to obtain these values or manually specify them on the DHCP Server pane. When you use more than one method to specify this information, the information is passed to DHCP clients with the following preference:
1. 2. 3.

Manually configured settings. Advanced DHCP Options settings. DHCP auto configuration.

For example, you can manually define the domain name that you want the DHCP clients to receive, and then enable DHCP auto configuration. Although DHCP auto configuration will discover the domain along with the DNS and WINS servers, the manually-defined domain name is passed to DHCP clients with the discovered DNS and WINS server names. The domain name discovered by the DHCP auto configuration process is discarded in favor of the manually-defined domain name.
Fields

Option to be AddedContains the fields used to configure a DHCP option.


Choose the option codeLists the available option codes. All DHCP options (options 1 through

255) are supported except 1, 12, 5054, 5859, 61, 67, and 82. Choose the option that you want to configure. Some options are standard. For standard options, the option name is shown in parentheses after the option number and the option parameters are limited to those supported by the option. For all other options, only the option number is shown and you must choose the appropriate parameters to supply with the option. For standard DHCP options, only the supported option value type is available. For example, if you choose DHCP Option 2 (Time Offset), you can only supply a hexadecimal value for the option. For all other DHCP options, all of the option value types are available and you must choose the appropriate options value type.

Option DataThese options specify the type of information the option returns to the DHCP client. For standard DHCP options, only the supported option value type is available. For all other DHCP options, all of the option value types are available. IP AddressChoosing this value specifies that an IP address is returned to the DHCP client. You can specify up to two IP addresses.

ASDM User Guide OL-10106-01

9-7

Chapter 9 DHCP Server

DHCP and DNS Services

Note

The name of the associated IP Address fields can change based on the DHCP option you chose. For example, if you choose DHCP Option 3 (Router), the fields change name to Router 1 and Router 2.

IP Address 1An IP address in dotted-decimal notation. IP Address 2(Optional) An IP address in dotted-decimal notation.

ASCIIChoose this option specifies that an ASCII value is returned to the DHCP client.

Note

The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 14 (Merit Dump File), the associated Data field changes name to File Name.

DataAn ASCII character string. The string cannot include white space.

HexSelecting this option specifies that a hexadecimal value is returned to the DHCP client.

Note

The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 2 (Time Offset), the associated Data field becomes the Offset field.

DataA hexadecimal string with an even number of digits and no spaces. You do not need to

use a 0x prefix.

AddAdds the configured option to the DHCP option table. DeleteRemoves the selected option from the DHCP option table. DHCP option tableLists the DHCP options that have been configured.
Option CodeShows the DHCP option code. For standard DHCP options, the option name

appears in parentheses next to the option code.


Option DataShows the parameters that have been configured for the selected option.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

9-8

OL-10106-01

Chapter 9

DHCP and DNS Services DNS Client

DNS Client
Configuration > Properties > DNS > DNS Client The DNS Client pane shows the DNS server groups and DNS lookup information for the security appliance, so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration. Other features that define server names (such as AAA) do not support DNS resolution. In those cases, you must enter the IP address or manually resolve the name to an IP address by adding the server name in the Network Object Groups pane.
Fields

DNS Server GroupsDisplays and manages the DNS server list. There can be up to six addresses to which DNS requests can be forwarded. The security appliance tries each DNS server in order until it receives a response. You must enable DNS on at least one interface in the DNS Lookup area before you can add a DNS server. The contents of the table in this area are as follows:
NameDisplay only. Shows the name of each configured DNS server group. ServersDisplay only. Shows the IP addresses of the configured servers. TimeoutDisplay only. Shows the number of seconds to wait before trying the next DNS server

in the list, between 1 and 30 seconds. The default is 2 seconds. Each time the security appliance retries the list of servers, this timeout doubles.
RetriesDisplay only. Shows the number of seconds to wait before trying the next DNS server

in the list.
Domain NameDisplay only. Shows the number of times the security appliance retries the

request.

DNS LookupEnables or disables DNS lookup on an interface.


InterfaceDisplay only. Lists all interface names. DNS EnabledDisplay only. Shows whether an interface supports DNS lookup, Yes or No. DisableDisables DNS lookup for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit DNS Server Group


Configuration > Properties > DNS Client > Add/Edit DNS Server Group The Add or Edit DNS Server Group pane lets you specify or modify one or more DNS servers for the security appliance so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration (See Add/Edit Trustpoint Configuration > Enrollment Settings Tab and

ASDM User Guide OL-10106-01

9-9

Chapter 9 Dynamic DNS

DHCP and DNS Services

Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab). Other features that define server names (such as AAA) do not support DNS resolution. For those, you must enter the IP address or manually resolve the name to an IP address by adding the server name in the Network Object Groups pane.
Fields

NameSpecifies the server name. For the Edit function, this field is Display only. DNS ServersManages the DNS server list. You can specify up to six addresses to which DNS requests can be forwarded. The security appliance tries each DNS server in order until it receives a response. You must enable DNS on at least one interface in the DNS Lookup area before you can add a DNS server.
Server to be AddedSpecifies the DNS server IP address. AddAdds a DNS server to the bottom of the list. DeleteDeletes the selected DNS server from the list. ServersDisplay only. Shows the DNS server list. Move UpMoves the selected DNS server up the list. Move downMoves the selected DNS server down the list.

TimeoutSpecifies the number of seconds to wait before trying the next DNS server in the list, between 1 and 30 seconds. The default is 2 seconds. Each time the security appliance retries the list of servers, this timeout doubles. RetriesSets the number of times the security appliance retries the request. The range is 1 through 10 retries. Domain Name(Optional) Specifies the DNS domain name for the server. Enter a valid DNS domain name; for example example.com.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Dynamic DNS
Configuration > Properties > DNS > Dynamic DNS The Dynamic DNS pane shows the configured DDNS update methods and the interfaces configured for DDNS. By automatically records the association between assigned addresses and host names at pre-defined intervals, DDNS allows frequently changing address-host name associations to be updated frequently. Mobile hosts, for example, can then move freely on a network without user or administrator intervention.
Fields

Update MethodsLists the DDNS update methods that are configured on the security appliance. This table includes:

ASDM User Guide

9-10

OL-10106-01

Chapter 9

DHCP and DNS Services Dynamic DNS

Method NameDisplay only. Shows the user-defined name for the DDNS update method. IntervalDisplay only. Shows the time between DNS update attempts configured for the update

method.
Update DNS Server RecordsDisplay only. Shows whether the method updates both the A

resource record (name to IP address) and the PTR resource record (IP address to name), or neither record.
Add/EditDisplays the Add/Edit Dynamic DNS Update Methods dialog box. DeleteRemoves the currently selected update method from the table.

Dynamic DNS Interface SettingsLists the DDNS settings for each interface configured for DDNS.
InterfaceDisplay only. Shows the names of the security appliance interfaces configured for

DDNS.
Method NameDisplay only. Shows the update methods assigned to each interface. HostnameDisplay only. Shows the hostname of the DDNS client. Update DHCP Server RecordsDisplay only. Shows whether the interface updates both the A

and PTR resource records or neither.


Add/EditDisplays the Add/Edit Dynamic DNS Interface Settings dialog box. DeleteRemoves the DDNS update settings for the selected interface.

DHCP Clients Update DNS RecordsThis is the global setting specifying which records the DHCP client requests to be updated by the DHCP server. Click one of the following radio buttons:
Default (PTR Records) to specify that the client request PTR record updating by the server

or
Both (PTR Records and A Records) to specify that the client request both the A and PTR DNS

resource records by the server or


None to specify that the client request no updates by the server

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Dynamic DNS Update Methods


Configuration > Properties > DNS > Dynamic DNS > Add/Edit Dynamic DNS Update Method The Add/Edit Dynamic DNS Update Methods dialog box lets you add a new method or edit a previously added method. You can specify the method name (if adding a method), specify the interval between DDNS update attempts, and specify whether the DDNS client attempts to update both or neither of the two DNS records, the A record and the PTR record.

ASDM User Guide OL-10106-01

9-11

Chapter 9 Dynamic DNS

DHCP and DNS Services

Fields

NameIf you are adding a method, enter then name of the new method in this field. If you are editing an existing method, this field is display-only and shows the name of the method selected for editing. Update IntervalSpecifies the time to elapse between update attempts. The interval ranges from 0 to nearly one year.
DaysChoose the number of days between update attempts from 0 to 364. HoursChoose the number of hours (in whole numbers) between update attempts from 0 to 23. MinutesChoose the number of minutes (in whole numbers) between update attempts from 0

to 59.
SecondsChoose the number of minutes (in whole numbers) between update attempts from 0

to 59.
Update RecordsClick Both (A and PTR Records) for the client to attempt updates to both the

A and PTR DNS resource records, or click A Records Only to update just the A records. This is the individual method setting for DNS server records updated by the client. These units are additive. That is, if you enter 0 days, 0 hours, 5 minutes and 15 seconds, the update method will attempt an update every 5 minutes and 15 seconds for as long as the method is active.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Dynamic DNS Interface Settings


Configuration > Properties > DNS > Dynamic DNS > Add/Edit Dynamic DNS Interface Settings The Add/Edit Dynamic DNS Interface Settings allows you to configure DDNS on a security appliance interface. You can assign an update method, specify the hostname, and configure DHCP server updating of both the A and PTR records by the client or neither.
Fields

InterfaceChoose an interface on which to configure DDNS from the menu. Update MethodChoose an available DDNS update method from the menu. HostnameEnter the hostname of the DDNS client. DHCP ClientThis area allows you to specify that the DHCP client updates both the A and PTR DNS records or neither. This interface setting overrides the global setting at Configuration > Properties > DNS > Dynamic DNS DCHP Client Updates DNS RecordsClick one of the following radio buttons:
Default (PTR Records only) to specify that the client request only PTR record updating by the

server

ASDM User Guide

9-12

OL-10106-01

Chapter 9

DHCP and DNS Services Dynamic DNS

or
Both (PTR Records and A Records) to specify that the client request both the A and PTR DNS

resource records by the server or


None to specify that the client request no updates by the server

Note

DHCP must be enabled on the selected interface for this action to be effective.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

9-13

Chapter 9 Dynamic DNS

DHCP and DNS Services

ASDM User Guide

9-14

OL-10106-01

C H A P T E R

10

Configuring AAA Servers


This section contains the following topics:

Understanding AAA AAA Setup

Understanding AAA
This section contains the following topics:

AAA Overview Preparing for AAA LOCAL Database AAA for Device Administration AAA for Network Access AAA for VPN Access

AAA Overview
AAA enables the security appliance to determine who the user is (authentication), what the user can do (authorization), and what the user did (accounting). You can use authentication alone or with authorization and accounting. Authorization always requires a user to be authenticated first. You can use accounting alone, or with authentication and authorization. AAA provides an extra level of protection and control for user access than using access lists alone. For example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server and you might not always know IP addresses of these users, you can enable AAA to allow only authenticated and/or authorized users to make it through the security appliance. (The Telnet server enforces authentication, too; the security appliance prevents unauthorized users from attempting to access the server.)

About AuthenticationAuthentication grants access based on user identity. Authentication establishes user identity by requiring valid user credentials, which are typically a username and password.

ASDM User Guide OL-10106-01

10-1

Chapter 10 Understanding AAA

Configuring AAA Servers

About AuthorizationAuthorization controls access per user after users authenticate. Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users. If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization. The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.

About AccountingAccounting tracks traffic that passes through the security appliance, enabling you to have a record of user activity. If you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Preparing for AAA


AAA services depend upon the use of the LOCAL database or at least one AAA server. You can also use the LOCAL database as a fallback for most services provided by a AAA server. Before you implement AAA, you should configure the LOCAL database and configure AAA server groups and servers. How you configure the LOCAL database and AAA servers depends upon the AAA services you want the security appliance to support. Regardless of whether you use AAA servers, you should configure the LOCAL database with user accounts that support administrative access, to prevent accidental lockouts and, if so desired, to provide a fallback method when AAA servers are unreachable. For more information, see LOCAL Database. Table 10-1 provides a summary of AAA service support by each AAA server type and by the LOCAL database. You manage the LOCAL database by configuring user profiles in the Configuration > Properties > Device Administration > User Accounts pane. You establish AAA server groups and add individual AAA servers to the server groups in the Configuration > Properties > AAA Setup > AAA Server Groups pane.
Table 10-1 Summary of AAA Support

Database Type AAA Service


Authentication of...

Local Yes Yes Yes Yes No

RADIUS Yes Yes Yes Yes Yes


3

TACACS+ Yes Yes Yes No Yes

SDI Yes Yes Yes2 No No

NT Yes Yes Yes No No

Kerberos Yes Yes Yes No No

LDAP Yes Yes Yes Yes No

HTTP Form Yes1 No No No No

VPN users Firewall sessions Administrators


Authorization of...

VPN users Firewall sessions

ASDM User Guide

10-2

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Implementation in ASDM

Table 10-1

Summary of AAA Support (continued)

Database Type AAA Service Administrators


Accounting of...

Local Yes4 No No No

RADIUS No Yes Yes Yes


5

TACACS+ Yes Yes Yes Yes

SDI No No No No

NT No No No No

Kerberos No No No No

LDAP No No No No

HTTP Form No No No No

VPN connections Firewall sessions Administrators

1. HTTP Form protocol supports single sign-on authentication for WebVPN users only. 2. SDI is not supported for HTTP administrative access. 3. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response. 4. Local command authorization is supported by privilege level only. 5. Command accounting is available for TACACS+ only.

LOCAL Database
The security appliance maintains a local database that you can populate with user profiles.

User ProfilesUser profiles contain, at a minimum, a username. Typically, you assign a password to each username, although passwords are optional. User profiles can also specify VPN access policy per user. You can manage user profiles with the Configuration > Properties > Device Administration > User Accounts pane. Fallback SupportThe local database can act as a fallback method for console and enable password authentication, for command authorization, and for VPN authentication and authorization. This behavior is designed to help you prevent accidental lockout from the security appliance. For users who need fallback support, we recommend that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

AAA Implementation in ASDM


You can use AAA for the following:

AAA for Device Administration AAA for Network Access AAA for VPN Access

AAA for Device Administration


You can authenticate all administrative connections to the security appliance, including:

ASDM User Guide OL-10106-01

10-3

Chapter 10 AAA Setup

Configuring AAA Servers

Telnet SSH Serial console ASDM VPN management access

You can also authenticate administrators who attempt to enter enable mode. You can authorize administrative commands. You can have accounting data for administrative sessions and for commands issued during a session sent to an accounting server. You can configure AAA for device administration with the Configuration > Properties > Device Access > AAA Access pane.

AAA for Network Access


You can configure rules for authenticating, authorizing, and accounting for traffic passing through the firewall by using the Configuration > Security Policy > AAA Rules tab. The rules you create are similar to access rules, except that they specify whether to authenticate, authorize, or perform accounting for the traffic defined; and which AAA server group the security applianceis to use to process the AAA service request.

AAA for VPN Access


AAA services for VPN access include the following:

User account settings for assigning users to VPN groups, configured in the Configuration > Properties > Device Administration > User Accounts pane. VPN group policies that can be referenced by many user accounts or tunnel groups, configured in the Configuration > VPN > General > Group Policy pane. Tunnel group policies, configured in the Configuration > VPN > General > Tunnel Group pane.

AAA Setup
The AAA Setup panes let you configure AAA server groups, AAA servers, and the authentication prompt. This section includes the following topics:

AAA Server Groups Auth. Prompt LDAP Attribute Map

AAA Server Groups


Configuration > Properties > AAA Setup > AAA Server Groups The AAA Server Groups pane lets you:

Configure AAA server groups and the protocols the security appliance uses to communicate with the servers listed in each group.

ASDM User Guide

10-4

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Setup

Configure and add individual servers to AAA server groups.

You can have up to 15 groups in single-mode or 4 groups in multi-mode. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. When a user logs in, the servers are accessed one at a time, starting with the first server you specify, until a server responds. If AAA accounting is in effect, the accounting information goes only to the active server, unless you have configured simultaneous accounting. For an overview of AAA services, see Understanding AAA.
Fields

The fields in the AAA Server Groups pane are grouped into two main areas: the AAA Server Groups area and the Servers In The Selected Group area. The AAA Server Groups area lets you configure AAA server groups and the protocols the security appliance uses to communicate with the servers listed in each group.

Note

Double-clicking any of the rows in the AAA Server Groups table opens the Edit AAA Server Group dialog box, in which you can modify the AAA Server Group parameters. These changes are immediately reflected in the table, but you must click Apply to save them to the configuration. Clicking a column head sorts the table rows in alphanumeric order according to the contents of that column.

Server GroupDisplay only. Shows the symbolic name of the selected server group. ProtocolDisplay only. Lists the AAA protocol that servers in the group support. Accounting ModeDisplay only. Shows either simultaneous or single mode accounting. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group. Reactivation ModeDisplay only. Shows the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time. Dead TimeDisplay only. Shows the number of minutes that will elapse between the disabling of the last server in the group and the subsequent reenabling of all servers. This parameter applies only in depletion mode. Max Failed AttemptsDisplay only. Shows the number of failed connection attempts allowed before declaring a nonresponsive server inactive. AddDisplays the Add AAA Server Group dialog box. EditDisplays the Edit AAA Server Group dialog box, or, if you have selected LOCAL as the server group, displays the Edit AAA Local Server Group dialog box. DeleteRemoves the currently selected server group entry from the server group table. There is no confirmation or undo.

The Servers In Selected Group area, the second area of the AAA Server Groups pane, lets you add and configure AAA servers for existing AAA server groups. The servers can be RADIUS, TACACS+, NT, SDI, Kerberos, LDAP, or HTTP-form servers.

Server Name or IP AddressDisplay only. Shows the name or IP address of the AAA server. InterfaceDisplay only. Shows the network interface where the authentication server resides.

ASDM User Guide OL-10106-01

10-5

Chapter 10 AAA Setup

Configuring AAA Servers

TimeoutDisplay only. Shows the timeout interval, in seconds. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server. Add/EditDisplays the Add/Edit AAA Server dialog box. DeleteRemoves the selected AAA server from the list. Move upMoves the selected AAA server up in the AAA sequence. Move downMoves the selected AAA server back in the AAA sequence. TestDisplays the Test AAA Server dialog box.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. HTTP Form and WebVPN are supported only in single routed mode.

Add/Edit AAA Server Group


Configuration > Properties > AAA Setup > AAA Server Groups > Add/Edit AAA Server Group The Add/Edit AAA Server Group dialog box lets you add or modify AAA server groups. The results appear in the AAA Server table.
Fields

Server GroupDisplay only. Shows the name of the selected server group. Protocol drop-down listSpecifies the protocols supported by servers in the group. They include RADIUS, TACACS+, NT Domain, SDI, Kerberos, LDAP, and HTTP Form for single sign-on (WebVPN users only).

Note

The following fields are not available after selecting the HTTP Form protocol. Accounting ModeSpecifies the accounting mode used with the server group.
SimultaneousConfigures the security appliance to send accounting data to all servers in the

group.
SingleConfigures the security appliance to send accounting data to only one server of the

group.

Reactivation ModeSpecifies the method by which failed servers are reactivated.


DepletionConfigures the security appliance to reactivate failed servers only after all of the

servers in the group are inactive.


TimedConfigures the security appliance to reactive failed servers after 30 seconds of down

time.

ASDM User Guide

10-6

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Setup

Dead TimeSpecifies the number of minutes that will elapse between the disabling of the last server in the group and the subsequent reenabling of all servers. This field is not available for timed mode. Max Failed AttemptsSpecifies the number of failed connection attempts (1 through 5) allowed before declaring a nonresponsive server inactive.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. HTTP Form and WebVPN are supported only in single routed mode.

Edit AAA Local Server Group


Configuration > Properties > AAA Setup > AAA Server Groups > Edit AAA Local Server Group The Edit AAA Local Server Group dialog box lets you specify whether to enable local user lockout and the maximum number of failed login attempts to allow before locking out the user. If a user is locked out, and administrator must clear the lockout condition before the user can successfully log in.
Fields

Enable Local User Lockout Enables locking out and denying access to a user who has exceeded the configured maximum number of failed authentication attempts. Maximum AttemptsSpecifies the maximum number of failed login attempts allowed before locking out and denying access to a user. This limit applies only when the LOCAL database is used for authentication.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. HTTP Form and WebVPN are supported only in single routed mode.

Add/Edit AAA Server


Configuration > Properties > AAA Setup > AAA Servers > Add/Edit AAA Server The Add/Edit AAA Server dialog box lets you modify the parameters of an existing AAA server or add a new AAA server to an existing group selected in the AAA server groups table.

ASDM User Guide OL-10106-01

10-7

Chapter 10 AAA Setup

Configuring AAA Servers

Fields

Note

The first four fields are the same for all types of servers. The area contents area is specific to each server type.

Server GroupDisplay only. Shows the name of the server group. Interface NameSpecifies the network interface where the server resides. Server Name or IP AddressSpecifies the name or IP address of the AAA server. TimeoutSpecifies the timeout interval, in seconds. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server. RADIUS Parameters areaSpecifies the parameters needed for using a RADIUS server. This area appears only when the selected server group uses RADIUS.
Retry IntervalSpecifies the number of seconds to wait after sending a query to the server and

receiving no response, before reattempting the connection. The minimum time is 1 second. The default time is 10 seconds. The maximum time is 10 seconds.
Server Authentication PortSpecifies the server port to use for user authentication. The default

port is 1645.

Note

The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
Server Accounting PortSpecifies the server port to use for user accounting. The default port

is 1646.
Server Secret KeySpecifies the server secret key (also called the shared secret) to use for

encryption; for example: C8z077f. The secret is case-sensitive. The field displays only asterisks.The security appliance uses the server secret to authenticate to the RADIUS server. The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server. The maximum field length is 64 characters.
Confirm Server Secret KeyRequires that you reenter the server secret, to confirm its accuracy.

The secret is case-sensitive. The field displays only asterisks.


Common PasswordSpecifies the common password for the group. The password is

case-sensitive. The field displays only asterisks. If you are defining a RADIUS server to be used for authentication rather than authorization, do not provide a common password. A RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS authorization server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this security appliance. Be sure to provide this information to your RADIUS server administrator. Enter a common password for all users who are accessing this RADIUS authorization server through this security appliance. If you leave this field blank, each user password will be his or her own username. For example, a user with the username jsmith would enter jsmith. As a security precaution never use a RADIUS authorization server for authentication. Use of a common password or usernames as passwords is much less secure than strong passwords per user.

ASDM User Guide

10-8

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Setup

Note

The password field is required by the RADIUS protocol and the RADIUS server requires it; however, users do not need to know it.
Confirm Common PasswordRequires that you reenter the common password, to confirm its

accuracy. The password is case-sensitive. The field displays only asterisks.


ACL Netmask ConvertSpecifies how the security appliance handles netmasks received in

downloadable access lists. The security appliance expects downloadable access lists to contain standard netmask expressions whereas Cisco Secure VPN 3000 series concentrators expect downloadable access lists to contain wildcard netmask expressions, which are the reverse of a standard netmask expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. The ACL Netmask Convert list helps minimize the effects of these differences upon how you configure downloadable access lists on your RADIUS servers. If you choose Detect Automatically, the security appliance attempts to determine the type of netmask expression used. If it detects a wildcard netmask expression, it converts it to a standard netmask expression; however, because some wildcard expressions are difficult to detect unambiguously, this setting may occasionally misinterpret a wildcard netmask expression as a standard netmask expression. If you choose Standard, the security appliance assumes downloadable access lists received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed. If you choose Wildcard, the security appliance assumes downloadable access lists received from the RADIUS server contain only wildcard netmask expressions and it converts them all to standard netmask expressions when the access lists are downloaded.

TACACS+ ParametersSpecifies the parameters needed for using a TACACS+ server. This area appears only when the selected server group uses TACACS+.
Server PortSpecifies the server port to use. Server Secret KeySpecifies the server secret key to use for encryption. The secret is

case-sensitive. The field displays only asterisks.


Confirm Server Secret KeyRequires that you reenter the server secret, to confirm its accuracy.

The secret is case-sensitive. The field displays only asterisks.

SDI ParametersSpecifies the parameters needed for using an SDI server. This area appears only when the selected server group uses SDI.
Server PortSpecifies the server port to use. Retry IntervalSpecifies the number of seconds to wait before reattempting the connection.

Kerberos ParametersSpecifies the parameters needed for using a Kerberos server. This area appears only when the selected server group uses Kerberos.
Server PortSpecifies the server port that the Kerberos server listens to. Retry IntervalSpecifies the number of seconds to wait before reattempting the connection.

Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the security appliance declares this server inoperative and uses the next Kerberos/Active Directory server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

ASDM User Guide OL-10106-01

10-9

Chapter 10 AAA Setup

Configuring AAA Servers

Kerberos RealmSpecifies the name of the Kerberos realm to use, for example:

USDOMAIN.ACME.COM. The maximum length is 64 characters. The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows.NET. You must enter this name, and it must be the correct realm name for the server whose IP address you entered in the Server IP Address field.

LDAP ParametersSpecifies the parameters needed for using an LDAP server. This area appears only when the selected server group uses LDAP.
Enable LDAP Over SSLSpecifies that SSL secures communications between the security

appliance and the LDAP server. Also called secure LDAP.


Server PortSpecifies the server port to use. Enter the TCP port number by which you access

the server.
Server TypeLets you manually set the LDAP server type as a Sun Microsystems JAVA System

Directory Server (formerly the Sun ONE Directory Server) or a Microsoft Active Directory, or lets you specify auto-detection for server type determination.
Base DNSpecifies the Base DN. Enter the location in the LDAP hierarchy where the server

should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com .
ScopeSpecifies the extent of the search in the LDAP hierarchy that the server should make

when it receives an authorization requestOne Level (Search only one level beneath the Base DN. This option is quicker.) All Levels (Search all levels beneath the Base DN; in other words, search the entire subtree hierarchy. This option takes more time.)
Naming Attribute(s)Specifies the Relative Distinguished Name attribute (or attributes) that

uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
Login DNSpecifies the login DN. Some LDAP servers (including the Microsoft Active

Directory server) require the security appliance to establish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the security appliances authentication characteristics; these characteristics should correspond to those of a user with administration privileges. Enter the name of the directory object for security appliance authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=Example Corporation, dc=com. For anonymous access, leave this field blank.
Login PasswordSpecifies the login password. The characters you type are replaced with

asterisks.
LDAP Attribute MapLists the LDAP attribute maps that you can apply to LDAP server. The

LDAP attribute map translates Cisco attribute names into user-defined attribute names and values.
SASL MD5 authenticationSpecifies that the MD5 mechanism of the Simple Authentication

and Security Layer secures authentication communications between the security appliance and the LDAP server.
SASL Kerberos authenticationSpecifies that Kerberos mechanism of the Simple

Authentication and Security Layer secures authentication communications between the security appliance and the LDAP server.
Kerberos Server GroupSpecifies the Kerberos server or server group used for authentication.

NT Domain ParametersSpecifies the parameters needed for using an NT server and includes the following fields:

ASDM User Guide

10-10

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Setup

Server PortSpecifies the TCP port number by which you access the server. The default port

number is 139.
NT Domain Controller Specifies the NT Primary Domain Controller host name for this

server, for example: PDC01. The maximum host name length is 15 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP Address in Authentication Server Address; if the name is incorrect, authentication fails.

HTTP Form ParametersSpecifies the parameters for the HTTP Form protocol for single sign-on authentication, available only to WebVPN users. This area appears only when the selected server group uses HTTP Form, and only the Server Group name and the protocol are visible. Other fields are not available when using HTTP Form.

Note

To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges. If you do not know what the following parameters are, use an HTTP header analyzer to extract the data from the HTTP GET and POST exchanges when logging into the authenticating web server directly, not through the security appliance. See the WebVPN chapter in the Cisco Security Appliance Command Line Configuration Guide for more detail on extracting these parameters from the HTTP exchanges.
Start URLSpecifies the complete URL of the authenticating web server location where a

pre-login cookie can be retrieved. This parameter must be configured only when the authenticating web server loads a pre-login cookie with the login page. A drop-down list offers both HTTP and HTTPS. The maximum number of characters is 1024, and there is no minimum.
Action URISpecifies the complete Uniform Resource Identifier for the authentication

program on the authorizing web server. The maximum number of characters for the complete URI is 2048 characters.
UsernameSpecifies the name of a username parameternot a specific usernamethat must

be submitted as part of the HTTP form used for SSO authentication. The maximum number of characters is 128, and there is no minimum.
PasswordSpecifies the name of a user password parameternot a specific password

valuethat must be submitted as part of the HTTP form used for SSO authentication. The maximum number of characters is 128, and there is no minimum.
Hidden ValuesSpecifies hidden parameters for the HTTP POST request submitted to the

authenticating web server for SSO authentication. This parameter is necessary only when it is expected by the authenticating web server as indicated by its presence in the HTTP POST request. The maximum number of characters is 2048.
Authentication Cookie Name(Optional) Specifies the name of the cookie that is set by the

server on successful login and that contains the authentication information. It is used to assign a meaningful name to the authentication cookie to help distinguish it from other cookies that the web server may pass back. The maximum number of characters is 128, and there is no minimum.

ASDM User Guide OL-10106-01

10-11

Chapter 10 AAA Setup

Configuring AAA Servers

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

1.

Transparent Single

System

1. HTTP Form and WebVPN are supported only in single routed mode.

Test AAA Server


Configuration > Properties > AAA Setup > AAA Server Groups > Test

Note

Test AAA Server is not available for HTTP Form authentication servers. Use the Test button to determine whether the security appliance can contact the selected AAA server. Failure to reach the AAA server may be due to incorrect configuration in ASDM or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime. After you complete the fields in this dialog box and click OK, the security appliance sends the applicable test message to the selected server. If the test fails, ASDM displays an error message about the type of error encountered. If the error message suggests a configuration error in ASDM, correct the configuration and try the test again.

Tip

Checking for basic network connectivity to the AAA server may save you time in troubleshooting. To test basic connectivity, click Tools > Ping.
Fields

AAA Server GroupDisplay only. Shows the AAA server group that the selected AAA server belongs to. Host Display only. Shows the hostname of the AAA server you selected. AuthorizationSpecifies that ASDM tests authorizing a user with the selected AAA server. If the server type selected does not support authorization, this radio button is not available. For example, the security appliance cannot support authorization with Kerberos servers. AuthenticationSpecifies that ASDM tests authenticating a user with the selected AAA server. If the server type selected does not support authentication, this radio button is not available. For example, the security appliance cannot support authentication with LDAP servers. UsernameSpecifies the username you want to use to test the AAA server. Make sure the username exists on the AAA server; otherwise, the test will fail. PasswordSpecifies the password for the username you entered in the Username field. The Password field is available only for authentication tests. Make sure the password is correct for the username entered; otherwise, the authentication test will fail.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

10-12

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Setup

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. HTTP Form and WebVPN are supported only in single routed mode.

Auth. Prompt
Configuration > Properties > AAA Setup > Auth. Prompt The Auth. Prompt pane lets you specify text to display to the user during the AAA authentication challenge process.You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the security appliance when requiring user authentication from TACACS+ or RADIUS servers. This text is primarily for cosmetic purposes and displays above the username and password prompts that users view when logging in. If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is accepted or rejected by the AAA server. If the AAA server authenticates the user, the security appliance displays the User accepted message text, if specified, to the user; otherwise it displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.

Note

Microsoft Internet Explorer displays up to 37 characters in an authentication prompt. Netscape Navigator displays up to 120 characters, and Telnet and FTP display up to 235 characters in an authentication prompt.
Fields

Prompt(Optional) Enables the display of AAA challenge text, specified in the field below the check box, for through-the-security appliance user sessions. Text(Optional) Specify a string of up to 235 alphanumeric characters or 31 words, limited by whichever maximum is first reached. Do not use special characters; however, spaces and punctuation characters are permitted. Entering a question mark or pressing the Enter key ends the string. (The question mark appears in the string.) User accepted message(Optional) Enables the display of text, specified in the field below the check box, confirming that the user has been authenticated. User rejected message(Optional) Enables the display of text, specified in the field below the check box, indicating that authentication failed.

Note

All of the fields in this pane are optional. If you do not specify an authentication prompt, FTP users see FTP authentication, HTTP users see HTTP Authentication Telnet users see no challenge text.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

10-13

Chapter 10 AAA Setup

Configuring AAA Servers

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

LDAP Attribute Map


Configuration > Properties > AAA Setup > LDAP Attribute Map The LDAP Attribute Map pane lets you create and name an attribute map for mapping custom (user-defined) attribute names to Cisco LDAP attribute names. If you are introducing a security appliance to an existing LDAP directory, your existing custom LDAP attribute names and values are probably different from the Cisco attribute names and values. Rather than renaming your existing attributes, you can create LDAP attribute maps that map your custom attribute names and values to Cisco attribute names and values. By using simple string substitution, the security appliance then presents you with only your own custom names and values. You can then bind these attribute maps to LDAP servers or remove them as needed. You can also delete entire attribute maps or remove individual name and value entries.

Note

To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
Fields

NameDisplays the names of the LDAP attribute maps available for editing. Attribute Map NameDisplays the mappings of custom attribute names to Cisco attribute names within each attribute map. AddDisplays the Add LDAP Attribute Map dialog box. EditDisplays the Edit LDAP Attribute Map dialog box. DeleteDeletes the selected LDAP Attribute Map.

Add/Edit LDAP Attribute Map


Configuration > Properties > AAA Setup > LDAP Attribute Map > Add/Edit LDAP Attribute Map The Add/Edit LDAP Attribute Map dialog box lets you modify or delete an existing LDAP attribute map, add a new LDAP attribute map, and populate attribute maps with attribute name and value mappings. Your typical steps to add a new attribute map using the LDAP Attribute Map dialog box would be as follows:
1. 2. 3.

Create a new, unpopulated attribute map. Populate the attribute map with name mappings that translate Cisco attribute names to custom, user-defined attribute names. Populate the attribute map with value mappings that apply custom, user-defined attribute values to the custom attribute name and to the matching Cisco attribute name and value.

ASDM User Guide

10-14

OL-10106-01

Chapter 10

Configuring AAA Servers AAA Setup

You would then bind the attribute map to an LDAP server when adding or editing the LDAP server using the Add/Edit AAA Server dialog box.
Fields

NameSpecifies the name of the LDAP attribute map you are adding or editing. If you are adding a new map, you enter the name of the map in this field. If you are editing a map that was selected in the LDAP Attribute Map pane, the name of the selected map displays as read-only text in this field. To change the map, you must return to the LDAP Attribute Map pane and choose the desired map. Name MapDisplays the fields necessary for mapping custom attribute names to Cisco attribute names. Value MapDisplays the fields necessary for mapping custom attribute values to custom attribute names and to the matching Cisco attribute name and value.

Add/Edit LDAP Attribute Map > Map Name Tab


Configuration > Properties > AAA Setup > LDAP Attribute Map > Add/Edit LDAP Attribute Map > Map Name Tab The Add/Edit LDAP Attribute Map dialog box lets you modify or delete an existing LDAP attribute map, add a new LDAP attribute map, and populate attribute maps with attribute name and value mappings. See also Add/Edit LDAP Attribute Map. Some fields vary depending upon whether you have selected the Map Name tab or the Map Value tab. When you click the Map Name tab, the following fields display.
Fields

NameSpecifies the name of the LDAP attribute map you are adding or editing. If you are adding a new map, you enter the name of the map in this field. If you are editing a map that was selected in the LDAP Attribute Map pane, the name of the selected map displays as read-only text in this field. To change the map, you must return to the LDAP Attribute Map pane and choose the desired map. Custom NameSpecifies the custom, user-defined attribute name that maps to an attribute name selected from the Cisco Name drop-down list. Cisco NameSpecifies the Cisco attribute name you want to map to the user-defined name in the Custom Name field. AddInserts the name mapping into the attribute map. RemoveRemoves the selected name mapping from the attribute map. Custom NameDisplays the custom attribute names of mappings in the attribute map. Cisco NameDisplays the Cisco attribute names of mappings in the attribute map.

Add/Edit LDAP Attribute Map > Map Value Tab


Configuration > Properties > AAA Setup > LDAP Attribute Map > Add/Edit LDAP Attribute Map > Map Value Tab The Add/Edit LDAP Attribute Map dialog box lets you modify or delete an existing LDAP attribute map, add a new LDAP attribute map, and populate attribute maps with attribute name and value mappings. See also Add/Edit LDAP Attribute Map. Some fields vary depending upon whether you have selected the Map Name tab or the Map Value tab. When you click the Map Value tab, the following fields appear.

ASDM User Guide OL-10106-01

10-15

Chapter 10 AAA Setup

Configuring AAA Servers

Fields

NameSpecifies the name of the LDAP attribute map you are adding or editing. If you are adding a new map, you enter the name of the map in this field. If you are editing a map that was selected in the LDAP Attribute Map pane, the name of the selected map displays as read-only text in this field. To change the map, you must return to the LDAP Attribute Map pane and choose the desired map. Custom NameDisplays the custom attribute names of mappings in the attribute map. Custom to Cisco Map ValueDisplays the mapping of a custom value to a Cisco value for a custom attribute. AddDisplays the Add LDAP Attributes Map Value dialog box. EditDisplays the Edit LDAP Attributes Map Value dialog box. DeleteDeletes the selected attribute value mapping from the LDAP attribute map.

Add/Edit LDAP Attributes Value Map


Configuration > Properties > AAA Setup > LDAP Attribute Map > Add/Edit LDAP Attribute Map > Add/Edit LDAP Attributes Map Value The Add/Edit LDAP Attribute Map Value dialog box lets you map a custom attribute value for a custom attribute name to the Cisco value of the associated Cisco attribute name.
Fields

Custom NameIf adding a new attribute value mapping, this is a drop-down list that lets you choose a custom attribute name from a list of attributes which do not yet have a custom value mapped to a Cisco attribute value. If editing an existing attribute value mapping, this is a read-only field which displays the name of the custom attribute selected on the Map Value tab of the Add/Edit LDAP Attribute Map dialog box. Custom ValueSpecifies a custom value for the selected custom attribute. Cisco ValueSpecifies the Cisco value for the selected custom attribute. AddAdds the value mapping to the custom attribute value map. RemoveRemoves the value mapping from the custom attribute value map. Custom NameDisplays the custom value for the custom attribute name. Cisco NameDisplays the Cisco value for the Cisco attribute name.

ASDM User Guide

10-16

OL-10106-01

C H A P T E R

11

Configuring Device Access


Configuration > Device Access This chapter contains the following topics:

AAA Access HTTPS/ASDM Secure Shell Telnet

AAA Access
Configuration > Device Access > AAA Access The AAA Access pane includes tabs for configuring authentication, authorization, and accounting for management access. For an overview of AAA services, see Configuring AAA Servers.

Authentication Tab Authorization Tab Accounting Tab

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Authentication Tab
Configuration > Device Access > AAA Access > Authentication Tab Use this tab to enable authentication for administrator access to the security appliance. Authentication lets you control access by requiring a valid username and password. You can configure the security appliance to authenticate the following items:

ASDM User Guide OL-10106-01

11-1

Chapter 11 AAA Access

Configuring Device Access

All administrative connections to the security appliance using the following methods:
Telnet SSH HTTPS/ASDM Serial

The enable command

Fields

Require authentication to allow use of privileged mode commandsSpecifies the parameters that control access to the privileged mode commands.
EnableEnables or disables the requirement that a user be authenticated before being allowed

to use privileged mode commands.


Server GroupSelects the server group to use for authenticating users to use privileged mode

commands.
Use LOCAL when server group failsAllows the use of the LOCAL database for

authenticating users to use privileged mode commands if the selected server group fails.

Require authentication for the following types of connectionsSpecifies the types of connections for which you want to require authentication and specifies the server group to use for that authentication.
HTTP/ASDMSpecifies whether to require authentication for HTTP/ASDM connections. Server GroupSelects the server group to use for authenticating the specified connection type. Use LOCAL when server group failsAllows the use of the LOCAL database for

authenticating the specified connection type if the selected server group fails.
SSHSpecifies whether to require authentication for SSH connections. TelnetSpecifies whether to require authentication for Telnet connections. SerialSpecifies whether to require authentication for serial connections.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Authorization Tab
Configuration > Device Access > AAA Access > Authorization Tab Authorization lets you control access per user after you authenticate with a valid username and password. You can configure the security appliance to authorize management commands. Authorization lets you control which services and commands are available to an individual user. Authentication alone provides the same access to services for all authenticated users.

ASDM User Guide

11-2

OL-10106-01

Chapter 11

Configuring Device Access AAA Access

When you enable command authorization, you have the option of manually assigning privilege levels to individual commands or groups of commands (using the Advanced button) or enabling the Predefined User Account Privileges (using the Restore Predefined User Account Privileges button): Predefined User Admin Read Only Monitor Only Privilege Level 15 5 3 Description Full access to all CLI commands Read only access to all commands Monitoring tab only

The Predefined User Account Privileges Setup pane displays a list of commands and privileges ASDM issues to the security appliance if you click Yes. Yes allows ASDM to support the three privilege levels: Admin, Read Only and Monitor Only. The Command Privileges Setup pane displays a list of commands and privileges ASDM is going to issue to the security appliance. You can select one or more commands in the lists and use the Edit button to change the privilege level for the selected commands.
Fields

EnableEnables or disables authorization for security appliance command access. Selecting this check box activates the remaining parameters on this pane. Server GroupSelects the server group to use for authorizing users for command access. Use LOCAL when server group failsAllows the use of the LOCAL database for authorizing users to use privileged mode commands if the selected server group fails. AdvancedOpens the Command Privileges Setup pane, on which you can manually assign privilege levels to individual commands or a group of commands. Restore Predefined User Account PrivilegesOpens the Predefined User Account Command Privilege Setup pane, which sets up predefined user profiles and sets the privilege levels for the selected, listed commands.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Command Privileges Setup


Configuration > Device Access > AAA Access > Authorization > Command Privileges Setup Use this pane to assign privilege levels to individual commands or groups of commands. Clicking a column heading sorts the entire table in alphanumeric order, using the selected column as the key field.

Command ModeSelects a specific command mode or All Modes. This selection determines what appears in the Command Modes table immediately below this list.

ASDM User Guide OL-10106-01

11-3

Chapter 11 AAA Access

Configuring Device Access

CLI CommandSpecifies the name of a CLI command. ModeIndicates a mode that applies to this command. Certain commands have more than one mode. VariantIndicates the form (for example, show or clear) of the specified command to which the privilege level applies. PrivilegeShows the privilege level currently assigned to this command. EditDisplays the Select Command(s) Privilege dialog box. This dialog box lets you select from a list the privilege level for one or more commands selected on the parent window. The Command Modes table reflects the change as soon as you click OK. Select AllSelects the entire contents of the Command Modes table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Predefined User Account Command Privilege Setup


Configuration > Device Access > AAA Access > Authorization > Predefined User Account Command Privilege Setup This pane asks whether you want the security appliance to set up user profiles named Admin, Read Only, and Monitor Only. You get to this pane by clicking Restore Predefined user Account Privileges on the Authorization tab of the Authentication/Authorization/Accounting pane.
Fields

Command ListLists the CLI commands, their modes, variants, and privileges, affected by the predefined user account privilege setup.
CLI CommandSpecifies the name of a CLI command. ModeIndicates a mode that applies to this command. Certain commands have more than one

mode.
VariantIndicates the form (for example, show or clear) of the specified command to which the

privilege level applies.


PrivilegeShows the privilege level currently assigned to this command.

YesDirects the security appliance to set up the listed commands with the respective privilege levels. This setup lets you create users through the User Accounts pane with the roles Admin, privilege level 15; Read Only, with privilege level 5; and Monitor Only with privilege level 3. NoLets you manage the privilege levels of commands and users manually.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

11-4

OL-10106-01

Chapter 11

Configuring Device Access AAA Access

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Accounting Tab
Configuration > Device Access > AAA Access > Accounting Tab Accounting lets you keep track of traffic that passes through the security appliance. If you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting information includes when sessions start and stop, the AAA client messages and username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Note

You can configure accounting only for a TACACS+ server group. If no such group has yet been configured, go to Configuration > Properties > AAA Setup > AAA Server Groups.
Fields

Require accounting to allow accounting of user activitySpecifies parameters related to accounting of user activity.
EnableEnables or disables the requirement to allow accounting of user activity. Server GroupSpecifies the selected server group, if any, to use for user accounting. If no

TACACS+ server group exists, the default value of this list is --None--.

Note

The definition of the Server Group list parameter is the same for all group boxes on this pane. Require accounting for the following types of connectionsSpecifies the connection types for which you want to require accounting and the respective server groups for each.
HTTP/ASDMRequires accounting for HTTP/ASDM connections. SerialRequires accounting for serial connections. SSHRequires accounting for secure shell (SSH) connections. TelnetRequires accounting for Telnet connections.

Require command accounting for Security ApplianceYou can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. If you customize the command privilege level using the Configuration > Device Access > AAA Access > Authorization > Command Privilge Setup dialog box, you can limit which commands the security appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
EnableEnables accounting for commands. Privilege levelSets the minimum privilege level for which to perform command accounting.

ASDM User Guide OL-10106-01

11-5

Chapter 11 HTTPS/ASDM

Configuring Device Access

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

HTTPS/ASDM
Configure > Device Access > HTTPS/ASDM The HTTPS/ASDM pane provides a table that specifies the addresses of all the hosts or networks that are allowed access to the ASDM using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.
Fields

InterfaceLists the interface on the security appliance from which the administrative access to the device manager is allowed. IP AddressLists the IP address of the network or host that is allowed access. MaskLists the network mask associated with the network or host that is allowed access. AddDisplays the Add HTTP Configuration dialog box for adding a new host or network. EditDisplays the Edit HTTP Configuration dialog box for editing the selected host or network. DeleteDeletes the selected host or network.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit HTTP Configuration


Configure > Device Access > HTTPS/ASDM > Add/Edit HTTP Configuration The Add/Edit HTTP Configuration dialog box lets you add a host or network that will be allowed administrative access to the security appliance device manager over HTTPS.
Fields

Interface NameSpecifies the interface on the security appliance from which the administrative access to the security appliance device manager is allowed. IP AddressSpecifies the IP address of the network or host that is allowed access.

ASDM User Guide

11-6

OL-10106-01

Chapter 11

Configuring Device Access Secure Shell

MaskSpecifies the network mask associated with the network or host that is allowed access.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Secure Shell
Configuration > Device Access > HTTPS/ASDM > Secure Shell The Secure Shell pane lets you configure rules that permit only specific hosts or networks to connect to the security appliance for administrative access using the SSH protocol. The rules restrict SSH access to a specific IP address and netmask. SSH connection attempts that comply with the rules must then be authenticated by a AAA server or the Telnet password. You can monitor SSH sessions using Monitoring > Administration > Secure Shell Sessions.
Fields

The Secure Shell pane displays the following fields:


Allowed SSH VersionsRestricts the version of SSH accepted by the security appliance. By default, SSH Version 1 and SSH Version 2 connections are accepted. Timeout (minutes)Displays the number of minutes, 1 to 60, the Secure Shell session can remain idle before the security appliance closes it. The default is 5 minutes. SSH Access RuleDisplays the hosts and networks that are allowed to access the security appliance using SSH. Double-clicking a row in this table opens the Edit SSH Configuration dialog box for the selected entry.
InterfaceDisplays the name of a security appliance interface that will permit SSH

connections.
IP AddressDisplays the IP address of each host or network permitted to connect to this

security appliance through the specified interface.


MaskDisplays the netmask for the IP address of each host or network permitted to connect to

this security appliance through the specified interface.


AddOpens the Add SSH Configuration dialog box. EditOpens the Edit SSH Configuration dialog box. DeleteDeletes the selected SSH access rule.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

11-7

Chapter 11 Telnet

Configuring Device Access

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit SSH Configuration


Configuration > Device Access > HTTPS/ASDM > Secure Shell > Add/Edit SSH Configuration The Add SSH Configuration dialog box lets you add a new SSH access rule to the rule table. The Edit SSH Configuration dialog box lets you change an existing rule.
Fields

InterfaceSpecifies the name of the security appliance interface that permits SSH connections. IP AddressSpecifies the IP address of the host or network that is permitted to establish an SSH connection with the security appliance. MaskThe netmask of the host or network that is permitted to establish an SSH connection with the security appliance.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Telnet
Configuration > Device Access > Telnet The Telnet pane lets you configure rules that permit only specific hosts or networks running ASDM to connect to the security appliance using the Telnet protocol. The rules restrict administrative Telnet access through a security appliance interface to a specific IP address and netmask. Connection attempts that comply with the rules must then be authenticated by a preconfigured AAA server or the Telnet password. You can monitor Telnet sessions using Monitoring > Telnet Sessions.

Note

Although a configuration file may contain more, there may be only five Telnet sessions active at the same time in single context mode. In multiple context mode, there may be only five Telnet sessions active per context.

ASDM User Guide

11-8

OL-10106-01

Chapter 11

Configuring Device Access Telnet

Fields

The Telnet pane displays the following fields: Telnet Rule Table:

InterfaceDisplays the name of a security appliance interface which will permit Telnet connections, an interface on which is located a PC or workstation running ASDM. IP AddressDisplays the IP address of each host or network permitted to connect to this security appliance through the specified interface.

Note

This is not the IP address of the security appliance interface. NetmaskDisplays the netmask for the IP address of each host or network permitted to connect to this security appliance through the specified interface.

Note

This is not the IP address of the security appliance interface. TimeoutDisplays the number of minutes, 1 to 60, the Telnet session can remain idle before the security appliance closes it. The default is 5 minutes. AddOpens the Add Telnet Configuration dialog box. EditOpens the Edit Telnet Configuration dialog box. DeleteDeletes the selected item. ApplySends changes made in ASDM to the security appliance and applies them to the running configuration. Click Save to write a copy of the running configuration to Flash memory. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby unit. ResetDiscards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After Reset, use Refresh to make sure that information from the current running configuration is displayed.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Telnet Configuration


Configuration > Device Access > Telnet > Add/Edit Telnet Configuration
Adding Telnet Rules

To add a rule to the Telnet rule table, perform the following steps:
1.

Click the Add button to open the Telnet > Add dialog box.

ASDM User Guide OL-10106-01

11-9

Chapter 11 Telnet

Configuring Device Access

2. 3.

Click Interface to add a security appliance interface to the rule table. In the IP Address box, enter the IP address of the host running ASDM which will be permitted Telnet access through this security appliance interface.

Note 4.

This is not the IP address of the security appliance interface. In the Mask list, select or enter a netmask for the IP address to be permitted Telnet access.

Note 5.

This is not a mask for the IP address of the security appliance interface. To return to the previous pane click: OKAccepts changes and returns to the previous pane. CancelDiscards changes and returns to the previous pane. HelpProvides more information.

Editing Telnet Rules

To edit a rule in the Telnet rule table, perform the following steps:
1. 2. 3.

Click Edit to open the Telnet > Edit dialog box. Click Interface to select a security appliance interface from the rule table. In the IP Address field, enter the IP address of the host running ASDM which will be permitted Telnet access through this security appliance interface.

Note 4.

This is not the IP address of the security appliance interface. In the Mask list, select or enter a netmask for the IP address to be permitted Telnet access.

Note 5.

This is not a mask for the IP address of the security appliance interface. To return to the previous Window, click one of the following buttons: OKAccepts changes and returns to the previous pane. CancelDiscards changes and returns to the previous pane. HelpProvides more information.

Deleting Telnet Rules

To delete a rule from the Telnet table, perform the following steps:
1. 2.

Select a rule from the Telnet rule table. Click Delete.

ASDM User Guide

11-10

OL-10106-01

Chapter 11

Configuring Device Access Telnet

Applying Changes

Changes to the table made by Add, Edit, or Delete are not immediately applied to the running configuration. To apply or discard changes, click one of the following buttons:
1.

ApplySends changes made in ASDM to the security appliance and applies them to the running configuration. Click Save to write a copy of the running configuration to Flash memory. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby unit. ResetDiscards changes and reverts to the information displayed before changes were made or the last time you clicked Refresh or Apply. After Reset, use Refresh to make sure that information from the current running configuration is displayed.

2.

Fields

Interface NameSelect the interface to allow Telnet access to the security appliance. IP AddressEnter the IP address of the host or network permitted to Telnet to the security appliance. MaskEnter the subnet mask of the host or network permitted to Telnet to the security appliance. OKAccepts changes and returns to the previous pane. CancelDiscards changes and returns to the previous pane. HelpProvides more information.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

11-11

Chapter 11 Telnet

Configuring Device Access

ASDM User Guide

11-12

OL-10106-01

C H A P T E R

12

Failover
This section contains the following topics:

Understanding Failover Configuring Failover with the High Availability and Scalability Wizard Field Information for the Failover Panes

Understanding Failover
The Failover pane contains the settings for configuring failover on the security appliance. However, the Failover pane changes depending upon whether you are in multiple mode or single mode, and when you are in multiple mode, it changes based on the security context you are in. Failover allows you to configure two security appliances so that one will take over operation if the other fails. Using a pair of security appliances, you can provide high availability with no operator intervention. The security appliance communicates failover information over a dedicated failover link. This failover link can be either a LAN-based connection or, on the PIX security appliance platform, a dedicated serial failover cable. The following information is communicated over the failover link:

The failover state (active or standby). Hello messages (keep-alives). Network link status. MAC address exchange. Configuration replication.

Caution

All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using the security appliance to terminate VPN tunnels. The security appliance supports two types of failover, Active/Standby and Active/Active. Additionally, failover can be stateful or stateless. For more information about the types of failover, see the following topics:

Active/Standby Failover

ASDM User Guide OL-10106-01

12-1

Chapter 12 Understanding Failover

Failover

Active/Active Failover Stateless (Regular) Failover Stateful Failover

Active/Standby Failover
In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance. When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network. Active/Standby failover is available to security appliances in single mode or multiple mode.

Active/Active Failover
In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode. To enable Active/Active failover on the security appliance, you need to create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is simply a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. As in Active/Standby failover, each unit in an Active/Active failover pair is given a primary or secondary designation. Unlike Active/Standby failover, this designation does not indicate which unit is active when both units start simultaneously. Each failover group in the configuration is given a primary or secondary role preference. This preference determines on which unit in the failover pair the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices. Initial configuration synchronization occurs when one or both units start. This synchronization occurs as follows:

When both units start simultaneously, the configuration is synchronized from the primary unit to the secondary unit. When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit. Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.

After both units are running, commands are replicated from one unit to the other as follows:

Note

A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.

ASDM User Guide

12-2

OL-10106-01

Chapter 12

Failover Understanding Failover

Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state. Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.

Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs. In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, failover group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit.

Note

When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.

Stateless (Regular) Failover


Stateless failover is also referred to as regular failover. In stateless failover, all active connections are dropped when a failover occurs. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover
Note

Stateful Failover is not supported on the ASA 5505 series adaptive security appliance. When Stateful Failover is enabled, the active unit in the failover pair continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

Note

The IP address and MAC address for the state and LAN failover links do not change at failover. To use Stateful Failover, you must configure a state link to pass all state information to the standby unit. If you are using a LAN failover connection rather than the serial failover interface (available on the PIX security appliance platform only), you can use the same interface for the state link as the failover link. However, we recommend that you use a dedicated interface for passing state information the standby unit. The following information is passed to the standby unit when Stateful Failover is enabled:

NAT translation table. TCP connection table (except for HTTP), including the timeout connection. HTTP connection states (if HTTP replication is enabled). H.323, SIP, and MGCP UDP media connections. The system clock.

ASDM User Guide OL-10106-01

12-3

Chapter 12 Configuring Failover with the High Availability and Scalability Wizard

Failover

The ISAKMP and IPSec SA table.

The following information is not copied to the standby unit when Stateful Failover is enabled:

HTTP connection table (unless HTTP replication is enabled). The user authentication (uauth) table. The ARP table. Routing tables.

Configuring Failover with the High Availability and Scalability Wizard


The High Availability and Scalability Wizard steps you through the process of creating an Active/Active failover configuration, and Active/Standby failover configuration, or a VPN Cluster Load Balancing configuration. See the following topics for information about using the High Availability and Scalability Wizard:

Accessing and Using the High Availability and Scalability Wizard Configuring Active/Active Failover with the High Availability and Scalability Wizard Configuring Active/Standby Failover with the High Availability and Scalability Wizard Configuring VPN Load Balancing with the High Availability and Scalability Wizard Field Information for the High Availability and Scalability Wizard

Accessing and Using the High Availability and Scalability Wizard


To open the High Availability and Scalability Wizard, choose Wizards > High Availability and Scalability Wizard from the ASDM menu bar. The first screen of the wizard appears. To move to the next screen of the wizard, click the Next button. You must complete the mandatory field of each screen before you can move to the next screen. To move to a previous screen of the wizard, click the Back button. If information filled in on later screens of the wizard is not affected by the change you make to an earlier screen, that information remains on the screen as you move forward through the wizard again. You do not need to reenter it. To leave the wizard at any time without saving any changes, click Cancel. To send your configuration to the security appliance at the end of the wizard, click Finish.

Configuring Active/Active Failover with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring Active/Active failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1

Choose Configure Active/Active failover on the Choose the type of failover configuration screen.

ASDM User Guide

12-4

OL-10106-01

Chapter 12

Failover Configuring Failover with the High Availability and Scalability Wizard

See Choose the Type of Failover Configuration for more information about this screen.
Step 2

Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed. See Check Failover Peer Connectivity and Compatibility for more information about this screen. If the security appliance or the failover peer are in single context mode, change them to multiple context mode on the Change Device to Multiple Mode screen. When you change the security appliance to multiple context mode, it will reboot. ASDM automatically reestablishes communication with the security appliance when it has finished rebooting. See Change Device to Multiple Mode for more information about this screen.

Step 3

Step 4

(PIX 500 series security appliance only) Select cable-based or LAN-based failover on the Select Failover Communication Media screen. See Select Failover Communication Media for more information about this screen. Assign security contexts to failover groups on the Context Configuration screen. You can add and delete contexts on this screen. See Security Context Configuration for more information about this screen.

Step 5

Step 6

Define the Failover Link on the Failover Link Configuration screen. See Failover Link Configuration for more information about this screen. (Not available on the ASA 5505 security appliance) Define the Stateful Failover link on the State Link Configuration screen. See State Link Configuration for more information about this screen. Add standby addresses to the security appliance interfaces on the Standby Address Configuration screen. See Standby Address Configuration for more information about this screen.

Step 7

Step 8

Step 9

Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes. See Summary for more information about this screen. Click Finish. The failover configuration is sent to the security appliance and to the failover peer.

Step 10

Configuring Active/Standby Failover with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring Active/Standby failover using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1

Choose Configure Active/Standby failover on the Choose the type of failover configuration screen. Click next. See Choose the Type of Failover Configuration for more information about this screen.

ASDM User Guide OL-10106-01

12-5

Chapter 12 Configuring Failover with the High Availability and Scalability Wizard

Failover

Step 2

Enter the IP address of the failover peer on the Check Failover Peer Connectivity and Compatibility screen. Click Test Compatibility. You will not be able to move to the next screen until all compatibility tests are passed. See Check Failover Peer Connectivity and Compatibility for more information about this screen.

Step 3

(PIX 500 series security appliance only) Select cable-based or LAN-based failover on the Select Failover Communication Media screen. See Select Failover Communication Media for more information about this screen. Define the Failover Link on the Failover Link Configuration screen. See Failover Link Configuration for more information about this screen. (Not available on the ASA 5505 security appliance) Define the Stateful Failover link on the State Link Configuration screen. See State Link Configuration for more information about this screen.

Step 4

Step 5

Step 6

Add standby addresses to the security appliance interfaces on the Standby Address Configuration screen. See Standby Address Configuration for more information about this screen. Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes. See Summary for more information about this screen.

Step 7

Step 8

Click Finish. The failover configuration is sent to the security appliance and to the failover peer.

Configuring VPN Load Balancing with the High Availability and Scalability Wizard
The following procedure provides a high-level overview for configuring VPN cluster load balancing using the High Availability and Scalability Wizard. Each step in the procedure corresponds with a wizard screen. Click Next after completing each step, except for the last step, before moving to the next step. Each step also contains a reference to additional information that you may need to complete the step.
Step 1

Choose Configure VPN Cluster Load Balancing failover on the Choose the type of failover configuration screen. See Choose the Type of Failover Configuration for more information about this screen.

Step 2

Configure the VPN load balancing settings on the VPN Cluster Load Balancing Configuration screen. See VPN Cluster Load Balancing Configuration for more information about this screen. Review your configuration on the Summary screen. If necessary, use the Back button to go to a previous screen and make changes. See Summary for more information about this screen. Click Finish. The failover configuration is sent to the security appliance and to the failover peer.

Step 3

Step 4

ASDM User Guide

12-6

OL-10106-01

Chapter 12

Failover Configuring Failover with the High Availability and Scalability Wizard

Field Information for the High Availability and Scalability Wizard


The following dialogs are available in the High Availability and Scalability Wizard. You will not see every dialog box when you run through the wizard; each dialog box appears depending on the type of failover you are configuring and the hardware platform you are configuring it on.

Choose the Type of Failover Configuration Check Failover Peer Connectivity and Compatibility Change Device to Multiple Mode Security Context Configuration Failover Link Configuration State Link Configuration Standby Address Configuration VPN Cluster Load Balancing Configuration Summary

Choose the Type of Failover Configuration


The Choose the Type of Failover Configuration screen lets you select the type of failover to configure.
Fields

The Choose the Type of Failover Configuration displays the following informational fields. These are useful for determining the failover capabilities of the security appliance.

Hardware Model(Display only) Displays the security appliance model number. No. of Interfaces(Display only) Displays the number of interfaces available on the security appliance. No. of Modules(Display only) Displays the number of modules installed on the security appliance. Software Version(Display only) Displays the version of the platform software on the security appliance. Failover License(Display only) Displays the type of failover license installed on the device. You may need to purchase an upgraded license to configure failover. Firewall Mode(Display only) Displays the firewall mode (routed or transparent) and the context mode (single or multiple). Configure Active/Active FailoverConfigures the security appliance for Active/Active failover. Configure Active/Standby FailoverConfigures the security appliance for Active/Standby failover. Configure VPN Cluster Load BalancingConfigures the security appliance to participate in VPN load balancing as part of a cluster.

Choose the type of failover configuration you are configuring:


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

12-7

Chapter 12 Configuring Failover with the High Availability and Scalability Wizard

Failover

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Check Failover Peer Connectivity and Compatibility


The Check Failover Peer Connectivity and Compatibility screen lets you verify that the selected failover peer is reachable and compatible with the current unit. If any of the connectivity and compatibility tests fail, you must correct the problem before you can proceed with the wizard.
Fields

Peer IP AddressEnter the IP address of the peer unit. This address does not have to be the failover link address, but it must be an interface that has ASDM access enabled on it. Test CompatibilityClick this button to perform the following connectivity and compatibility tests:
Connectivity test from this ASDM to the peer unit Connectivity test from this firewall device to the peer firewall device Hardware compatibility test Software version compatibility Failover license compatibility Firewall mode compatibility

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Change Device to Multiple Mode


The Change Device to Multiple Mode dialog box appears for Active/Active failover configuration only. Active/Active failover requires the security appliance to be in multiple context mode. This dialog box lets you convert a security appliance in single context mode to multiple context mode. When you convert from single context mode to multiple context mode, the security appliance creates the system configuration and the admin context from the current running configuration.The admin context configuration is stored in the admin.cfg file. The conversion process does not save the previous startup configuration, so if the startup configuration differed from the running configuration, those differences are lost. Converting the security appliance from single context mode to multiple context mode causes the security appliance to reboot. However the High Availability and Scalability Wizard restores connectivity with the newly created admin context and reports the status in the Devices Status field in this dialog box.

ASDM User Guide

12-8

OL-10106-01

Chapter 12

Failover Configuring Failover with the High Availability and Scalability Wizard

You need to convert both the current security appliance and the peer security appliance to multiple context mode before you can proceed.
Fields

Change device To Multiple ContextCauses the security appliance to change to multiple context mode. device is the hostname of the security appliance. Change device (peer) To Multiple ContextCauses the peer unit to change to multiple context mode. device is the hostname of the security appliance. Device Status(Display only) Displays the status of the security appliance while converting to multiple context mode.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Select Failover Communication Media


The Select Failover Communication Media appears only on PIX 500 series security appliances. This screen lets you select between using a failover cable or LAN-based connection for the failover link.
Fields

Use Failover CableChoose this option to use a dedicated failover cable for failover communication. Use LAN-based connectionChoose this option to use a network connection for failover communication.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Security Context Configuration


The Security Context Configuration screen appears for Active/Active configuration only. The Security Context Configuration screen lets you assign security contexts to failover groups. It displays the security contexts currently configured on the device and lets you add new ones or remove existing ones as needed.

ASDM User Guide OL-10106-01

12-9

Chapter 12 Configuring Failover with the High Availability and Scalability Wizard

Failover

Although you can create security contexts on this screen, you cannot assign interfaces to those contexts or configure any other properties for them. To configure context properties and assign interfaces to a context, you need to use the System > Security Contexts pane.
Fields

NameDisplays the name of the security context. To change the name, click the name and type a new name. Failover GroupDisplays the failover group the context is assigned to. To change the failover group for a security context, click the failover group and select the new failover group number from the drop-down list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Failover Link Configuration


The Failover Link Configuration screen only appears if you are configuring LAN-based failover; it does not appear if you are configuring a PIX 500 series security appliance for cable-based failover.
Fields

LAN InterfaceChoose the interface to use for failover communication from the drop-down list. Logical NameType a name for the interface. Active IPType the IP address used for the failover link on the unit that has failover group 1 in the active state. Standby IPType the IP address used for the failover link on the unit that has failover group 1 in the standby state. Subnet MaskType or select a subnet mask for the Active IP and Standby IP addresses. Secret Key(Optional) Enter the key used to encrypt failover communication. If this field is left blank, failover communication, including any passwords or keys in the configuration sent during command replication, is in clear text.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

12-10

OL-10106-01

Chapter 12

Failover Configuring Failover with the High Availability and Scalability Wizard

State Link Configuration


The State Link Configuration screen does not appear in the wizard for ASDM running on the ASA 5505 platform. The State Link Configuration lets you enable Stateful Failover and configure the Stateful Failover link properties.
Fields

Use the LAN link as the State LinkChoose this option to pass state information across the LAN-based failover link. This option is not available on PIX 500 series security appliances configured for cable-based failover. Disable Stateful FailoverChoose this option to disable Stateful Failover. Configure another interface for Stateful failoverChoose this option to configure an unused interface as the Stateful Failover interface.
State InterfaceChoose the interface you want to use for Stateful Failover communication from

the drop-down list.


Logical NameType the name for the Stateful Failover interface. Active IPType the IP address for the Stateful Failover link on the unit that has failover group

1 in the active state.


Standby IPType the IP address for the Stateful Failover link on the unit that has failover group

1 in the standby state.


Subnet MaskType or select a subnet mask for the Active IP and Standby IP addresses.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Standby Address Configuration


Use the Standby Address Configuration screen to assign standby addresses to the interface on the security appliance.
Fields

Device/Interface(Active/Standby failover) Displays the interfaces configured on the failover units. Click the plus sign (+) by a device name to displays the interfaces on that device. Click the minus sign (-) by a device name to hides the interfaces on that device. Device/Group/Context/Interface(Active/Active failover) Displays the interfaces configured on the failover unit. The interfaces are grouped by context and the contexts are grouped by failover group. Click the plus sign (+) by a device, failover group, or context name to expand the list. Click the minus sign (-) by a device, failover group, or context name to collapse the list.

ASDM User Guide OL-10106-01

12-11

Chapter 12 Configuring Failover with the High Availability and Scalability Wizard

Failover

Active IPDouble-click this field to edit or add an active IP address. Changes to this field also appear in the Standby IP field for the corresponding interface on the peer unit. Standby IPDouble-click this field to edit or add a standby IP address. Changes to this field also appear in the Active IP field for the corresponding interface on the peer unit. Is MonitoredCheck this check box to enable health monitoring for that interface. Uncheck the check box to disable the health monitoring. By default, health monitoring of physical interfaces is enabled and health monitoring of virtual interfaces is disabled. ASR GroupSelect the asynchronous group ID from the drop-down list. This setting is only available for physical interface. For virtual interfaces this field displays None.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

VPN Cluster Load Balancing Configuration


If you have a remote-client configuration in which you are using two or more security appliances connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance anodize availability. Use the VPN Cluster Load Balancing Configuration screen to set parameters necessary for this device to participate in a load balancing cluster.

Note

VPN load balancing runs only on security appliance models ASA 5520 and higher. VPN load balancing requires an active 3DES/AES license. The security appliance checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the security appliance prevents the enabling of load balancing and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage. Enabling load balancing involves:

Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP port (if necessary), and IPSec shared secret for the cluster. These values are identical for every device in the cluster. Configuring the participating device by enabling load balancing on the device and defining device-specific properties. These values vary from device to device.

ASDM User Guide

12-12

OL-10106-01

Chapter 12

Failover Configuring Failover with the High Availability and Scalability Wizard

Note

Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but the cannot participate in load balancing. To implement load balancing, you group together logically two or more devices on the same private LAN-to-LAN network into a virtual cluster.
Fields

VPN Load BalancingConfigures virtual cluster device parameters.


Cluster IP AddressSpecifies the single IP address that represents the entire virtual cluster.

Choose an IP address that is within the public subnet address range shared by all the security appliances in the virtual cluster.
Cluster UDP PortSpecifies the UDP port for the virtual cluster in which this device is

participating. The default value is 9023. If another application is using this port, enter the UDP destination port number you want to use for load balancing.
Enable IPSec EncryptionEnables or disables IPSec encryption. If you select this check box,

you must also specify and verify a shared secret.The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information communicated between the devices is encrypted, select this check box.

Note

When using encryption, you must have previously configured the load-balancing inside interface. If that interface is not enabled on the load-balancing inside interface, you get an error message when you try to configure cluster encryption. If the load-balancing inside interface is enabled when you configured cluster encryption, but is disabled before you configure the participation of the device in the virtual cluster, you get an error message when you select the Participate in Load Balancing Cluster check box, and encryption is not enabled for the cluster.
Shared Secret KeySpecifies the shared secret to between IPSec peers when you enable IPSec

encryption. The value you enter in the box appears as consecutive asterisk characters.
Priority Of This DeviceSpecifies the priority assigned to this device within the cluster. The

range is from 1 to 10. The priority indicates the likelihood of this device becoming the virtual cluster master, either at start-up or when an existing master fails. The higher you set the priority (for example, 10), the more likely this device becomes the virtual cluster master.
Public Interface Of This DeviceSpecifies the name or IP address of the public interface for

this device.
Private Interface Of This DeviceSpecifies the name or IP address of the private interface for

this device.

ASDM User Guide OL-10106-01

12-13

Chapter 12 Field Information for the Failover Panes

Failover

Note

If the devices in the virtual cluster are powered up at different times, the first device to be powered up assumes the role of virtual cluster master. Because every virtual cluster requires a master, each device in the virtual cluster checks when it is powered-up to ensure that the cluster has a virtual master. If none exists, that device takes on the role. Devices powered up and added to the cluster later become secondary devices. If all the devices in the virtual cluster are powered up simultaneously, the device with the highest priority setting becomes the virtual cluster master. If two or more devices in the virtual cluster are powered up simultaneously, and both have the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Summary
The Summary screen displays the results of the configuration steps you performed in the previous wizard panels.
Fields

The configuration appears in the center of the screen. Verify your settings and click Finish to send your configuration to the device. If you are configuring failover, the configuration is also sent to the failover peer. If you need to change a setting, click Back until you reach the screen where you need to make the change. Make the change and click Next until you return to the Summary screen.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Field Information for the Failover Panes


What displays on the failover pane depends upon the mode you are in (single or multiple context mode) and whether you are in the system execution space or in a security context. This section contains the following topics:

Failover - Single Mode Failover-Multiple Mode, Security Context

ASDM User Guide

12-14

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Failover-Multiple Mode, System

Failover - Single Mode


Configuration > Properties > Failover The Failover pane contains the tabs where you can configure Active/Standby failover in single context mode. For more information about failover, see Understanding Failover. For more information about configuring the settings on each tab of the Failover pane, see the following information. Note that the Interfaces tabs changes based on whether you are in routed firewall mode or transparent firewall mode.

Failover: Setup Failover: Interfaces (Routed Firewall Mode) Failover: Interfaces (Transparent Firewall Mode) Failover: Criteria Failover: MAC Addresses

Failover: Setup
Configuration > Properties > Failover > Setup Use this tab to enable failover on the security appliance. You also designate the failover link and the state link, if using Stateful Failover, on this tab. For more information about configuring failover in general, see Understanding Failover.
Fields

Enable FailoverChecking this check box enables failover and lets you configure a standby security appliance.

Note

The speed and duplex settings for the failover interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces pane before enabling failover. ASDM displays a dialog box asking if you want to configure the peer unit when you enable failover. This dialog box also appears when the Preferred Role setting or, on the PIX security appliance platform, the Enable LAN rather than serial cable failover setting changes.
Peer IP AddressEnter an IP address on the peer unit that ASDM can connect to. This field

appears on the Do you want to configure the failover peer firewall dialog box.

Use 32 hexadecimal character keyCheck this check box to enter a hexadecimal value for the encryption key in the Shared Key box. Uncheck this check box to enter an alphanumeric shared secret in the Shared Key box. Shared KeySpecifies the failover shared secret or key for encrypted and authenticated communications between failover pairs. If you checked the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

ASDM User Guide OL-10106-01

12-15

Chapter 12 Field Information for the Failover Panes

Failover

If you unchecked the Use 32 hexadecimal character key check box, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid character are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.

Enable LAN rather than serial cable failover(PIX security appliance platform only) Check this check box to enable LAN Failover. Uncheck this check box to use the dedicated serial cable as the failover link. LAN FailoverContains the fields for configuring LAN Failover.
InterfaceSpecifies the interface used for failover communication. Failover requires a

dedicated interface, however you can share the interface with Stateful Failover. Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane.
Active IPSpecifies the IP address for the failover interface on the active unit. Subnet MaskSpecifies the mask for the failover interface on the primary and secondary unit. Logical NameSpecifies the logical name of the interface used for failover communication. Standby IPSpecifies the IP address used by the secondary unit to communicate with the

primary unit
Preferred RoleSpecifies whether the preferred role for this security appliance is as the

primary or secondary unit in a LAN failover.

State FailoverContains the fields for configuring Stateful Failover.

Note

Stateful Failover is not available on the ASA 5505 platform. This area does not appear on ASDM running on an ASA 5505 security appliance.
InterfaceSpecifies the interface used for state communication. You can choose an

unconfigured interface or subinterface, the LAN Failover interface, or the Use Named option.

Note

We recommend that you use two separate, dedicated interfaces for the LAN Failover interface and the Stateful Failover interface. If you choose an unconfigured interface or subinterface, you must supply the Active IP, Subnet Mask, Standby IP, and Logical Name for the interface. If you choose the LAN Failover interface, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used. If you choose the Use Named option, the Logical Name field becomes a drop-down list of named interfaces. Choose the interface from this list. The Active IP, Subnet Mask, and Standby IP values do not need to be specified. The values specified for the interface are used. Be sure to specify a standby IP address for the selected interface on the Interfaces tab.

Note

Because Stateful Failover can generate a large amount of traffic, performance for both Stateful Failover and regular traffic can suffer when you use a named interface.

ASDM User Guide

12-16

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Active IPSpecifies the IP address for the Stateful Failover interface on the primary unit. This

field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.
Subnet MaskSpecifies the mask for the Stateful Failover interfaces on the primary and

secondary units. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.
Logical NameSpecifies the logical interface used for failover communication. If you selected

the Use Named option in the Interface drop-down list, this field displays a list of named interfaces. This field is dimmed if the LAN Failover interface is selected in the Interface drop-down list.
Standby IPSpecifies the IP address used by the secondary unit to communicate with the

primary unit. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.
Enable HTTP replicationSelecting this check box enables Stateful Failover to copy active

HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Failover: Interfaces (Routed Firewall Mode)


Configuration > Properties > Failover > Interfaces Use this tab to define the standby IP address for each interface on the security appliance and to specify whether the status of the interface should be monitored. For more information about configuring failover in general, see Understanding Failover.
Fields

InterfaceLists the interfaces on the security appliance and identifies their active IP address, standby IP address, and monitoring status.
Interface Name columnIdentifies the interface name. Active IP columnIdentifies the active IP address for this interface. Standby IP columnIdentifies the IP address of the corresponding interface on the standby

failover unit.
Is Monitored columnSpecifies whether this interface is monitored for failure.

ASDM User Guide OL-10106-01

12-17

Chapter 12 Field Information for the Failover Panes

Failover

EditDisplays the Edit Failover Interface Configuration (Routed Firewall Mode) dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration (Routed Firewall Mode)


Configuration > Properties > Failover > Interfaces > Edit Failover Interface Configuration Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Fields

Interface NameIdentifies the interface name. Active IP AddressIdentifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface. Subnet MaskIdentifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface. Standby IP AddressSpecifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface. Monitor interface for failureSpecifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Monitored failover interfaces can have the following status:
UnknownInitial status. This status can also mean the status cannot be determined. NormalThe interface is receiving traffic. TestingHello messages are not heard on the interface for five poll times. Link DownThe interface is administratively down. No LinkThe physical link for the interface is down. FailedNo traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

12-18

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Failover: Interfaces (Transparent Firewall Mode)


Configuration > Properties > Failover > Interfaces Use this tab to define the standby management IP address and to specify whether the status of the interfaces on the security appliance should be monitored.
Fields

InterfaceLists the interfaces on the security appliance and identifies their monitoring status.
Interface Name columnIdentifies the interface name. Is Monitored columnSpecifies whether this interface is monitored for failure.

EditDisplays the Edit Failover Interface Configuration (Transparent Firewall Mode) dialog box for the selected interface. Management IP AddressIdentifies the active and standby management IP addresses for the security appliance or for a context in transparent firewall mode.
ActiveIdentifies the active management IP address. StandbySpecifies the management IP address on the standby failover unit.

Management NetmaskIdentifies the mask associated with the active and standby management IP addresses.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration (Transparent Firewall Mode)


Configuration > Properties > Failover > Interfaces > Edit Failover Interface Configuration

ASDM User Guide OL-10106-01

12-19

Chapter 12 Field Information for the Failover Panes

Failover

Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.
Fields

Interface NameIdentifies the interface name. Monitor interface for failureSpecifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. Monitored failover interfaces can have the following status:
UnknownInitial status. This status can also mean the status cannot be determined. NormalThe interface is receiving traffic. TestingHello messages are not heard on the interface for five poll times. Link DownThe interface is administratively down. No LinkThe physical link for the interface is down. FailedNo traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

For More Information

For more information about failover in general, see Understanding Failover.

Failover: Criteria
Configuration > Properties > Failover > Criteria Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.
Fields

Interface PolicyContains the fields for defining the policy for failover when monitoring detects an interface failure.
Number of failed interfaces that triggers failoverWhen the number of failed monitored

interfaces exceeds the value you set with this command, then the security appliance fails over. The range is between 1 and 250 failures.
Percentage of failed interfaces that triggers failoverWhen the number of failed monitored

interfaces exceeds the percentage you set with this command, then the security appliance fails over.

ASDM User Guide

12-20

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Failover Poll TimesContains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
Unit FailoverThe amount of time between hello messages among units. The range is between

1 and 15 seconds or between 200 and 999 milliseconds.


Unit Hold TimeSets the time during which a unit must receive a hello message on the failover

link, or else the unit begins the testing process for peer failure. The range is between 1and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the polltime.
Monitored InterfacesThe amount of time between polls among interfaces. The range is

between 1and 15 seconds or 500 to 999 milliseconds.


Interface Hold TimeSets the time during which a data interface must receive a hello message

on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Failover: MAC Addresses


Configuration > Properties > Failover > MAC Addresses The MAC Addresses tab lets you configure the virtual MAC addresses for the interfaces in an Active/Standby failover pair.

Note

This tab is not available on the ASA 5505 platform. In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from the primary unit. The change can disrupt network traffic. You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify virtual MAC addresses, then the failover pair uses the burned-in NIC address as the MAC address.

Note

You cannot configure a virtual MAC address for the failover or state links. The MAC and IP addresses for those links do not change during failover.

ASDM User Guide OL-10106-01

12-21

Chapter 12 Field Information for the Failover Panes

Failover

Fields

MAC AddressesLists physical interfaces on the security appliance for which an active and standby virtual MAC address has been configured.
Physical Interface columnIdentifies the physical interface for which failover virtual MAC

addresses are configured.


Active MAC Address columnIdentifies the MAC address of the active security appliance

(usually primary).
Standby MAC Address columnIdentifies the MAC address of the standby security appliance

(usually secondary).

AddDisplays the Add Interface MAC Address dialog box. You cannot assign virtual MAC addresses to the LAN failover and Stateful Failover interfaces. See Add/Edit Interface MAC Address for more information. EditDisplays the Edit Interface MAC Address dialog box for the selected interface. See Add/Edit Interface MAC Address for more information. DeleteRemoves the currently selected interface from the MAC addresses table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Interface MAC Address


Configuration > Properties > Failover > MAC Addresses > Add/Edit Interface MAC Address Use the Add/Edit Interface MAC Address dialog box to define the active and standby virtual MAC addresses for an interface.
Fields

Physical InterfaceSpecifies the physical interface for which you are defining failover virtual MAC addresses. Because the MAC addresses do not change for the LAN failover and Stateful Failover interfaces during failover, you cannot choose these interfaces. MAC AddressesContains the fields for specifying the active and standby virtual MAC addresses for the interface.
Active InterfaceSpecifies the MAC address of the interface on the active security appliance

(usually primary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).

ASDM User Guide

12-22

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Standby InterfaceSpecifies the MAC address of the interface on the standby security

appliance (usually secondary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

For more information about failover in general, see Understanding Failover.

Failover-Multiple Mode, Security Context


The fields displayed on the Failover pane in multiple context mode change depending upon whether the context is in transparent or routed firewall mode. This section contains the following topics:

Failover - Routed Failover - Transparent

Failover - Routed
Configuration > Properties > Failover Use this pane to define the standby IP address for each interface in the security context and to specify whether the status of the interface should be monitored.
Fields

Interface tableLists the interfaces on the security appliance and identifies their active IP address, standby IP address, and monitoring status.
Interface Name columnIdentifies the interface name. Active IP columnIdentifies the active IP address for this interface. Standby IP columnIdentifies the IP address of the corresponding interface on the standby

failover unit.
Is Monitored columnSpecifies whether this interface is monitored for failure.

EditDisplays the Edit Failover Interface Configuration dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

12-23

Chapter 12 Field Information for the Failover Panes

Failover

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration


Configuration > Properties > Failover > Edit Failover Interface Configuration Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.
Fields

Interface NameIdentifies the interface name. Active IP AddressIdentifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface. Subnet MaskIdentifies the mask for this interface. This field does not appear if an IP address has not been assigned to the interface. Standby IP AddressSpecifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface. Monitor interface for failureSpecifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. Monitored failover interfaces can have the following status:
UnknownInitial status. This status can also mean the status cannot be determined. NormalThe interface is receiving traffic. TestingHello messages are not heard on the interface for five poll times. Link DownThe interface is administratively down. No LinkThe physical link for the interface is down. FailedNo traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

12-24

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

For More Information

For more information about failover in general, see Understanding Failover.

Failover - Transparent
Configuration > Properties > Failover Use this pane to define the standby IP address for the management interface for the security context and to specify whether the status of the interfaces on the security context should be monitored.
Fields

InterfaceLists the interfaces for the security context and identifies their monitoring status.
Interface NameIdentifies the interface name. Is MonitoredSpecifies whether this interface is monitored for failure.

EditDisplays the Edit Failover Interface Configuration dialog box for the selected interface. Management IP AddressIdentifies the active and standby management IP addresses for the security context.
ActiveIdentifies the management IP address for the active failover unit. StandbySpecifies the management IP address for the standby failover unit.

Management NetmaskIdentifies the mask associated with the management address.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

For More Information

For more information about failover in general, see Understanding Failover.

Edit Failover Interface Configuration


Configuration > Properties > Failover > Interfaces > Edit Failover Interface Configuration Use the Edit Failover Interface Configuration dialog box to specify whether the status of the interface should be monitored.
Fields

Interface NameIdentifies the interface name. Monitor interface for failureSpecifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. Monitored failover interfaces can have the following status:
UnknownInitial status. This status can also mean the status cannot be determined.

ASDM User Guide OL-10106-01

12-25

Chapter 12 Field Information for the Failover Panes

Failover

NormalThe interface is receiving traffic. TestingHello messages are not heard on the interface for five poll times. Link DownThe interface is administratively down. No LinkThe physical link for the interface is down. FailedNo traffic is received on the interface, yet traffic is heard on the peer interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

For More Information

For more information about failover in general, see Understanding Failover.

Failover-Multiple Mode, System


System > Configuration > Failover This pane includes tabs for configuring the system-level failover settings in the system context of a security appliance in multiple context mode. In multiple mode, you can configure Active/Standby or Active/Active failover. Active/Active failover is automatically enabled when you create failover groups in the device manager. For both types of failover, you need to provide system-level failover settings in the system context, and context-level failover settings in the individual security contexts. For more information about configuring failover in general, see Understanding Failover. Seethe following topics for more information:

Failover > Setup Tab Failover > Criteria Tab Failover > Active/Active Tab Failover > MAC Addresses Tab

Failover > Setup Tab


System > Configuration > Failover > Setup Tab Use this tab to enable failover on a security appliance in multiple context mode. You also designate the failover link and the state link, if using Stateful Failover, on this tab.
Fields

Enable FailoverChecking this check box enables failover and lets you configure a standby security appliance.

ASDM User Guide

12-26

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Note

The speed and duplex settings for an interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces pane before enabling failover. Use 32 hexadecimal character keyCheck this check box to enter a hexadecimal value for the encryption key in the Shared Key field. Uncheck this check box to enter an alphanumeric shared secret in the Shared Key field. Shared KeySpecifies the failover shared secret or key for encrypted and authenticated communications between failover pairs. If you checked the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f). If you cleared the Use 32 hexadecimal character key check box, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid character are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.

Enable LAN rather than serial cable failover(PIX security appliance platform only) Check this check box to enable LAN failover. Uncheck this check box to use the dedicated serial link as the failover link. LAN FailoverContains the fields for configuring LAN Failover.
InterfaceSpecifies the interface used for failover communication. Failover requires a

dedicated interface, however, you can use the same interface for Stateful Failover. Only unconfigured interfaces or subinterfaces that have not been assigned to a context are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane or assign that interface to a context.
Active IPSpecifies the IP address for the failover interface on the active unit. Subnet MaskSpecifies the mask for the failover interface on the active unit. Logical NameSpecifies the logical name for the failover interface. Standby IPSpecifies the IP address of the standby unit. Preferred RoleSpecifies whether the preferred role for this security appliance is as the

primary or secondary unit in a LAN failover.

State FailoverContains the fields for configuring Stateful Failover.


InterfaceSpecifies the interface used for failover communication. You can choose an

unconfigured interface or subinterface or the LAN Failover interface. If you choose the LAN Failover interface, the interface needs enough capacity to handle both the LAN Failover and Stateful Failover traffic. Also, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used.

Note

We recommend that you use two separate, dedicated interfaces for the LAN Failover interface and the Stateful Failover interface.

Active IPSpecifies the IP address for the Stateful Failover interface on the active unit. Subnet MaskSpecifies the mask for the Stateful Failover interface on the active unit.

ASDM User Guide OL-10106-01

12-27

Chapter 12 Field Information for the Failover Panes

Failover

Logical NameSpecifies the logical name for the Stateful Failover interface. Standby IPSpecifies the IP address of the standby unit. Enable HTTP replicationChecking this check box enables Stateful Failover to copy active

HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Failover > Criteria Tab


System > Configuration > Failover > Criteria Tab Use this tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

Note

If you are configuring Active/Active failover, you do not use this tab to define the interface policy; instead, you define the interface policy for each failover group using the Failover > Active/Active Tab. With Active/Active failover, the interface policy settings defined for each failover group override the settings on this tab. If you disable Active/Active failover, then the settings on this tab are used.
Fields

Interface PolicyContains the fields for defining the policy for failover when monitoring detects an interface failure.
Number of failed interfaces that triggers failoverWhen the number of failed monitored

interfaces exceeds the value you set with this command, then the security appliance fails over. The range is between 1 and 250 failures.
Percentage of failed interfaces that triggers failoverWhen the number of failed monitored

interfaces exceeds the percentage you set with this command, then the security appliance fails over.

Failover Poll TimesContains the fields for defining how often hello messages are sent on the failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages are received.
Unit FailoverThe amount of time between hello messages among units. The range is between

1 and 15 seconds or between 200 and 999 milliseconds.

ASDM User Guide

12-28

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Unit Hold TimeSets the time during which a unit must receive a hello message on the failover

link, or else the unit begins the testing process for peer failure. The range is between 1and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the polltime.
Monitored InterfacesThe amount of time between polls among interfaces. The range is

between 1and 15 seconds or 500 to 999 milliseconds.


Interface Hold TimeSets the time during which a data interface must receive a hello message

on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Failover > Active/Active Tab


System > Configuration > Failover > Active/Active Tab Use this tab to enable Active/Active failover on the security appliance by defining failover groups. In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple mode. A failover group is simply a logical group of security contexts. You can create two failover groups on the security appliance. You must create the failover groups on the active unit in the failover pair. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Note

When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.
Fields

Failover GroupsLists the failover groups currently defined on the security appliance.
Group NumberSpecifies the failover group number. This number is used when assigning

contexts to failover groups.


Preferred RoleSpecifies the unit in the failover pair, primary or secondary, on which the

failover group appears in the active state when both units start up simultaneously or when the preempt option is specified. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

ASDM User Guide OL-10106-01

12-29

Chapter 12 Field Information for the Failover Panes

Failover

Preempt EnabledSpecifies whether the unit that is the preferred failover device for this

failover group should become the active unit after rebooting.


Preempt DelaySpecifies the number of seconds that the preferred failover device should wait

after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.
Interface PolicySpecifies either the number of monitored interface failures or the percentage

of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.
Interface Poll TimeSpecifies the amount of time between polls among interfaces. The range

is between 1 and 15 seconds.


Replicate HTTPIdentifies whether Stateful Failover should copy active HTTP sessions to the

standby firewall for this failover group. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

AddDisplays the Add Failover Group dialog box. This button is only enabled if less than 2 failover groups exist. See Add/Edit Failover Group for more information. EditDisplays the Edit Failover Group dialog box for the selected failover group. See Add/Edit Failover Group for more information. DeleteRemoves the currently selected failover group from the failover groups table. This button is only enabled if the last failover group in the list is selected.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Failover Group


System > Configuration > Failover > Active/Active > Add/Edit Failover Group Use the Add/Edit Failover Group dialog box to define failover groups for an Active/Active failover configuration.
Fields

Preferred RoleSpecifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

ASDM User Guide

12-30

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Preempt after booting with optional delay ofChecking this check box causes the unit that is the preferred failover device for a failover group to become the active unit after rebooting. Checking this check box also enables the Preempt after booting with optional delay of field in which you can specify a period of time that the device should wait before becoming the active unit. Preempt after booting with optional delay ofSpecifies the number of seconds that a unit should wait after rebooting before taking over as the active unit for any failover groups for which it is the preferred failover device. The range is between 0 and 1200 seconds. Interface PolicyContains the fields for defining the policy for failover when monitoring detects an interface failure. These settings override any interface policy settings on the Criteria tab.
Number of failed interfaces that triggers failoverWhen the number of failed monitored

interfaces exceeds the value you set with this command, then the security appliance fails over. The range is between 1 and 250 failures.
Percentage of failed interfaces that triggers failoverWhen the number of failed monitored

interfaces exceeds the percentage you set with this command, then the security appliance fails over.

Poll time interval for monitored interfacesThe amount of time between polls among interfaces. The range is between 1 and 15 seconds. Enable HTTP replicationChecking this check box enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab. MAC AddressesLists physical interfaces on the security appliance for which an active and standby virtual MAC address has been configured.
Physical InterfaceDisplays the physical interface for which failover virtual MAC addresses

are configured.
Active MAC AddressDisplays the MAC address for the interface and failover group on the

unit where the failover group is active.


Standby MAC AddressDisplays the MAC address for the interface and failover group on the

unit where the failover group is in the standby state.

AddDisplays the Add Interface MAC Address dialog box. You cannot assign virtual MAC addresses to the LAN failover and Stateful Failover interfaces. See Add/Edit Interface MAC Address for more information. EditDisplays the Edit Interface MAC Address dialog box for the selected interface. See Add/Edit Interface MAC Address for more information. DeleteRemoves the currently selected interface from the MAC addresses table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

12-31

Chapter 12 Field Information for the Failover Panes

Failover

For More Information

For more information about failover in general, see Understanding Failover.

Add/Edit Interface MAC Address


System > Configuration > Failover > Active/Active > Add/Edit Failover Group > Add/Edit MAC Address Use the Add/Edit Interface MAC Address dialog box to define the active and standby virtual MAC addresses for the interfaces in a failover group. If you do not specify a virtual MAC address for an interface, the interface is given a default virtual MAC address as follows:

Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01. Standby unit default MAC address: 00a0.c9:physical_port_number.failover_group_id02.

Note

If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address. These MAC addresses override the physical MAC addresses for the interface.
Fields

Physical InterfaceSpecifies the physical interface for which you are defining failover virtual MAC addresses. Because the MAC addresses do not change for the LAN failover and Stateful Failover interfaces during failover, you cannot choose these interfaces. MAC AddressesContains the fields for specifying the active and standby virtual MAC addresses for the interface.
Active InterfaceSpecifies the MAC address for the interface and failover group on the unit

where the failover group is active. Each interface may have up to two MAC addresses, one for each failover group, which override the physical MAC address. Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Standby InterfaceSpecifies the MAC address for the interface and failover group on the unit

where the failover group is in the standby state. Each interface may have up to two MAC addresses, one for each failover group, which override the physical MAC address. Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

ASDM User Guide

12-32

OL-10106-01

Chapter 12

Failover Field Information for the Failover Panes

Failover > MAC Addresses Tab


System > Configuration > Failover > MAC Addresses Tab The MAC Addresses tab lets you configure the virtual MAC addresses for the interfaces in an Active/Standby failover pair. In Active/Standby failover, the MAC addresses for the primary unit are always associated with the active IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from the primary unit. The change can disrupt network traffic. You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify virtual MAC addresses, then the failover pair uses the burned-in NIC address as the MAC address.

Note

You cannot configure a virtual MAC address for the failover or state links. The MAC and IP addresses for those links do not change during failover. In Active/Active failover, the MAC addresses configured on this tab are not in effect. Instead, the MAC addresses defined in the failover groups are used.
Fields

MAC AddressesLists physical interfaces on the security appliance for which an active and standby virtual MAC address has been configured.
Physical InterfaceIdentifies the physical interface for which failover virtual MAC addresses

are configured.
Active MAC AddressIdentifies the MAC address on the active security appliance (usually

primary).
Standby MAC AddressIdentifies the MAC address on the standby security appliance (usually

secondary).

AddDisplays the Add/Edit Interface MAC Address dialog box. EditDisplays the Add/Edit Interface MAC Address dialog box for the selected interface. DeleteRemoves the currently selected interface from the MAC addresses table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

ASDM User Guide OL-10106-01

12-33

Chapter 12 Field Information for the Failover Panes

Failover

Add/Edit Interface MAC Address


System > Configuration > Failover > MAC Addresses > Add/Edit Interface MAC Address Use the Add/Edit Interface MAC Address dialog box to define the active and standby virtual MAC addresses for an interface.
Fields

Physical InterfaceSpecifies the physical interface for which you are defining failover virtual MAC addresses. Because the MAC addresses do not change for the LAN failover and Stateful Failover interfaces during failover, you cannot choose these interfaces. MAC AddressesContains the fields for specifying the active and standby virtual MAC addresses for the interface.
Active InterfaceSpecifies the MAC address of the interface on the active security appliance

(usually primary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Standby InterfaceSpecifies the MAC address of the interface on the standby security

appliance (usually secondary). Enter the MAC address in hexadecimal format (for example, 0123.4567.89AB).
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

ASDM User Guide

12-34

OL-10106-01

C H A P T E R

13

Configuring Logging
Once you have enabled logging and set up the logging parameters using the Logging Setup panel, the Event Lists panel lets you configure filters (of a set of syslogs) which can be sent to a logging destination. The Logging Filters panel lets you specify a logging destination for the syslogs to be sent. Finally, the Syslog and E-Mail panels configure syslog and E-Mail setup.

Logging Setup
Configuration > Properties > Logging > Logging Setup The Logging Setup panel lets you enable system logging on the security appliance and configure other logging parameters.
Fields

Enable loggingTurns on logging for the main security appliance. Enable logging on the failover standby unitTurns on logging for the standby security appliance, if available. Send debug messages as syslogsRedirects all the debug trace output to the syslog. The syslog message will not show up in the console if this option is enabled. Therefore, in order to see debug messages, you must have logging enabled at the console and have it configured as the destination for the debug syslog message number and logging level. The syslog message number used is 711011. Default logging level for this syslog is debug. Send syslogs in EMBLEM formatEnables EMBLEM format logging for every logging destination. Buffer SizeSpecifies the size of the internal buffer to which syslogs will be saved if the logging buffer is enabled. When the buffer fills up, it will be overwritten. The default is 4096 bytes. The range is 4096 to 1048576. Save Buffer To FTP ServerTo save the buffer contents to the FTP server before it is overwritten, use this check box. To remove the FTP configuration, uncheck this box. Configure FTP Parameters buttonConfigures the FTP parameters used to save the buffer content. Save Buffer To FlashTo save the buffer contents to the Flash before it is overwritten, use this check box. This option is only available in routed or transparent single mode. Configure Flash UsageSpecifies the maximum space to be used in the Flash for logging and the minimum free space to be preserved (in KB). This option is only available in routed or transparent single mode.

ASDM User Guide OL-10106-01

13-1

Chapter 13 Logging Setup

Configuring Logging

Queue SizeSpecifies the queue size for syslogs intended for viewing in ASDM.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configure FTP Settings


Configuration > Properties > Logging > Logging Setup > Configure FTP Settings The Configure FTP Settings dialog box lets you specify the configuration for the FTP server used to save the buffer contents.
Fields

IP AddressIP address of the FTP server. PathDirectory path on the FTP server to store the saved file. UsernameUser login to the FTP server. PasswordPassword used with the username for the FTP server. Confirm PasswordConfirms the password from the password field.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configure Logging Flash Usage


Configuration > Properties > Logging > Logging Setup > Configure Logging Flash Usage The Configure Logging Flash Usage panel lets you specify the limits for saving buffer contents to Flash.
Fields

Maximum Flash to Be Used by LoggingSpecifies the maximum space that logging can use on the Flash (in KB). Minimum Free Space to Be PreservedSpecifies the minimum free space that logging will preserve on the Flash.

ASDM User Guide

13-2

OL-10106-01

Chapter 13

Configuring Logging E-Mail Setup

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

E-Mail Setup
Configuration > Properties > Logging > E-Mail Setup The E-Mail Setup panel lets you set up a source e-mail address as well as a list of recipients for specified syslogs to be sent as e-mails. You can filter the syslogs sent to a destination e-mail address by severity. The table shows which entries have been set up. The syslog severity filter used for the destination e-mail address will be the higher of the severity specified in this section and the global filter set for all e-mail recipients in the Logging Filters section.
Fields

Source E-Mail addressSpecifies the e-mail address that will be used as the source address when syslogs are sent as e-mails. Destination E-Mail AddressSpecifies the e-mail address of the recipient of the syslog message. Syslog SeveritySpecifies the severity of the syslogs sent to this recipient.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit E-Mail Recipient


Configuration > Properties > Logging > E-Mail Setup > Add/Edit E-Mail Recipient The Add/Edit E-Mail Recipient dialog box lets you set up a destination e-mail address for a particular severity of syslog messages to be sent. The syslog severity filter used for the destination e-mail address will be the higher of the severity specified in this section and the global filter set for all e-mail recipients in the Logging Filters panel.
Fields

Destination E-MailSpecifies the e-mail address of the recipient of the syslog message. Syslog SeveritySpecifies the severity of the syslogs sent to this recipient.

ASDM User Guide OL-10106-01

13-3

Chapter 13 Event Lists

Configuring Logging

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Event Lists
Configuration > Properties > Logging > Event Lists The Event Lists panel lets you define a set of syslogs to filter for logging. Once you have enabled logging and set up the logging parameters using the Logging Setup panel, the Event Lists panel lets you configure filters (of a set of syslogs) which can be sent to a logging destination. The Logging Filters panel lets you specify a logging destination for event lists. You can use three criteria to define an event list:

Class Severity Message ID.

The class associates related syslog messages so you do not have to specify the system log messages individually. For example, the auth class lets you specify all the system log messages that are related to user authentication. Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event. The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.
Fields

NameLists the name of the event list. Event ClassLists the event class. Event classes include:
AllAll event classes authUser Authentication bridgeTransparent firewall caPKI Certification Authority configCommand Interface haFailover idsIntrusion Detection System ipIP Stack npNetwork Processor ospfOSPF Routing

ASDM User Guide

13-4

OL-10106-01

Chapter 13

Configuring Logging Event Lists

ripRIP Routing rmResource Manager sessionUser Session snmpSNMP sysSystem vpnIKE and IPSec vpncVPN client vpnlbVPN Load Balancing

SeverityLists the level of logging messages. Severity levels include the following:
Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

Message IDsLists a syslog message ID or range of syslog message IDs to include in the filter. For example, 101001-101010.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Event List


Configuration > Properties > Logging > Event Lists > Add/Edit Event List (You can get to this dialog through various paths.) The Add/Edit Event List dialog box lets you create or edit an event list and specify which syslogs to include in the event list filter. You can use three criteria to define an event list:

Class Severity Message ID.

The class associates related syslog messages so you do not have to specify the syslogs individually. For example, the auth class lets you specify all the syslog messages that are related to user authentication.

ASDM User Guide OL-10106-01

13-5

Chapter 13 Event Lists

Configuring Logging

Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event. The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.
Fields

NameLists the name of the event list. Event ClassLists the event class. Event classes include:
AllAll event classes authUser Authentication bridgeTransparent firewall caPKI Certification Authority configCommand Interface haFailover idsIntrusion Detection System ipIP Stack npNetwork Processor ospfOSPF Routing ripRIP Routing rmResource Manager sessionUser Session snmpSNMP sysSystem vpnIKE and IPSec vpncVPN client vpnlbVPN Load Balancing

SeverityLists the level of logging messages. Severity levels include the following:
Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

Message IDsLists a syslog message ID or range of syslog message IDs to include in the filter. For example, 101001-101010.

ASDM User Guide

13-6

OL-10106-01

Chapter 13

Configuring Logging Event Lists

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Class and Severity Filter


...Add/Edit Event List > Add/Edit Class and Severity Filter (You can get to this dialog through various paths.) The Add/Edit Class and Severity Filter dialog box lets you specify the event class and the severity level to include in the event list filter. The class associates related syslog messages so you do not have to specify the syslogs individually. For example, the auth class lets you specify all the syslog messages that are related to user authentication. Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.
Fields

Event ClassSpecifies the event class. Event classes include:


AllAll event classes authUser Authentication bridgeTransparent firewall caPKI Certification Authority configCommand Interface haFailover idsIntrusion Detection System ipIP Stack npNetwork Processor ospfOSPF Routing ripRIP Routing rmResource Manager sessionUser Session snmpSNMP sysSystem vpnIKE and IPSec vpncVPN client vpnlbVPN Load Balancing

ASDM User Guide OL-10106-01

13-7

Chapter 13 Event Lists

Configuring Logging

SeveritySpecifies the level of logging messages. Severity levels include:


Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Syslog Message ID Filter


Configuration > Properties > Logging > Event Lists > Add/Edit Event List > Add/Edit Syslog Message ID Filter Configuration > Properties > Logging > Logging Filters > Edit Logging Filters > Add Event List > Add/Edit Syslog Message ID Filter The Add/Edit Syslog Message ID Filter dialog box lets you specify the syslog message IDs to include in the event list filter.
Fields

Message IDsSpecifies the syslog message ID or range of IDs. Use a hyphen to specify a range. For example, 101001-101010.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

13-8

OL-10106-01

Chapter 13

Configuring Logging Logging Filters

Logging Filters
Configuration > Properties > Logging > Logging Filters The Logging Filters panel lets you configure a logging destination for event lists (syslog filters) that have been configured using the Event Lists panel, or for only the syslogs that you specify using the Edit Logging Filters panel. Syslogs from specific or all event classes can be specified using the Edit Logging Filters panel.
Fields

Logging DestinationLists the name of the logging destination to which you can apply a filter. Logging destinations are as follows:
Internal Buffer Console Telnet Sessions Syslog Servers SNMP Trap E-Mail ASDM

Syslogs From All Event ClassesLists the severity on which to filter, the event list to use, or whether logging is disabled from all event classes. Syslogs From Specific Event ClassesLists event class and severity set up as the filter.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Logging Filters


Configuration > Properties > Logging > Logging Filters > Edit Logging Filters The Edit Logging Filters dialog box lets you edit filters for a logging destination. Syslogs can be configured from all or specific event classes, or disabled for a specific logging destination.
Fields

Logging Destination statusSpecifies the logging destination for this filter. Filter on severityFilters on the severity of the logging messages.
Filter on severitySpecifies the level of logging messages on which to filter.

Use event listSpecifies to use an event list.


Use event listsSpecifies the event list to use.

ASDM User Guide OL-10106-01

13-9

Chapter 13 Logging Filters

Configuring Logging

NewClick to add a new event list.

Disable logging from all event classesDisables all logging to the specified destination. Event ClassSpecifies the event class. Event classes include:
AllAll event classes authUser Authentication bridgeTransparent firewall caPKI Certification Authority configCommand Interface eapExtensible Authentication Protocol (EAP). Logs the following types of events to support

Network Admission Control: EAP session state changes, EAP status query events, and a hexadecimal dump of EAP header and packet contents.
eapoudpExtensible Authentication Protocol (EAP) over UDP. Logs EAPoUDP events to

support Network Admission Control, and generates a complete record of EAPoUDP header and packet contents.
haFailover idsIntrusion Detection System ipIP Stack nacNetwork Admission Control. Logs the following types of events: initializations, exception

list matches, ACS transactions, clientless authentications, default ACL applications, and revalidations.
npNetwork Processor ospfOSPF Routing ripRIP Routing rmResource Manager sessionUser Session snmpSNMP sysSystem vpnIKE and IPSec vpncVPN client vpnlbVPN Load Balancing

SeveritySpecifies the level of logging messages. Severity levels include:


Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

ASDM User Guide

13-10

OL-10106-01

Chapter 13

Configuring Logging Rate Limit

Event ClassSpecifies the event class and severity. Event classes include one or all of the available items. SeveritySpecifies the level of logging messages.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rate Limit
Configuration > Properties > Logging > Rate_Limit The Rate Limit panel lets you specify the number of system log messages that the firewall can send to your syslog server. To make use of the syslog server(s) you must also enable logging using the Logging Setup panel. You can specify a rate limit for message logging levels, or be more specific and specify the rate of messages limited to a specific system log message.
Fields

Rate Limits for syslog logging levels

Logging LevelDisplays the message severity level. Levels are defined as follows:
Disabled (no logging) Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

No of MessagesDisplays the number of messages sent to the syslog server. To allow an unlimited number of messages, leave both the Number of Messages and Time Interval fields blank. Time Interval (Seconds)Displays the how often, in seconds, the syslog server is updated. To allow an unlimited number of messages, leave both the Number of Messages and Time Interval fields blank. EditChoose a server from the table and click this button to open the Edit Rate Limit dialog box, where you can edit the properties of the specified logging level. Individually rate limited syslog messages
Message IDEnter the system log message ID for the system log message you wish to limit.

ASDM User Guide OL-10106-01

13-11

Chapter 13 Rate Limit

Configuring Logging

No of MessagesDisplays the number of messages sent to the syslog server. Time Interval (Seconds)Displays how often, in seconds, the syslog server is updated.

ApplySends changes made in PDM to the firewall unit and applies them to the running configuration. Use the File menu to write a copy of the running configuration to Flash memory, a TFTP server, or a failover standby firewall unit. See Configuration Changes. ResetDiscards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Rate Limit for Syslog Logging Level


Configuration > Properties > Logging > Edit_Rate_Limit The Edit Rate Limit for Syslog Logging Level field lets you specify the number of messages the firewall can send to a syslog server, and the amount of time between updates to that server.
Fields

Rate Limit for syslog logging levels

Logging LevelDisplays the specified message severity level. If you are modifying a specific message ID rate limit, you may specify the logging level. Levels are defined as follows:
Disabled (no logging) Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

No of MessagesSpecifies the number of messages sent to the syslog server. Time Interval (seconds)Specifies the amount of time, in seconds, the syslog server is updated with messages at this level. OKAccepts changes and returns to the previous panel. CancelDiscards changes and returns to the previous panel. HelpProvides more information.

ASDM User Guide

13-12

OL-10106-01

Chapter 13

Configuring Logging Syslog Servers

ResetDiscards changes and reverts the panel to the information displayed when it was opened or the last time Refresh was clicked while open.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Rate Limit for Syslog Message


Configuration > Properties > Logging > Rate Limit > Add/Edit The Add/Edit Rate Limit for Syslog Message dialog box lets you assign rate limits to a specific system log message ID.
Fields

Syslog Message IDSpecifies the system log message ID of the system log message you want to limit. Number of MessagesSpecifies the number of messages sent to the syslog server. Time IntervalSpecifies how often, in seconds, the syslog server is updated.

Note: To allow an unlimited number of messages, leave both Number of Messages and Time Interval boxes blank.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Syslog Servers
Configuration > Properties > Logging > Syslog Servers The Syslog Servers panel lets you specify the syslog servers to which the security appliance will send syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup panel and set up the appropriate filters for destinations using the Logging Filters panel.

ASDM User Guide OL-10106-01

13-13

Chapter 13 Syslog Servers

Configuring Logging

Restrictions

There is a limit of four syslog servers that can be set up per context.
Fields

InterfaceDisplays the interface used to communicate with the syslog server. IP AddressDisplays the IP address of the interface that will be used. Protocol/PortDisplays the protocol and port used by the syslog server. EMBLEMDisplays whether to log messages in Cisco EMBLEM format (UDP only) or not. FiltersDisplays the filter interfaces specified. If specified, only messages that are associated with the interfaces listed are sent to the host. You may specify one or multiple interfaces to filter. Queue SizeSpecifies the number of messages that are allowed to be queued on the security appliance if any syslog server is busy. A zero value means an unlimited number of messages might be queued. Allow user traffic to pass when TCP syslog server is downSpecifies whether or not to restrict all traffic if any syslog server is down.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Syslog Server


Configuration > Properties > Logging > Syslog Servers > Add/Edit Syslog Server The Add Syslog Servers dialog box lets you add or edit the syslog servers to which the security appliance will send syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup panel and set up the appropriate filters for destinations using the Logging Filters panel. Note: There is a limit of four syslog servers that can be set up per context.
Fields

InterfaceSpecifies the interface used to communicate with the syslog server. IP AddressSpecifies the IP address that will be used. ProtocolDisplays the protocol used by the syslog server, either TCP or UDP. PortSpecifies the port used by the syslog server. Log messages in Cisco EMBLEM format (UDP only)Specifies whether to log messages in Cisco EMBLEM format (UDP only) or not. FiltersSpecifies a filter interface. Only messages that are associated with the interface listed are sent to the host. You may specify one or multiple interfaces. Select Multiple buttonLets you choose multiple interfaces for the filter list.

ASDM User Guide

13-14

OL-10106-01

Chapter 13

Configuring Logging Syslog Setup

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Specify Filter Interfaces


Configuration > Properties > Logging > Syslog Servers > Add/Edit Syslog Server > Specify Filter Interfaces The Specify Filter Interfaces dialog box lets you choose multiple interfaces to indicate which messages are sent to the host. Only messages that are associated with the interfaces listed are sent to the host.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Syslog Setup
Configuration > Properties > Logging > Syslog Setup The Syslog Setup panel lets you set the facility code to include in syslogs, include timestamp in syslog, view syslog ID levels, modify syslog ID levels, and suppress syslog messages.
Fields

Facility code to include in syslogsSpecifies a syslog facility for the host to use as a basis to file the messages. The default is LOCAL(4)20, which is what most UNIX systems expect. However, because your network devices share the eight available facilities, you might need to change this value for syslog. Include timestamp in syslogsIncludes date and time in every syslog sent. Syslog ID Table ViewSpecifies the information to be displayed in the Syslog ID Table. Options are defined as follows:
View all syslog IDsDisplays the entire list of syslog IDs. View suppressed syslog IDs onlyDisplays only those syslog IDs that have been configured as

suppressed.
View syslog IDs with changed levels onlyDisplays only those syslog IDs with logging levels

that have changed from their default values.

ASDM User Guide OL-10106-01

13-15

Chapter 13 Syslog Setup

Configuring Logging

View suppressed or changed level syslog IDs onlyDisplays only those syslog IDs with

logging levels that either have been configured as suppressed or have changed from their default values.

Advanced buttonLets you configure syslog messages to include a device ID.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Syslog ID Settings


Configuration > Properties > Logging > Syslog Setup > Edit Syslog ID Settings The Edit dialog box lets you modify the logging level or suppression setting for specified syslog messages.
Fields

Syslog ID(s)This text area is read-only. The values displayed in this area are determined by the entries specified in the Syslog ID Table located in the Syslog Setup panel. Suppress Message(s)Check this check box to suppress messages for the syslog ID(s) displayed in the Syslog ID(s) list. Logging LevelChoose the level of logging messages to be sent for the syslog ID(s) displayed in the Syslog ID(s) list. Levels are defined as follows:
Emergency (level 0, system unusable) Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

13-16

OL-10106-01

Chapter 13

Configuring Logging Syslog Setup

Advanced Syslog Configuration


Configuration > Properties > Logging > Syslog Setup > Edit Syslog ID Settings > Advanced Syslog Configuration The Advanced Syslog Configuration dialog box lets you configure syslog messages to include a device ID. If this feature is enabled, the device ID will be included in all non-EMBLEM formatted syslog messages.
Fields

Enable Syslog Device IDEnables the syslog ID feature which includes a device ID in all non-EMBLEM formatted syslog messages. HostnameSpecifies that the hostname will be used as the device ID. IP AddressSpecifies the IP address of the interface that will be used.
Interface NameSpecifies the interface name corresponding to the specified IP address.

StringSpecifies that a user-defined string will be used as the device ID.


User-defined IDSpecifies an alpha numeric user-defined string.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

13-17

Chapter 13 Syslog Setup

Configuring Logging

ASDM User Guide

13-18

OL-10106-01

C H A P T E R

14

Configuring Dynamic And Static Routing


The Routing area lets you edit a static route to ensure that the security appliance correctly forwards network packets destined to the host or network. You can also use a static route to override any dynamic routes that are discovered for this host or network by specifying a static route with a lower metric than the discovered dynamic routes. To create a static route for a host or network, you must define the IP address and metric for the hop gateway to which the security appliance will forward packets destined to the selected host or network. You can also define multiple static routes for a host or network. This section contains the following topics:

Dynamic Routing Static Routes Proxy ARPs

Dynamic Routing
The Dynamic Routing area contains the following topics:

OSPF RIP

OSPF
OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements rather than routing table updates. Because only LSAs are exchanged, rather than entire routing tables, OSPF networks converge more quickly than RIP networks. OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all routing protocols when possible because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information. If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then you need to run two OSPF processesone process for the public areas and one for the private areas. A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).

ASDM User Guide OL-10106-01

14-1

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR type 3 LSA filtering, you can have separate private and public areas with the security appliance acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to other. This lets you use NAT and OSPF together without advertising private networks.

Note

Only type 3 LSAs can be filtered. If you configure the security appliance as an ASBR in a private network, it will send type 5 LSAs describing private networks, which will get flooded to the entire AS including public areas. If NAT is employed but OSPF is only running in public areas, then routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the security appliance. Also, you should not mix public and private networks on the same security appliance interface. You can have two OSPF routing processes and one RIP routing process running on the security appliance at the same time. For more information about enabling and configuring OSPF, see the following:

Setup Interface Static Neighbor Virtual Link Filtering Redistribution Summary Address

Setup
Configuration > Routing > Dynamic Routing > OSPF > Setup The Setup pane lets you enable OSPF processes, configure OSPF areas and networks, and define OSPF route summarization. For more information about configuring these areas, see the following:

Setup > Process Instances Tab Setup > Area/Networks Tab Setup > Route Summarization Tab

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

14-2

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Setup > Process Instances Tab


Configuration > Routing > Dynamic Routing > OSPF > Setup > Process Instances Tab You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.
Fields

OSPF Process 1 and 2 areasEach area contains the settings for a specific OSPF process. Enable this OSPF ProcessCheck the check box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Uncheck this check box to remove the OSPF process. OSPF Process IDEnter a unique numeric identifier for the OSPF process. This process ID is used internal and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535. AdvancedOpens the Edit OSPF Process Advanced Properties dialog box, where you can configure the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit OSPF Process Advanced Properties


Configuration > Routing > Dynamic Routing > OSPF > Setup > Process Instances > Edit OSPF Process Advanced Properties You can edit process-specific settings, such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings, in the Edit OSPF Process Advanced Properties dialog box.
Fields

OSPF ProcessDisplays the OSPF process you are configuring. You cannot change this value. Router IDTo used a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest-level IP address on the security appliance is used as the router ID. Ignore LSA MOSPFCheck this check box to suppress the sending of system log messages when the security appliance receives Type 6 (MOSPF) LSA packets. This setting is unchecked by default. RFC 1583 CompatibleCheck this check box to calculate summary route costs per RFC 1583. Uncheck this check box to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically.This setting is selected by default.

ASDM User Guide OL-10106-01

14-3

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Adjacency ChangesContains settings that define the adjacency changes that cause system log messages to be sent.
Log Adjacency ChangesCheck this check box to cause the security appliance to send a system

log message whenever an OSPF neighbor goes up or down. This setting is selected by default.
Log Adjacency Changes DetailCheck this check box to cause the security appliance to send

a system log message whenever any state change occurs, not just when a neighbor goes up or down. This setting is unchecked by default.

Administrative Route DistancesContains the settings for the administrative distances of routes based on the route type.
Inter AreaSets the administrative distance for all routes from one area to another. Valid values

range from 1 to 255. The default value is 100.


Intra AreaSets the administrative distance for all routes within an area. Valid values range

from 1 to 255. The default value is 100.


ExternalSets the administrative distance for all routes from other routing domains that are

learned through redistribution. Valid values range from 1 to 255. The default value is 100.

TimersContains the settings used to configure LSA pacing and SPF calculation timers.
SPF Delay TimeSpecifies the time between when OSPF receives a topology change and when

the SPF calculation starts. Valid values range from 0 to 65535. The default value is 5.
SPF Hold TimeSpecifies the hold time between consecutive SPF calculations.Valid values

range from 1 to 65534. The default value is 10.


LSA Group PacingSpecifies the interval at which LSAs are collected into a group and

refreshed, checksummed, or aged. Valid values range from 10 to 1800. The default value is 240.

Default Information OriginateContains the settings used by an ASBR to generate a default external route into an OSPF routing domain.
Enable Default Information OriginateCheck this check box to enable the generation of the

default route into the OSPF routing domain.


Always advertise the default routeCheck this check box to always advertise the default route.

This option is unchecked by default.


Metric ValueSpecifies the OSPF default metric. Valid values range from 0 to 16777214. The

default value is 1.
Metric TypeSpecifies the external link type associated with the default route advertised into

the OSPF routing domain. Valid values are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.
Route Map(Optional) The name of the route map to apply. The routing process generates the

default route if the route map is satisfied.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

14-4

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Setup > Area/Networks Tab


Configuration > Routing > Dynamic Routing > OSPF > Setup > Area/Networks Tab The Area/Networks tab displays the areas, and the networks they contain, for each OSPF process on the security appliance.
Fields

Area/NetworksDisplays information about the areas and the area networks configured for each OSPF process. Double-clicking a row in the table opens the Add/Edit OSPF Area dialog box for the selected area.
OSPF ProcessDisplays the OSPF process the area applies to. Area IDDisplays the area ID. Area TypeDisplays the area type. The area type is one of the following values: Normal, Stub,

NSSA.
NetworksDisplays the area networks. AuthenticationDisplays the type of authentication set for the area. The authentication type is

one of the following values: None, Password, MD5.


OptionsDisplays any options set for the area type. CostDisplays the default cost for the area.

AddOpens the Add/Edit OSPF Area dialog box. Use this button to add a new area configuration. EditOpens the Add/Edit OSPF Area dialog box. Use this button to change the parameters of the selected area. DeleteRemoves the selected area from the configuration.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit OSPF Area


Configuration > Routing > Dynamic Routing > OSPF > Setup > Area/Networks > Add/Edit OSPF Area You define area parameters, the networks contained by the area, and the OSPF process associated with the area in the Add/Edit OSPF Area dialog box.
Fields

OSPF ProcessWhen adding a new area, choose the OSPF process ID for the OSPF process for which the area is being. If there is only one OSPF process enabled on the security appliance, then that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.

ASDM User Guide OL-10106-01

14-5

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Area IDWhen adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area. Area TypeContains the settings for the type of area being configured.
NormalChoose this option to make the area a standard OSPF area. This option is selected by

default when you first create an area.


StubChoosing this option makes the area a stub area. Stub areas do not have any routers or

areas beyond it. Stub areas prevent AS External LSAs (Type 5 LSAs) from being flooded into the stub area. When you create a stub area, you have the option of preventing summary LSAs (Type 3 and 4) from being flooded into the area by unchecking the Summary check box.
SummaryWhen the area being defined is a stub area, unchecking this check box prevents

LSAs from being sent into the stub area. This check box is selected by default for stub areas.
NSSAChoose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs.

When you create a NSSA, you have the option of preventing summary LSAs from being flooded into the area by unchecking the Summary check box. You can also disable route redistribution by unchecking the Redistribute check box and enabling Default Information Originate.
RedistributeUncheck this check box to prevent routes from being imported into the NSSA.

This check box is selected by default.


SummaryWhen the area being defined is a NSSA, unchecking this check box prevents LSAs

from being sent into the stub area. This check box is selected by default for NSSAs.
Default Information OriginateCheck this check box to generate a Type 7 default into the

NSSA. This check box is unchecked by default.


Metric ValueSpecifies the OSPF metric value for the default route. Valid values range from

0 to 16777214. The default value is 1.


Metric TypeThe OSPF metric type for the default route. The choices are 1 (Type 1) or 2 (Type

2). The default value is 2.

Area NetworksContains the settings for defining an OSPF area.


Enter IP Address and MaskContains the settings used to define the networks in the area.

IP AddressEnter the IP address of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area. NetmaskChoose the network mask for the IP address or host to be added to the area. If adding a host, choose the 255.255.255.255 mask.
AddAdds the network defined in the Enter IP Address and Mask area to the area. The added

network appears in the Area Networks table.


DeleteDeletes the selected network from the Area Networks table. Area NetworksDisplays the networks defined for the area.

IP AddressDisplays the IP address of the network. NetmaskDisplays the network mask for the network.

AuthenticationContains the settings for OSPF area authentication.


NoneChoose this option to disable OSPF area authentication. This is the default setting. PasswordChoose this option to use a clear text password for area authentication. This option

is not recommended where security is a concern.


MD5Choose this option to use MD5 authentication.

ASDM User Guide

14-6

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Default CostSpecify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Setup > Route Summarization Tab


Configuration > Routing > Dynamic Routing > OSPF > Setup > Route Summarization Tab In OSPF, an ABR will advertise networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the ABR to advertise a summary route that covers all the individual networks within the area that fall into the specified range. To define summary address for external routes being redistributed into an OSPF area, see Summary Address.
Fields

Route SummarizationDisplays information about route summaries defined on the security appliance. Double-clicking a row in the table opens the Add/Edit Route Summarization dialog box for the selected route summary.
OSPF ProcessDisplays the OSPF process ID for the OSPF process associated with the route

summary.
Area IDDisplays the area associated with the route summary. IP AddressDisplays the summary address. Network MaskDisplays the summary mask. AdvertiseDisplays yes when the route summaries are advertised when they match the

address/mask pair or no when route summaries are suppressed when they match the address/mask pair.

AddOpens the Add/Edit Route Summarization dialog box. Use this button to define a new route summarization. EditOpens the Add/Edit Route Summarization dialog box. Use this button to change the parameters of the selected route summarization. DeleteRemoves the selected route summarization from the configuration.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

14-7

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Route Summarization


Configuration > Routing > Dynamic Routing > OSPF > Setup > Route Summarization > Add/Edit Route Summarization Use the Add Route Summarization dialog box to add a new entry to the Route Summarization table. Use the Edit Route Summarization dialog box to change an existing entry.
Fields

OSPF ProcessChoose the OSPF process the route summary applies to. You cannot change this value when editing an existing route summary entry. Area IDChoose the area ID the route summary applies to. You cannot change this value when editing an existing route summary entry. IP AddressEnter the network address for the routes being summarized. Network MaskChoose one of the common network masks from the list or type the mask in the field. AdvertiseCheck this check box to set the address range status to advertise. This causes Type 3 summary LSAs to be generated. Uncheck this check box to suppress the Type 3 summary LSA for the specified networks. This check box is checked by default.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Filtering
Configuration > Routing > Dynamic Routing > OSPF > Filtering The Filtering pane displays the ABR Type 3 LSA filters that have been configured for each OSPF process. ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.
Benefits

OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.

ASDM User Guide

14-8

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Restrictions

Only Type-3 LSAs that originate from an ABR are filtered.


Fields

The Filtering table displays the following information. Double-clicking a table entry opens the Add/Edit Filtering Entry dialog box for the selected entry.

OSPF ProcessDisplays the OSPF process associated with the filter entry. Area IDDisplays the ID of the area associated with the filter entry. Filtered NetworkDisplays the network address being filtered. Traffic DirectionDisplays Inbound if the filter entry applies to LSAs coming in to an OSPF area or Outbound if it applies to LSAs coming out of an OSPF area. Sequence #Displays the sequence number for the filter entry. When multiple filters apply to an LSA, the filter with the lowest sequence number is used. ActionDisplays Permit if LSAs matching the filter are allowed or Deny if LSAs matching the filter are denied. Lower RangeDisplays the minimum prefix length to be matched. Upper RangeDisplays the maximum prefix length to be matched. AddOpens the Add/Edit Filtering Entry dialog box for adding a new entry to the Filter table. EditOpens the Add/Edit Filtering Entry dialog box for modifying the selected filter. DeleteRemoves the selected filter from the Filter table.

You can perform the following actions on entries in the Filtering table:

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Filtering Entry


Configuration > Routing > Dynamic Routing > OSPF > Filtering > Add/Edit Filtering Entry The Add/Edit Filtering Entry dialog box lets you add new filters to the Filter table or to modify an existing filter. Some of the filter information cannot be changed when you edit an existing filter.
Fields

OSPF ProcessChoose the OSPF process associated with the filter entry. If you are editing an existing filter entry, you cannot modify this setting. Area IDChoose the ID of the area associated with the filter entry. If you are editing an existing filter entry, you cannot modify this setting. Filtered NetworkEnter the address and mask of the network being filtered using CIDR notation (a.b.c.d/m).

ASDM User Guide OL-10106-01

14-9

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Traffic DirectionChoose the traffic direction being filtered. Choose Inbound to filter LSAs coming into an OSPF area or Outbound to filter LSAs coming out of an OSPF area. If you are editing an existing filter entry, you cannot modify this setting. Sequence #Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used. ActionChoose Permit to allow the LSA traffic or Deny to block the LSA traffic. OptionalContains the optional settings for the filter.
Lower RangeSpecify the minimum prefix length to be matched. The value of this setting must

be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.
Upper RangeEnter the maximum prefix length to be matched. The value of this setting must

be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the length of the network mask length entered in the Filtered Network field.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Interface
Configuration > Routing > Dynamic Routing > OSPF > Interface The Interface pane lets you configure interface-specific OSPF authentication routing properties. For more information about configuring these properties, see the following:

Interface > Authentication Tab Interface > Properties Tab

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Interface > Authentication Tab


Configuration > Routing > Dynamic Routing > OSPF > Interface > Authentication Tab The Authentication tab displays the OSPF authentication information for the security appliance interfaces.

ASDM User Guide

14-10

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Fields

Authentication PropertiesDisplays the authentication information for the security appliance interfaces. Double-clicking a row in the table opens the Edit OSPF Interface Properties dialog box for the selected interface.
InterfaceDisplays the interface name. Authentication TypeDisplays the type of OSPF authentication enabled on the interface. The

authentication type can be one of the following values: NoneOSPF authentication is disabled. PasswordClear text password authentication is enabled. MD5MD5 authentication is enabled. AreaThe authentication type specified for the area is enabled on the interface. Area authentication is the default value for interfaces. However, area authentication is disabled by default. So, unless you previously specified an area authentication type, interfaces showing Area authentication have authentication disabled.

EditOpens the Edit OSPF Interface Properties dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit OSPF Interface Authentication


Configuration > Routing > Dynamic Routing > OSPF > Interface > Authentication > Edit OSPF Interface Authentication The Edit OSPF Interface Authentication dialog box lets you configure the OSPF authentication type and parameters for the selected interface.
Fields

InterfaceDisplays the name of the interface for which authentication is being configured. You cannot edit this field. AuthenticationContains the OSPF authentication options.
NoneChoose this option to disable OSPF authentication. PasswordChoose this option to use clear text password authentication. This is not

recommended where security is a concern.


MD5Choose this option to use MD5 authentication (recommended). Area(Default) Choose this option to use the authentication type specified for the area (see

Add/Edit OSPF Area for information about configuring area authentication). Area authentication is disabled by default. So, unless you have previously specified an area authentication type, interfaces set to area authentication have authentication disabled until you configure area authentication.

ASDM User Guide OL-10106-01

14-11

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Authentication PasswordContains the settings for entering the password when password authentication is enabled.
Enter PasswordEnter a text string of up to 8 characters. Re-enter PasswordReenter the password.

MD5 IDs and KeysContains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
Enter MD5 ID and KeyContains the settings for entering MD5 key information.

Key IDEnter a numerical key identifier. Valid values range from 1 to 255. KeyAn alphanumeric character string of up to 16 bytes.
AddAdds the specified MD5 key to the MD5 ID and Key table. DeleteRemoves the selected MD5 key and ID from the MD5 ID and Key table. MD5 ID and KeyDisplays the configured MD5 keys and key IDs.

Key IDDisplays the key ID for the selected key. KeyDisplays the key for the selected key ID.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Interface > Properties Tab


Configuration > Routing > Dynamic Routing > OSPF > Interface > Properties Tab The Properties tab displays the OSPF properties defined for each interface in a table format.
Fields

OSPF Interface PropertiesDisplays interface-specific OSPF properties. Double-clicking a row in the table opens the Edit OSPF Interface Properties dialog box for the selected interface.
InterfaceDisplays the name of the interface that the OSPF configuration applies to. BroadcastDisplays No if the interface is set to non-broadcast (point-to-point). Displays

Yes if the interface is set to broadcast. Yes is the default setting for Ethernet interfaces.
CostDisplays the cost of sending a packet through the interface. PriorityDisplays the OSPF priority assigned to the interface. MTU IgnoreDisplays No if MTU mismatch detection is enabled. Displays Yes if the

MTU mismatch detection is disabled.


Database FilterDisplays Yes if outgoing LSAs are filtered during synchronization and

flooding. Displays No if filtering is not enabled.

EditOpens the Edit OSPF Interface Properties dialog box for the selected interface.

ASDM User Guide

14-12

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit OSPF Interface Properties


Configuration > Routing > Dynamic Routing > OSPF > Interface > Properties > Edit OSPF Interface Properties
Fields

InterfaceDisplays the name of the interface for which you are configuring OSPF properties. You cannot edit this field. BroadcastCheck this check box to specify that the interface is a broadcast interface. This check box is selected by default for Ethernet interfaces. Uncheck this check box to designate the interface as a point-to-point, non-broadcast interface. Specifying an interface as point-to-point, non-broadcast lets you transmit OSPF routes over VPN tunnels. When an interface is configured as point-to-point, non-broadcast, the following restrictions apply:
You can define only one neighbor for the interface. You need to manually configure the neighbor (see Static Neighbor). You need to define a static route pointing to the crypto endpoint (see Static Routes). If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router

cannot be run on the same interface.


You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure

that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

CostSpecify the cost of sending a packet through the interface. The default value is 10. PrioritySpecify the OSPF router priority. When two routers connect to a network, both attempt to become the designated router. The devices with the higher router priority becomes the designated router. If there is a tie, the router with the higher router ID becomes the designated router. Valid values for this setting range from 0 to 255.The default value is 1. Entering 0 for this setting makes the router ineligible to become the designated router or backup designated router. This setting does not apply to interfaces that are configured as point-to-point non-broadcast interfaces.

MTU IgnoreOSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange DBD packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established.

ASDM User Guide OL-10106-01

14-13

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Database FilterCheck this check box to filter outgoing LSA interface during synchronization and flooding. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. In a fully meshed topology, this can waste bandwidth and lead to excessive link and CPU usage. Checking this check box prevents flooding OSPF LSA on the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit OSPF Interface Advanced Properties


Configuration > Routing > Dynamic Routing > OSPF > Interface > Properties > Edit OSPF Interface Properties > Edit OSPF Interface Advanced Properties The Edit OSPF Interface Advanced Properties dialog box lets you change the values for the OSPF hello interval, retransmit interval, transmit delay, and dead interval. Typically, you only need to change these values from the defaults if you are experiencing OSPF problems on your network.
Fields

Hello IntervalSpecifies the interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds. Retransmit IntervalSpecifies the time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds. Transmit DelaySpecifies the estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second. Dead IntervalSpecifies the interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

14-14

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Redistribution
Configuration > Routing > Dynamic Routing > OSPF > Redistribution The Redistribution pane displays the rules for redistributing routes from one routing domain to another.
Fields

The Redistribution table displays the following information. Double-clicking a table entry opens the Add/Edit OSPF Redistribution Entry dialog box for the selected entry.

OSPF ProcessDisplays the OSPF process associated with the route redistribution entry. ProtocolDisplays the source protocol the routes are being redistributed from. Valid entries are the following:
StaticThe route is a static route. ConnectedThe route was established automatically by virtue of having IP enabled on the

interface. These routes are redistributed as external to the AS.


OSPFThe route is an OSPF route from another process.

MatchDisplays the conditions used for redistributing routes from one routing protocol to another. SubnetsDisplays Yes if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed. Metric ValueDisplays the metric that is used for the route. This column is blank for redistribution entries if the default metric is used. Metric TypeDisplays 1 if the metric is a Type 1 external route, 2 if the metric is Type 2 external route. Tag ValueA 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295. Route MapDisplays the name of the route map to apply to the redistribution entry.

You can perform the following actions on the Redistribution table entries:

AddOpens the Add/Edit OSPF Redistribution Entry dialog box for adding a new redistribution entry. EditOpens the Add/Edit OSPF Redistribution Entry dialog box for modifying the selected redistribution entry. DeleteRemoves the selected redistribution entry from the Redistribution table.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

14-15

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit OSPF Redistribution Entry


Configuration > Routing > Dynamic Routing > OSPF > Redistribution > Add/Edit OSPF Redistribution Entry The Add/Edit OSPF Redistribution Entry dialog box lets you add a new redistribution rule to or edit an existing redistribution rule in the Redistribution table. Some of the redistribution rule information cannot be changed when you are editing an existing redistribution rule.
Fields

OSPF ProcessChoose the OSPF process associated with the route redistribution entry. If you are editing an existing redistribution rule, you cannot change this setting. ProtocolChoose the source protocol the routes are being redistributed from. You can choose one of the following options:
StaticThe route is a static route. ConnectedThe route was established automatically by virtue of having IP enabled on the

interface. Connected routes are redistributed as external to the AS.


OSPFThe route is an OSPF route from another process.

OSPFChoose the OSPF process ID for the route being redistributed.

MatchDisplays the conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:
InternalThe route is internal to a specific AS. External 1Routes that are external to the autonomous system, but are imported into OSPF as

Type 1 external routes.


External 2Routes that are external to the autonomous system, but are imported into OSPF as

Type 2 external routes.


NSSA External 1Routes that are external to the autonomous system, but are imported into

OSPF as Type 2 NSSA routes.


NSSA External 2Routes that are external to the autonomous system, but are imported into

OSPF as Type 2 NSSA routes.

Metric ValueSpecify the metric value for the routes being redistributed. Valid values range from 1 to 16777214. When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified. When redistributing other processes to an OSPF process, the default metric is 20 when no metric value is specified. Metric TypeChoose 1 if the metric is a Type 1 external route, 2 if the metric is a Type 2 external route.

ASDM User Guide

14-16

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Tag ValueThe tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295. Use SubnetsChoose this check box to enable the redistribution of subnetted routes. Uncheck this check box to cause only routes that are not subnetted to be redistributed. Route MapEnter the name of the route map to apply to the redistribution entry.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Static Neighbor
Configuration > Routing > Dynamic Routing > OSPF > Static Neighbor The Static Neighbor pane displays manually defined neighbors; it does not display discovered neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Static Neighbor table.
Fields

Static NeighborDisplays information for the static neighbors defined for each OSPF process. Double-clicking a row in the table opens the Add/Edit OSPF Neighbor Entry dialog box.
OSPF ProcessDisplays the OSPF process associated with the static neighbor. NeighborDisplays the IP address of the static neighbor. InterfaceDisplays the interface associated with the static neighbor.

AddOpens the Add/Edit OSPF Neighbor Entry dialog box. Use this button to define a new static neighbor. EditOpens the Add/Edit OSPF Neighbor Entry dialog box. Use this button to change the settings for a static neighbor. DeleteRemoves the selected entry from the Static Neighbor table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

14-17

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Add/Edit OSPF Neighbor Entry


Configuration > Routing > Dynamic Routing > OSPF > Static Neighbor > Add/Edit OSPF Neighbor Entry The Add/Edit OSPF Neighbor Entry dialog box lets you define a new static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.
Restrictions

You cannot define the same static neighbor for two different OSPF processes. You need to define a static route for each static neighbor (see Static Routes).

Fields

OSPF ProcessChoose the OSPF process associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value. NeighborEnter the IP address of the static neighbor. InterfaceChoose the interface associated with the static neighbor. If you are editing an existing static neighbor, you cannot change this value.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Summary Address
Configuration > Routing > Dynamic Routing > OSPF > Summary Address The Summary Address pane displays information about the summary addresses configured for each OSPF routing process. Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table. Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.
Fields

The following information appears in the Summary Address table. Double-clicking an entry in the table opens the Add/Edit OSPF Summary Address Entry dialog box for the selected entry.

OSPF ProcessDisplays the OSPF process associated with the summary address. IP AddressDisplays the IP address of the summary address. NetmaskDisplays the network mask of the summary address.

ASDM User Guide

14-18

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

AdvertiseDisplays Yes if the summary routes are advertised. Displays No if the summary route is not advertised. TagDisplays a 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. AddOpens the Add/Edit OSPF Summary Address Entry dialog box for adding new summary address entries. EditOpens the Add/Edit OSPF Summary Address Entry dialog box for editing the selected entry. DeleteRemoves the selected summary address entry from the Summary Address table.

You can perform the following actions on the entries in the Summary Address table:

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit OSPF Summary Address Entry


Configuration > Routing > Dynamic Routing > OSPF > Summary Address > Add/Edit OSPF Summary Address Entry The Add/Edit OSPF Summary Address Entry dialog box lets you add new entries to or modify existing entries in the Summary Address table. Some of the summary address information cannot be changed when editing an existing entry.
Fields

OSPF ProcessChoose the OSPF process associated with the summary address. You cannot change this information when editing an existing entry. IP AddressEnter the IP address of the summary address. You cannot change this information when editing an existing entry. NetmaskEnter the network mask for the summary address, or choose the network mask from the list of common masks. You cannot change this information when editing an existing entry. AdvertiseCheck this check box to advertise the summary route. Uncheck this check box to suppress routes that fall under the summary address. By default this check box is selected. Tag(Optional) The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

14-19

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Virtual Link
Configuration > Routing > Dynamic Routing > OSPF > Virtual Link If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.
Fields

The Virtual Link table displays the following information. Doubling-clicking an entry in the table opens the Add/Edit Virtual Link dialog box for the selected entry.

OSPF ProcessDisplays the OSPF process associated with the virtual link. Area IDDisplays the ID of the transit area. Peer Router IDDisplays the router ID of the virtual link neighbor. AuthenticationDisplays the type of authentication used by the virtual link:
NoneNo authentication is used. PasswordClear text password authentication is used. MD5MD5 authentication is used.

You can perform the following actions on the entries in the Virtual Link table:

AddOpens the Add/Edit Virtual Link dialog box for adding a new entry to the Virtual Link table. EditOpens the Add/Edit Virtual Link dialog box for the selected entry. DeleteRemoves the selected entry from the Virtual Link table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Virtual Link


Configuration > Routing > Dynamic Routing > OSPF > Virtual Link > Add/Edit Virtual Link The Add/Edit Virtual Link dialog box lets you define new virtual links or change the properties of existing virtual links.

ASDM User Guide

14-20

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Fields

OSPF ProcessChoose the OSPF process associated with the virtual link. If you are editing an existing virtual link, you cannot change this value. Area IDChoose the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a Stub area. If you are editing an existing virtual link, you cannot change this value. Peer Router IDEnter the router ID of the virtual link neighbor. If you are editing an existing virtual link, you cannot change this value. AdvancedOpens the Advanced OSPF Virtual Link Properties dialog box. You can configure the OSPF properties for the virtual link in this area. These properties include authentication and packet interval settings.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Advanced OSPF Virtual Link Properties


Configuration > Routing > Dynamic Routing > OSPF > Virtual Link > Add/Edit Virtual Link > Advanced OSPF Virtual Link Properties The Advanced OSPF Virtual Link Properties dialog box lets you configure OSPF authentication and packet intervals.
Fields

AuthenticationContains the OSPF authentication options.


NoneChoose this option to disable OSPF authentication. PasswordChoose this option to use clear text password authentication. This is not

recommended where security is a concern.


MD5Choose this option to use MD5 authentication (recommended).

Authentication PasswordContains the settings for entering the password when password authentication is enabled.
Enter PasswordEnter a text string of up to 8 characters. Re-enter PasswordReenter the password.

MD5 IDs and KeysContains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
Enter MD5 ID and KeyContains the settings for entering MD5 key information.

Key IDEnter a numerical key identifier. Valid values range from 1 to 255. KeyAn alphanumeric character string of up to 16 bytes.
AddAdds the specified MD5 key to the MD5 ID and Key table.

ASDM User Guide OL-10106-01

14-21

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

DeleteRemoves the selected MD5 key and ID from the MD5 ID and Key table. MD5 ID and KeyDisplays the configured MD5 keys and key IDs.

Key IDDisplays the key ID for the selected key. KeyDisplays the key for the selected key ID.

IntervalsContains the settings for modifying packet interval timing.


Hello IntervalSpecifies the interval, in seconds, between hello packets sent on an interface.

The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.
Retransmit IntervalSpecifies the time, in seconds, between LSA retransmissions for

adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.
Transmit DelaySpecifies the estimated time, in seconds, required to send an LSA packet on

the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is 1 second.
Dead IntervalSpecifies the interval, in seconds, in which no hello packets are received,

causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

RIP
Configuration > Routing > Dynamic Routing > RIP RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcasts with neighboring devices to dynamically learn about and advertise routes. The security appliance support both RIP version 1 and RIP version 2. RIP version 1 does not send the subnet mask with the routing update. RIP version 2 sends the subnet mask with the routing update and supports variable-length subnet masks. Additionally, RIP version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that the security appliance receives reliable routing information from a trusted source.

ASDM User Guide

14-22

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

You can have two OSPF routing processes and one RIP routing process running on the security appliance at the same time.
Limitations

RIP has the following limitations:


The security appliance cannot pass RIP updates between interfaces. RIP Version 1 does not support variable-length subnet masks. RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered unreachable. RIP convergence is relatively slow compared to other routing protocols. You can only enable a single RIP process on the security appliance.

RIP Version 2 Notes

The following information applies to RIP Version 2 only:


If using neighbor authentication, the authentication key and key ID must be the same on all neighbor devices that provide RIP version 2 updates to the interface. With RIP version 2, the security appliance transmits and receives default route updates using the multicast address 224.0.0.9. In passive mode, it receives route updates at that address. When RIP version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When a RIP version 2 configuration is removed from an interface, that multicast address is unregistered.

Global Setup
Configuration > Routing > Dynamic Routing > RIP >Global Setup Use the Global Setup pane to enable RIP on the security appliance and to configure global RIP protocol parameters. You can only enable a single RIP process on the security appliance.
Fields

Enable RIP RoutingCheck this check box to enable RIP routing on the security appliance. When you enable RIP, it is enabled on all interfaces. Checking this check box also enables the other fields on this pane. Uncheck this check box to disable RIP routing on the security appliance. Enable Auto-summarizationClear this check box to disable automatic route summarization. Check this check box to reenable automatic route summarization. RIP Version 1 always uses automatic summarization. You cannot disable automatic summarization for RIP Version 1. If you are using RIP Version 2, you can turn off automatic summarization by unchecking this check box. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised. Enable RIP versionCheck this check box to specify the vesion of RIP used by the security appliance. If this check boxis cleared, then the security appliance sends RIP Version 1 updates and accepts RIP Version 1 & Version 2 updates. This setting can be overridden on a per-interface basis in the Interface pane.
Version 1Specifies that the security appliance only sends and receives RIP Version 1 updates.

Any version 2 updates received are dropped.


Version 2Specifies that the security appliance only sends and receives RIP Version 2 updates.

Any version 1 updates received are dropped.

ASDM User Guide OL-10106-01

14-23

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Enable default information originateCheck this check box to generate a default route into the RIP routing process. You can configure a route map that must be satisfied before the default route can be generated.
Route-mapEnter the name of the route map to apply. The routing process generates the

default route if the route map is satisfied.

IP Network to AddDefines a network for the RIP routing process. The network number specified must not contain any subnet information. There is no limit to the number of network you can add to the security appliance configuration. RIP routing updates will be sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP updates.
AddClick this button to add the specified network to the list of networks. DeleteClick this button to removed the selected network from the list of networks.

Configure interfaces as passive globallyCheck this check box to set all interfaces on the security appliance to passive RIP mode. The security appliance listens for RIP routing broadcasts on all interfaces and uses that information to populate the routing tables but do not broadcast routing updates. To set specific interfaces to passive RIP, use the Passive Interfaces table. Passive Interfaces tableLists the configured interfaces on the security appliance. Check the check box in the Passive column for those interfaces you want to operate in passive mode. The other interfaces will still send and receive RIP broadcasts.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Interface
Configuration > Routing > Dynamic Routing > RIP > Interface The Interface pane allows you to configure interface-specific RIP settings, such as the version of RIP the interface sends and receives and the authentication method, if any, used for the RIP broadcasts.
Fields

Interface table(Display only) Each row displays the interface-specific RIP settings for an interface. Double-clicking a row for that entry opens the Edit RIP Interface Entry dialog box for that interface. EditOpens the Edit RIP Interface Entry dialog box for the interface selected in the Interface table.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

14-24

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit RIP Interface Entry


Configuration > Routing > Dynamic Routing > RIP > Interface > Edit RIP Interface Entry The Edit RIP Interface Entry dialog box allows you to configurethe interface-specific RIP settings.
Fields

Override Global Send VersionCheck this check box to specify the RIP version sent by the interface. You can select the following options:
Version 1 Version 2 Version 1 & 2

Unchecking this check box restores the global setting.

Override Global Receive VersionCheck this check box to specify the RIP version accepted by the interface. If a RIP updated from an unsuppored version of RIP is received by the interface, it is dropped. You can select the following options:
Version 1 Version 2 Version 1 & 2

Unchecking this check box restores the global setting.

Enable AuthenticationCheck this check box to enable RIP authentication. Uncheck this check box to disable RIP broadcast authentication.
KeyThe key used by the authentication method. Can conting up to 16 characters. Key IDThe key ID. Valid values are from 0 to 255. Authentication ModeYou can select the following authentication modes:

MD5Uses MD5 for RIP message authentication. TextUses cleartext for RIP message authentication (not recommended).
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

14-25

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Filter Rules
Configuration > Routing > Dynamic Routing > RIP > Filter Rules Filter rules allow you to filter the network received in RIP routing updates or sent in RIP routing updates. Each filter rule consists of one or more network rules.
Fields

Filter Rules tableDisplays the configured RIP filter rules. AddClicling this button opens the Add/Edit Filter Rule dialog box. The new filter rule is added to the bottom of the list. EditClicking this button opens the Add/Edit Filter Rule dialog box for the selected filter rule. DeleteClicking this button deletes the selected filter rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Filter Rule


Configuration > Routing > Dynamic Routing > RIP > Filter Rules > Add/Edit Fitler Rule Use the Add/Edit Filter Rule pane to create filter rules. You can create filter rules that apply to all interfaces or that apply to a specific interface.
Fields

DirectionSelect one of the following directions for the filter to act upon:
InFilters networks on incoming RIP updates. OutFilters networks from outgoing RIP updates.

InterfaceYou can select a specific interface for the filter rule, or you can select the All Interfaces option to apply the filter to all interfaces. Action(Display only) Displays Permit if the specified network is not filtered from incoming or outgoing RIP advertisements. Displays Deny if the specified network is to be filtered from incoming or outgoing RIP advertisements. IP Address(Display only) Displays the IP address of the network being filtered. Netmask(Display only) Displays the network mask applied to the IP address. InsertClick this button to add a network rule above the selected rule in the list. Clicking this button opens the Network Rule dialog box. EditClick this button to edit the selected rule. Clicking this button opens the Network Rule dialog box. AddClick this button to add a network rule below the selected rule in the list. Clicking this button opens the Network Rule dialog box.

ASDM User Guide

14-26

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Dynamic Routing

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Network Rule
Configuration > Routing > Dynamic Routing > RIP > Filter Rules > Add/Edit Fitler Rule > Network Rule The Network Rule pane allows you to configure permit and deny rules for specific networks in a filter rule.
Fields

ActionSelect Permit to allow the specified network to be advertised in RIP updates or accepted into the RIP routing process. Select Deny to prevent the specified network from being advertised in RIP updates or accepted into the RIP routing process. IP AddressType IP address of the network being permitted or denied. NetmaskSpecify the network mask applied to the network IP address. You can type a network mask into this field or select one of the common masks from the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Route Redistribution
Configuration > Routing > Dynamic Routing > RIP > Route Redistribution The Route Redistribution pane displays the routes that are being redistributed from other routing processes into the RIP routing process.
Fields

Protocol(Display only) Displays the routing protocol being redistributed into the RIP routing process:
StaticStatic routes. ConnectedDirectly connected networks. OSPFNetworks discovered by the specified OSPF routing process.

MetricThe RIP metric being applied to the redistributed routes.

ASDM User Guide OL-10106-01

14-27

Chapter 14 Dynamic Routing

Configuring Dynamic And Static Routing

Match(Display only) Displays the type of OSPF routes being redistributed into the RIP routing process. If the Match column is blank for an OSPF redistribution rule, Internal, External 1, and External 2 routes are redistributed into the RIP routing process. Route Map(Display only) Displays the name of the route map, if any, being applied to the redistribution. Route maps are used to specify with greater detail which routes from the specified routing process are redistributed into RIP.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Route Redistribution


Configuration > Routing > Dynamic Routing > RIP > Route Redistribution > Add/Edit Route Redistribution Use the Add Route Redistribution dialog box to add a new redistribution rule. Use the Edit Route Redistribution dialog box to change an existing rule.
Fields

ProtocolChoose the routing protocol to redistribute into the RIP routing process:
StaticStatic routes. ConnectedDirectly connected networks. OSPF and OSPF IDRoutes discovered by the OSPF routing process. If you choose OSPF, you

must also enter the OSPF process ID. Additionally, you can select the specific types of OSPF routes to redistribute from the Match area.

Route MapSpecifies the name of a route map that must be satisfied before the route can be redistributed into the RIP routing process. Configure Metric TypeCheck this checkbox to specify a metric for the redistributed routes. If not specified, the routes are assigned a metric of 0.
TransparentChoose this option ValueChoose this to assign a specific metric value. You can enter a value from 0 to 16.

MatchIf you are redistributing OSPF routes into the RIP routing process, you can choose specific types of OSPF routes to redistribute by checking the check box next to the route type. If you do not check any route types, Internal, External 1, and External 2 routes are redistributed by default.
InternalRoutes internal to the AS are redistributed. External 1Type 1 routes external to the AS are redistribued. External 2Type 2 routes external to the AS are redistributed. NSSA External 1Type 1 routes external to an NSSA are redistributed. NSSA External 2Type 2 routes external to an NSSA are redistributed.

ASDM User Guide

14-28

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Static Routes

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Static Routes
Multiple context mode does not support dynamic routing, so you must define static routes for any networks to which the security appliance is not directly connected. In transparent firewall mode, for traffic that originates on the security appliance and is destined for a non-directly connected network, you need to configure either a default route or static routes so the security appliance knows out of which interface to send traffic. Traffic that originates on the security appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. The simplest option is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is on the outside interface, the default route cannot direct traffic to any inside networks that are not directly connected to the security appliance. You can also use static route in conjunction with dynamic routing protocols to provide a floating static route that is used when the dynamically discovered route goes down. If you create a static route with an administrative distance greater than the administrative distance of the dynamic routing protocol, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table. Static routes remain in the routing table even if the specified gateway becomes unavailable (see Static Route Tracking, page 14-30, for the exception to this). If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the associated interface on the security appliance goes down. They are reinstated when the interface comes back up. You can define up to three equal cost routes to the same destination per interface. ECMP is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses. The default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route. You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.

ASDM User Guide OL-10106-01

14-29

Chapter 14 Static Routes

Configuring Dynamic And Static Routing

If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, youwill receive an error message. You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all encrypted traffic that arrives on the security appliance and that cannot be routed using learned or static routes is sent to this route. Otherwise, if the traffic is not encrypted, the standard default route entry is used. You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported. For more information about viewing and configuring static and default routes with ASDM, see Field Information for Static Routes, page 14-31.

Static Route Tracking


It is not always possible to use dynamic routing protocols on the security appliance, such as when the security appliance is in multiple context mode or transparent mode. In these cases, you must use static routes. One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway goes down. They are only removed from the routing table if the associated interface on the security appliance goes down. The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. This allows you to, for example, define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable. The security appliance does this by associating a static route with a monitoring target that you define. It monitors the target using ICMP echo requests. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route. When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests. The target can be any network object that responds to ICMP echo requests. Consider choosing:

the ISP gateway (for dual ISP support) address the next hop gateway address (if you are concerned about the availability of the gateway) a server, such as a AAA server, that the security appliance needs to communicate with a persistent network object on the destination network (a desktop or notebook computer that may be shut down at night is not a good choice)

For more information about configuring static route tracking, see Configuring Static Route Tracking, page 14-30. To monitor the static route tracking process, see interface connection, page 40-9.

Configuring Static Route Tracking


This procedure provides an overview of configuring static route tracking. For specific information about the various fields used to configure this feature, see Field Information for Static Routes, page 14-31 To configure tracking for a static route, perform these steps:
Step 1 Step 2

Choose a target of interest. Make sure the target responds to echo requests. Open the Static Routes page. Go to Configuration > Routing > Static Routes.

ASDM User Guide

14-30

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Static Routes

Step 3

Click Add to configure a static route that is to be used based on the availability of your selected target of interest. You must enter the Interface, IP Address, Mask, Gateway, and Metric for this route. See Add/Edit Static Route, page 14-32, for more information about these fields. Choose Tracked in the Options area for this route. Configure the tracking properties. You must enter a unique Track ID, a unique SLA ID, and the IP address of your target of interest. See Add/Edit Static Route, page 14-32, for more information about these fields. (Optional) To configure the monitoring properties, click Monitoring Options in the Add Static Route dialog box. See Route Monitoring Options, page 14-33, for more information about the monitoring properties. Click OK to save your changes. The monitoring process begins as soon as you save the tracked route.

Step 4 Step 5

Step 6

Step 7

Step 8

Create a secondary route. The secondary route is a static route to the same destination as the tracked route, but through a different interface or gateway. You must assign this route a higher administrative distance (metric) than your tracked route.

Field Information for Static Routes


For information about a specific pane, see the following topics:

Static Routes, page 14-31 Add/Edit Static Route, page 14-32 Route Monitoring Options, page 14-33

Static Routes
Configuration > Routing > Dynamic Routing > Static Routes The Static Route pane lets you create static routes that will access networks connected to a router on any interface. To enter a default route, set the IP address and mask to 0.0.0.0, or the shortened form of 0. If an IP address from one security appliance interface is used as the gateway IP address, the security appliance will ARP the designated IP address in the packet instead of ARPing the gateway IP address. Leave the Metric at the default of 1 unless you are sure of the number of hops to the gateway router.
Fields

The Static Route pane shows the Static Route table:


Interface(Display only) Lists the internal or external network interface name enabled in Interfaces. IP Address(Display only) Lists the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0. Netmask(Display only) Lists the network mask address that applies to the IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0. Gateway IP(Display only) Lists the IP address of the gateway router, which is the next hop address for this route.

ASDM User Guide OL-10106-01

14-31

Chapter 14 Static Routes

Configuring Dynamic And Static Routing

Metric(Display only) Lists the administrative distance of the route. The default is 1 if a metric is not specified. Options(Display only) Displays any options specified for thestatic route.
NoneNo options are specified for the static route. TunneledSpecifies route as the default tunnel gateway for VPN traffic. Used only for default

route. You can only configure one tunneled route per device. The tunneled option is not supported under transparent mode.
TrackedSpecifies that the route is tracked. The tracking object ID and the address of the

tracking target are also displayed. The tracked option is only supported in single, routed mode.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Static Route


Configuration >Routing > Static Routes > Add/Edit Static Route Startup Wizard > Static Routes >Add/Edit Static Route Use the Add/Edit Static Route dialog box to configure the static route properties. This dialog box is availble from both the Static Routes screen in the Startup Wizard and the Configuration > Routing > Static Route pane.
Fields

Interface NameSelect the egress interface for the route. IP AddressSpecifies the internal or external network IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0. MaskSpecifies the network mask address that applies to the IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0. Gateway IPSpecifies the IP address of the gateway router, which is the next hop address for this router. MetricLets you specify the the administrative distance of the route. The default is 1 if a metric is not specified.

The following options are available for static routes. You can select only one of these options for a static route. By default, no option (None) is selected.

NoneNo options are specified for the static route. TunneledUsed only for default route. Only one default tunneled gateway is allowed per security appliance. Tunneled option is not supported under transparent mode. TrackedSelect this option to specify that the route is tracked. Specifying this option starts the route tracking process.
Track IDA unique identifier for the route tracking process.

ASDM User Guide

14-32

OL-10106-01

Chapter 14

Configuring Dynamic And Static Routing Static Routes

Track IP Address/DNS NameEnter the IP address or hostname of the target being tracked.

Typically, this would be the IP address of the next hop gateway for the route, but it could be any network object available off of that interface.
SLA IDA unique identifier for the SLA monitoring process. Monitor OptionsClick this button to open the Route Monitoring Options dialog box. In the

Route Monitoring Options dialog box you can configure the parameters of the tracked object monitoring process.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Route Monitoring Options


Configuration > Routing > Static Routes > Add/Edit Static Route > Route Monitoring Options Use the Route Monitoring Options dialog box to change the tracking object monitoring properties.
Fields

FrequencyEnter how often, in seconds, the security appliance should test for the presence of the tracking target. The default value is 60 seconds. Valid values are from 1 to 604800 seconds. ThresholdEnter the amount of time, in milliseconds, that indicates an over-threshold event. This value cannot be more than the timeout value. TimeoutEnter the amount of time, in milliseconds, the route monitoring operation should wait for a response from the request packets. The default value is 5000 milliseconds. Valid values are from 0 to 604800000 milliseconds. Data SizeEnter the size of data payload to use in the echo request packets. The default value is 28. Valid values are from 0 to 16384.

Note

This setting specifies the size of the payload only; it does not specify the size of the entire packet.

ToSEnter a value for the type of service byte in the IP header of the echo request. The default value is 0. Valid values are from 0 to 255. Number of PacketsThe number of echo requests to send for each test. The default value is 1. Valid values are from 1 to 100.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

14-33

Chapter 14 Proxy ARPs

Configuring Dynamic And Static Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Proxy ARPs
Configuration > Routing > Proxy ARPs In rare circumstances, you might want to disable proxy ARP for global addresses. When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking Who is this IP address? The device owning the IP address replies, I own that IP address; here is my MAC address. Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses.
Fields

InterfaceLists the interface names. Proxy ARP EnabledShows whether proxy ARP is enabled or disabled for NAT global addresses, Yes or No. EnableEnables proxy ARP for the selected interface. By default, proxy ARP is enabled for all interfaces. DisableDisables proxy ARP for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

14-34

OL-10106-01

C H A P T E R

15

Configuring Multicast Routing


Configuration > Routing > Multicast The Multicast panelets you enable multicast routing on the security appliance. Enabling multicast routing enables IGMP and PIM on all interfaces by default. IGMP is used to learn whether members of a group are present on directly attached subnets. Hosts join multicast groups by sending IGMP report messages. PIM is used to maintain forwarding tables to forward multicast datagrams.
Fields

Enable Multicast RoutingCheck this check box to enable IP multicast routing on the security appliance. Uncheck this check box to disable IP multicast routing. By default, multicast is disabled. Enabling multicast enables multicast on all interfaces. You can disable multicast on a per-interface basis.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IGMP
IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses group address (Class D IP addresses). Host group addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet. For more information about configuring IGMP on the security appliance, see the following:

Access Group Join Group Protocol Static Group

ASDM User Guide OL-10106-01

15-1

Chapter 15 IGMP

Configuring Multicast Routing

Access Group
Configuration > Routing > Multicast > IGMP > Access Group Access groups control the multicast groups that are allowed on an interface.
Fields

Access GroupsDisplays the access groups defined for each interface. The table entries are processed from the top down. Place more specific entries near the top of the table and more generic entries further down. For example, place an access group entry that permits a specific multicast group near the top of the table and an access group entry below that denies a range of multicast groups, including the group in the permit rule. The group is permitted because the permit rule is enforced before the deny rule. Double-clicking an entry in the table opens the Add/Edit Access Group dialog box for the selected entry.
InterfaceDisplays the interface the access group is associated with. ActionDisplays Permit if the multicast group address is permitted by the access rule.

Displays Deny if the multicast group address is denied by the access rule.
Multicast Group AddressDisplays the multicast group address that the access rule applies to. NetmaskDisplays the network mask for the multicast group address.

Insert BeforeOpens the Add/Edit Access Group dialog box. Use this button to add a new access group entry before the selected entry in the table. Insert AfterOpens the Add/Edit Access Group dialog box. Use this button to add a new access group entry after the selected entry in the table. AddOpens the Add/Edit Access Group dialog box. Use this button to add a new access group entry at the bottom of the table. EditOpens the Add/Edit Access Group dialog box. Use this button to change the information for the selected access group entry. DeleteRemoves the selected access group entry from the table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Access Group


Configuration > Routing > Multicast > IGMP > Access Group > Add/Edit Access Group The Add Access Group dialog box lets you add a new access group to the Access Group Table. The Edit Access Group dialog box lets you change information for an existing access group entry. Some fields may be locked when editing existing entries.

ASDM User Guide

15-2

OL-10106-01

Chapter 15

Configuring Multicast Routing IGMP

Fields
InterfaceChoose the interface the access group is associated with. You cannot change the

associated interface when you are editing an existing access group.


ActionChoose permit to allow the multicast group on the selected interface. Choose deny

to filter the multicast group from the selected interface.


Multicast Group AddressEnter the address of the multicast group the access group applies to. NetmaskEnter the network mask for the multicast group address or choose one of the

common network masks from the list.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Join Group
Configuration > Routing > Multicast > IGMP > Join Group You can configure the security appliance to be a member of a multicast group. The Join Group pane displays the multicast groups the security appliance is a member of.

Note

If you simply want to forward multicast packets for a specific group to an interface without the security appliance accepting those packets as part of the group, see Static Group.
Fields

Join GroupDisplays the multicast group membership for each interface.


InterfaceDisplays the name of the security appliance interface. Multicast Group AddressDisplays the address of a multicast group that the interface belongs

to.

AddOpens the Add/Edit IGMP Join Group dialog box. Use this button to add a new multicast group membership to an interface. EditOpens the Add/Edit IGMP Join Group dialog box. Use this button to edit an existing multicast group membership entry.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

15-3

Chapter 15 IGMP

Configuring Multicast Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit IGMP Join Group


Configuration > Routing > Multicast > IGMP > Join Group > Add/Edit IGMP Join Group Use the Add IGMP Join Group dialog box to configure an interface to be a member of a multicast group. Use the Edit IGMP Join Group dialog box to change existing membership information.
Fields

InterfaceChoose the name of the security appliance interface that you are configuring multicast group membership for. If you are editing an existing entry, you cannot change this value. Multicast Group AddressEnter the address of a multicast group in this field. The group address must be from 224.0.0.0 to 239.255.255.255.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Protocol
Configuration > Routing > Multicast > IGMP > Protocol The Protocol pane displays the IGMP parameters for each interface on the security appliance.
Fields

ProtocolDisplays the IGMP parameters set on each interface. Double-clicking a row in the table opens the Configure IGMP Parameters dialog box for the selected interface.
InterfaceDisplays the name of the interface. EnabledDisplays Yes if IGMP is enabled on the interface. Displays No if IGMP is

disabled on the interface.


VersionDisplays the version of IGMP enabled on the interface. Query IntervalDisplays the interval, in seconds, at which the designated router sends IGMP

host-query messages.
Query TimeoutDisplays the period of time before which the security appliance takes over as

the querier for the interface after the previous querier has stopped doing so.

ASDM User Guide

15-4

OL-10106-01

Chapter 15

Configuring Multicast Routing IGMP

Response TimeDisplays the maximum response time, in seconds, advertised in IGMP

queries. Changes to this setting are valid only for IGMP Version 2.
Group LimitDisplays the maximum number of groups permitted on an interface. Forward InterfaceDisplays the name of the interface that the selected interface forwards

IGMP host reports to.

EditOpens the Configure IGMP Parameters dialog box for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Configure IGMP Parameters


Configuration > Routing > Multicast > IGMP > Protocol > Configure IGMP Parameters The Configure IGMP Parameters dialog box lets you disable IGMP and change IGMP parameters on the selected interface.
Fields

InterfaceDisplays the name of the interface being configured. You cannot change the information displayed in this field. Enable IGMPCheck this check box to enable IGMP on the interface. Uncheck the check box to disable IGMP on the interface. If you enabled multicast routing on the security appliance, then IGMP is enabled by default. VersionChoose the version of IGMP to enable on the interface. Choose 1 to enable IGMP Version 1, or 2 to enable IGMP Version 2. Some feature require IGMP Version 2. By default, the security appliance uses IGMP Version 2. Query IntervalEnter the interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds. Query TimeoutEnter the period of time, in seconds, before which the security appliance takes over as the querier for the interface after the previous querier has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds. Response TimeEnter the maximum response time, in seconds, advertised in IGMP queries. If the security appliance does not receive any host reports within the designated response time, the IGMP group is pruned. Decreasing this value lets the security appliance prune groups faster. Valid values range from 1 to 12 seconds. The default value is 10 seconds. Changing this value is only valid only for IGMP Version 2. Group LimitEnter the maximum number of host that can join on an interface. Valid values range from 1 to 500. The default value is 500. Forward InterfaceChoose the name of an interface to forward IGMP host reports to. Choose None to disable host report forwarding. By default, host reports are not forwarded.

ASDM User Guide OL-10106-01

15-5

Chapter 15 IGMP

Configuring Multicast Routing

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Static Group
Configuration > Routing > Multicast > IGMP > Static Group Sometimes, hosts on a network may have a configuration that prevents them from answering IGMP queries. However, you still want multicast traffic to be forwarded to that network segment. There are two methods to pull multicast traffic down to a network segment:

Use the Join Group pane to configure the interface as a member of the multicast group. With this method, the security appliance accepts the multicast packets in addition to forwarding them to the specified interface. Use the Static Group pane configure the security appliance to be a statically connected member of a group. With this method, the security appliance does not accept the packets itself, but only forwards them. Therefore, this method allows fast switching. The outgoing interface appears in the IGMP cache, but itself is not a member of the multicast group.

Fields

Static GroupDisplays the statically assigned multicast groups for each interface.
InterfaceDisplays the name of the security appliance interface. Multicast Group AddressDisplays the address of a multicast group assigned to the the

interface.

AddOpens the Add/Edit IGMP Static Group dialog box. Use this button to assign a new static group to an interface. EditOpens the Add/Edit IGMP Static Group dialog box. Use this button to edit an existing static group membership.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit IGMP Static Group


Configuration > Routing > Multicast > IGMP > Static Group > Add/Edit IGMP Static Group

ASDM User Guide

15-6

OL-10106-01

Chapter 15

Configuring Multicast Routing Multicast Route

Use the Add IGMP Static Group dialog box to statically assign a multicast group to an interface. Use the Edit IGMP Static Group dialog box to change existing static group assignments.
Fields

InterfaceChoose the name of the security appliance interface that you are configuring a multicast group for. If you are editing an existing entry, you cannot change this value. Multicast Group AddressEnter the address of a multicast group in this field. The group address must be from 224.0.0.0 to 239.255.255.255.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Multicast Route
Configuration > Routing > Multicast > MRoute Defining static multicast routes lets you separate multicast traffic from unicast traffic. For example, when a path between a source and destination does not support multicast routing, the solution is to configure two multicast devices with a GRE tunnel between them and to send the multicast packets over the tunnel. Static multicast routes are local to the security appliance and are not advertised or redistributed.
Fields

Multicast RouteDisplays the statically-defined multicast routes on the security appliance. Double-clicking an entry in the table opens the Add/Edit Multicast Route dialog box for that entry.
Source AddressDisplays the IP address and mask, in CIDR notation, of the multicast source. Source InterfaceDisplays the incoming interface for the multicast route. Destination InterfaceDisplays the outgoing interface for the multicast route. Admin DistanceDisplays the administrative distance of the static multicast route.

AddOpens the Add/Edit Multicast Route dialog box. Use this button to add a new static route. EditOpens the Add/Edit Multicast Route dialog box. Use this button to change the selected static multicast route. DeleteUse this button to remove the selected static route.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

15-7

Chapter 15 PIM

Configuring Multicast Routing

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Multicast Route


Configuration > Routing > Multicast > MRoute > Add/Edit Multicast Route Use the Add Multicast Route dialog box to add a new static multicast route to the security appliance. Use the Edit Multicast Route dialog box to change an existing static multicast route.
Fields

Source AddressEnter the IP address of the multicast source. You cannot change this value when editing an exiting static multicast route. Source MaskEnter the network mask for the IP address of the multicast source or chose a common mask from the list. You cannot change this value when editing an exiting static multicast route. Source InterfaceChoose the incoming interface for the multicast route. Destination Interface(Optional) Choose the outgoing interface for the multicast route. If you specify the destination interface, the route is forwarded through the selected interface. If you do not choose a destination interface, then RPF is used to forward the route. Admin DistanceEnter the administrative distance of the static multicast route. If the static multicast route has the same administrative distance as the unicast route, then the static multicast route takes precedence.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

PIM
Routers use PIM to maintaining forwarding tables for forwarding multicast datagrams. When you enable multicast routing on the security appliance, PIM is enabled on all interfaces by default. You can disable PIM on a per-interface basis. For more information about configuring PIM, see the following:

Protocol Rendezvous Points Route Tree

ASDM User Guide

15-8

OL-10106-01

Chapter 15

Configuring Multicast Routing PIM

Request Filter

Protocol
Configuration > Routing > Multicast > PIM > Protocol The Protocol pane displays the interface-specific PIM properties.
Fields

ProtocolDisplays the PIM settings for each interface. Double-clicking an entry in the table opens the Edit PIM Protocol dialog box for that entry.
InterfaceDisplays the name of the security appliance interfaces. PIM EnabledDisplays Yes if PIM is enabled on the interface, No if PIM is not enabled. DR PriorityDisplays the interface priority. Hello IntervalDisplays the frequency, in seconds, at which the interface sends PIM hello

messages.
Join-Prune IntervalDisplays the frequency, in seconds, at which the interface sends PIM join

and prune advertisements.

EditOpens the Edit PIM Protocol dialog box for the selected entry.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit PIM Protocol


Configuration > Routing > Multicast > PIM > Protocol > Edit PIM Protocol The Edit PIM Protocol dialog box lets you change the PIM properties for the selected interface.
Fields

InterfaceDisplay only. Displays the name of the selected interface. You cannot edit this value. PIM EnabledCheck this check box to enable PIM on the selected interface. Uncheck this check box to disable PIM on the selected interface. DR PrioritySets the designated router priority for the selected interface. The router with the highest DR priority on subnet becomes the designated router. Valid values range from 0 to 4294967294. The default DR priority is 1. Setting this value to 0 makes the security appliance interface ineligible to become the default router. Hello IntervalEnter the frequency, in seconds, at which the interface sends PIM hello messages. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.

ASDM User Guide OL-10106-01

15-9

Chapter 15 PIM

Configuring Multicast Routing

Join-Prune IntervalEnter the frequency, in seconds, at which the interface sends PIM join and prune advertisements. Valid values range from 10 to 600 seconds. The default value is 60 seconds.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Rendezvous Points
Configuration > Routing > Multicast > PIM > Rendezvous Points When you configure PIM, you must choose one or more routers to operate as the RP. An RP is a single, common root of a shared distribution tree and is statically configured on each router. First hop routers use the RP to send register packets on behalf of the source multicast hosts. You can configure a single RP to serve more than one group. If a specific group is not specified, the RP for the group is applied to the entire IP multicast group range (224.0.0.0/4). You can configure more than one RP, but you cannot have more than one entry with the same RP.
Fields

Generate IOS compatible register messagesCheck this check box if your RP is a Cisco IOS router. The security appliance software accepts register messages with the checksum on the PIM header and only the next 4 bytes rather than using the Cisco IOS software methodaccepting register messages with the checksum on the entire PIM message for all PIM message types. Rendezvous PointsDisplays the RPs configured on the security appliance.
Rendezvous PointDisplays the IP address of the RP. Multicast GroupsDisplays the multicast groups associated with the RP. Displays --All

Groups-- if the RP is associated with all multicast groups on the interface.


Bi-directionalDisplays Yes if the specified multicast groups are to operate in bidirectional

mode. Displays No if the specified groups are to operate in sparse mode.


AddOpens the Add/Edit Rendezvous Point dialog box. Use this button to add a new RP entry. EditOpens the Add/Edit Rendezvous Point dialog box. Use this button to change an existing RP entry. DeleteRemoves the selected RP entry from the Rendezvous Point table.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

15-10

OL-10106-01

Chapter 15

Configuring Multicast Routing PIM

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Rendezvous Point


Configuration > Routing > Multicast > PIM > Rendezvous Points >Add/Edit Rendezvous Point The Add Rendezvous Point dialog box lets you add a new entry to the Rendezvous Point table. The Edit Rendezvous Point dialog box lets you change an existing RP entry.
Restrictions

You cannot use the same RP address twice. You cannot specify All Groups for more than one RP.

Fields

Rendezvous Point IP AddressEnter the IP address of the RP. This is a unicast address. When editing an existing RP entry, you cannot change this value. Use bi-directional forwardingCheck this check box if you want the specified multicast groups to operation in bidirectional mode. In bidirectional mode, if the security appliance receives a multicast packet and has no directly connected members or PIM neighbors present, it sends a Prune message back to the source. Uncheck this check box if you want the specified multicast groups to operate in sparse mode.

Note

The security appliance always advertises the bidir capability in the PIM hello messages regardless of the actual bidir configuration. Use this RP for All Multicast GroupsChoose this option to use the specified RP for all multicast groups on the interface. Use this RP for the Multicast Groups as specified belowChoose this option to designate the multicast groups to use with specified RP. Multicast GroupsDisplays the multicast groups associated with the specified RP. The table entries are processed from the top down. You can create an RP entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements. Double-click an entry to open the Multicast Group dialog box for the selected entry.
ActionDisplays Permit if the multicast group is included or deny if the multicast group

is excluded.
Multicast Group AddressDisplays the address of the multicast group. NetmaskDisplays the network mask of the multicast group address.

Insert BeforeOpens the Multicast Group dialog box. Use this button to add a new multicast group entry before the selected entry in the table.

ASDM User Guide OL-10106-01

15-11

Chapter 15 PIM

Configuring Multicast Routing

Insert AfterOpens the Multicast Group dialog box. Use this button to add a new multicast group entry after the selected entry in the table. AddOpens the Multicast Group dialog box. Use this button to add a new multicast group entry at the bottom of the table. EditOpens the Multicast Group dialog box. Use this button to change the information for the selected multicast group entry. DeleteRemoves the selected multicast group entry from the table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Multicast Group
Configuration > Routing > Multicast > PIM > Rendezvous Points > Add/Edit Rendezvous Point > Multicast Group (You can get to this dialog through various paths.) Multicast groups are lists of access rules that define which multicast addresses are part of the group. A multicast group can contain a single multicast address or a range of multicast addresses. Use the Add Multicast Group dialog box to create a new multicast group rule. Use the Edit Multicast Group dialog box to modify an existing multicast group rule.
Fields

ActionChoose Permit to create a group rule that allows the specified multicast addresses; choose Deny to create a group rule that filters the specified multicast addresses. Multicast Group AddressEnter the multicast address associated with the group. NetmaskEnter or choose the network mask for the multicast group address.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Request Filter
Configuration > Routing > Multicast > PIM > Request Filter

ASDM User Guide

15-12

OL-10106-01

Chapter 15

Configuring Multicast Routing PIM

When the security appliance is acting as an RP, you can restrict specific multicast sources from registering with it. This prevents unauthorized sources from registering with the RP. The Request Filter pane lets you define the multicast sources from which the security appliance will accept PIM register messages.
Fields

Multicast GroupsDisplays the request filter access rules. The table entries are processed from the top down. You can create an entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements. Double-click an entry to open the Request Filter Entry dialog box for the selected entry.
ActionDisplays Permit if the multicast source is allowed to register or deny if the

multicast source is excluded.


SourceDisplays the address of the source of the register message. DestinationDisplays the multicast destination address.

Insert BeforeOpens the Request Filter Entry dialog box. Use this button to add a new multicast group entry before the selected entry in the table. Insert AfterOpens the Request Filter Entry dialog box. Use this button to add a new multicast group entry after the selected entry in the table. AddOpens the Request Filter Entry dialog box. Use this button to add a new multicast group entry at the bottom of the table. EditOpens the Request Filter Entry dialog box. Use this button to change the information for the selected multicast group entry. DeleteRemoves the selected multicast group entry from the table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Request Filter Entry


Configuration > Routing > Multicast > PIM > Request Filter > Request Filter Entry The Request Filter Entry dialog box lets you define the multicast sources that are allowed to register with the security appliance when the security appliance acts as an RP. You create the filter rules based on the source IP address and the destination multicast address.
Fields

ActionChoose Permit to create a rule that allows the specified source of the specified multicast traffic to register with the security appliance; choose Deny to create a rule that prevents the specified source of the specified multicast traffic from registering with the security appliance.

ASDM User Guide OL-10106-01

15-13

Chapter 15 PIM

Configuring Multicast Routing

Source IP AddressEnter the IP address for the source of the register message. Source NetmaskEnter or choose the network mask for the source of the register message. Destination IP AddressEnter the multicast destination address. Destination NetmaskEnter or choose the network mask for the multicast destination address.

Modes

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Route Tree
Configuration > Routing > Multicast > PIM > Route Tree By default, PIM leaf routers join the shortest-path tree immediately after the first packet arrives from a new source. This reduces delay, but requires more memory than shared tree. You can configure whether the security appliance should join shortest-path tree or use shared tree, either for all multicast groups or only for specific multicast addresses.
Fields

Use Shortest Path Tree for All GroupsChoose this option to use shortest-path tree for all multicast groups. Use Shared Tree for All GroupsChoose this option to use shared tree for all multicast groups. Use Shared Tree for the Groups specified belowChoose this option to use shared tree for the groups specified in the Multicast Groups table. Shortest-path tree is used for any group not specified in the Multicast Groups table. Multicast GroupsDisplays the multicast groups to use Shared Tree with. The table entries are processed from the top down. You can create an entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements. Double-click an entry to open the Multicast Group dialog box for the selected entry.
ActionDisplays Permit if the multicast group is included or deny if the multicast group

is excluded.
Multicast Group AddressDisplays the address of the multicast group. NetmaskDisplays the network mask of the multicast group address.

Insert BeforeOpens the Multicast Group dialog box. Use this button to add a new multicast group entry before the selected entry in the table. Insert AfterOpens the Multicast Group dialog box. Use this button to add a new multicast group entry after the selected entry in the table. AddOpens the Multicast Group dialog box. Use this button to add a new multicast group entry at the bottom of the table.

ASDM User Guide

15-14

OL-10106-01

Chapter 15

Configuring Multicast Routing PIM

EditOpens the Multicast Group dialog box. Use this button to change the information for the selected multicast group entry. DeleteRemoves the selected multicast group entry from the table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

15-15

Chapter 15 PIM

Configuring Multicast Routing

ASDM User Guide

15-16

OL-10106-01

C H A P T E R

16

Firewall Mode Overview


This chapter describes how the firewall works in each firewall mode. To set the mode at the CLI, see the Setting Transparent or Routed Firewall Mode at the CLI section on page 2-5. The security appliance can run in two firewall modes:

Routed mode Transparent mode

In routed mode, the security appliance is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or passive RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts. In transparent mode, the security appliance acts like a bump in the wire, or a stealth firewall, and is not a router hop. The security appliance connects the same network on its inside and outside interfaces. No dynamic routing protocols or NAT are used. However, like routed mode, transparent mode also requires access lists to allow any traffic through the security appliance, except for ARP packets, which are allowed automatically. Transparent mode can allow certain types of traffic in an access list that are blocked by routed mode, including unsupported routing protocols. Transparent mode can also optionally use EtherType access lists to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface, in addition to a dedicated management interface, if available for your platform.

Note

In transparent firewall mode, you do not set the IP address for each interface, but rather for the whole security appliance or context. (The exception is for the Management 0/0 management-only interface, for which you can set an IP address; this interface does not pass through traffic.) The security appliance uses the overall management IP address as the source address for packets originating on the security appliance. The management IP address must be on the same subnet as the connected network. This chapter includes the following sections:

Routed Mode Overview, page 16-1 Transparent Mode Overview, page 16-8

Routed Mode Overview


IP Routing Support, page 16-2 Network Address Translation, page 16-2

ASDM User Guide OL-10106-01

16-1

Chapter 16 Routed Mode Overview

Firewall Mode Overview

How Data Moves Through the Security Appliance in Routed Firewall Mode, page 16-3

IP Routing Support
The security appliance acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP (in passive mode). Multiple context mode supports static routes only. We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the security appliance for extensive routing needs.

Network Address Translation


NAT substitutes the local address on a packet with a global address that is routable on the destination network. By default, NAT is not required. If you want to enforce a NAT policy that requires hosts on a higher security interface (inside) to use NAT when communicating with a lower security interface (outside), you can enable NAT control (see the nat-control command).

Note

NAT control was the default behavior for software versions earlier than Version 7.0. If you upgrade a security appliance from an earlier version, then the nat-control command is automatically added to your configuration to maintain the expected behavior. Some of the benefits of NAT include the following:

You can use private addresses on your inside networks. Private addresses are not routable on the Internet. NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host. NAT can resolve IP routing problems by supporting overlapping IP addresses.

Figure 16-1 shows a typical NAT scenario, with a private network on the inside. When the inside user sends a packet to a web server on the Internet, the local source address of the packet is changed to a routable global address. When the web server responds, it sends the response to the global address, and the security appliance receives the packet. The security appliance then translates the global address to the local address before sending it on to the user.

ASDM User Guide

16-2

OL-10106-01

Chapter 16

Firewall Mode Overview Routed Mode Overview

Figure 16-1

NAT Example

Web Server www.example.com

Outside 209.165.201.2 Originating Packet Source Addr Translation 10.1.2.27 209.165.201.10 10.1.2.1 Inside Responding Packet Dest Addr Translation 209.165.201.10 10.1.2.27

10.1.2.27

How Data Moves Through the Security Appliance in Routed Firewall Mode
This section describes how data moves through the security appliance in routed firewall mode, and includes the following topics:

An Inside User Visits a Web Server, page 16-4 An Outside User Visits a Web Server on the DMZ, page 16-5 An Inside User Visits a Web Server on the DMZ, page 16-6 An Outside User Attempts to Access an Inside Host, page 16-7 A DMZ User Attempts to Access an Inside Host, page 16-8

ASDM User Guide OL-10106-01

92405

16-3

Chapter 16 Routed Mode Overview

Firewall Mode Overview

An Inside User Visits a Web Server


Figure 16-2 shows an inside user accessing an outside web server.
Figure 16-2 Inside to Outside

www.example.com

Outside

209.165.201.2 Source Addr Translation 10.1.2.27 209.165.201.10 10.1.2.1 10.1.1.1

Inside

DMZ

User 10.1.2.27

Web Server 10.1.1.3

The following steps describe how data moves through the security appliance (see Figure 16-2):
1. 2.

The user on the inside network requests a web page from www.example.com. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface would be unique; the www.example.com IP address does not have a current address translation in a context.

3.

The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet. The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.

4.

The security appliance then records that a session is established and forwards the packet from the outside interface.

ASDM User Guide

16-4

92404

OL-10106-01

Chapter 16

Firewall Mode Overview Routed Mode Overview

5.

When www.example.com responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27. The security appliance forwards the packet to the inside user.

6.

An Outside User Visits a Web Server on the DMZ


Figure 16-3 shows an outside user accessing the DMZ web server.
Figure 16-3 Outside to DMZ

User

Outside

209.165.201.2

Dest Addr Translation 10.1.1.13 209.165.201.3

10.1.2.1

10.1.1.1

Inside

DMZ

Web Server 10.1.1.3

The following steps describe how data moves through the security appliance (see Figure 16-3):
1. 2.

A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the classifier knows that the DMZ web server address belongs to a certain context because of the server address translation.

3.

The security appliance translates the destination address to the local address 10.1.1.3.

92406

ASDM User Guide OL-10106-01

16-5

Chapter 16 Routed Mode Overview

Firewall Mode Overview

4. 5.

The security appliance then adds a session entry to the fast path and forwards the packet from the DMZ interface. When the DMZ web server responds to the request, the packet goes through the security appliance and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 209.165.201.3. The security appliance forwards the packet to the outside user.

6.

An Inside User Visits a Web Server on the DMZ


Figure 16-4 shows an inside user accessing the DMZ web server.
Figure 16-4 Inside to DMZ

Outside

209.165.201.2

10.1.2.1

10.1.1.1

Inside

DMZ

User 10.1.2.27

Web Server 10.1.1.3

The following steps describe how data moves through the security appliance (see Figure 16-4):
1. 2.

A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface is unique; the web server IP address does not have a current address translation.

ASDM User Guide

16-6

92403

OL-10106-01

Chapter 16

Firewall Mode Overview Routed Mode Overview

3. 4. 5.

The security appliance then records that a session is established and forwards the packet out of the DMZ interface. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet bypass the many lookups associated with a new connection. The security appliance forwards the packet to the inside user.

An Outside User Attempts to Access an Inside Host


Figure 16-5 shows an outside user attempting to access the inside network.
Figure 16-5 Outside to Inside

www.example.com

Outside

209.165.201.2

10.1.2.1

10.1.1.1

Inside

DMZ

User 10.1.2.27

The following steps describe how data moves through the security appliance (see Figure 16-5):
1.

A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address). If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.

2. 3.

The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA). The packet is denied, and the security appliance drops the packet and logs the connection attempt. If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.

92407

ASDM User Guide OL-10106-01

16-7

Chapter 16 Transparent Mode Overview

Firewall Mode Overview

A DMZ User Attempts to Access an Inside Host


Figure 16-6 shows a user in the DMZ attempting to access the inside network.
Figure 16-6 DMZ to Inside

Outside

209.165.201.2

10.1.2.1

10.1.1.1

Inside

DMZ

User 10.1.2.27

Web Server 10.1.1.3

The following steps describe how data moves through the security appliance (see Figure 16-6):
1. 2. 3.

A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route the traffic on the internet, the private addressing scheme does not prevent routing. The security appliance receives the packet and because it is a new session, the security appliance verifies if the packet is allowed according to the security policy (access lists, filters, AAA). The packet is denied, and the security appliance drops the packet and logs the connection attempt.

Transparent Mode Overview


This section describes transparent firewall mode, and includes the following topics:

Transparent Firewall Features, page 16-9 Using the Transparent Firewall in Your Network, page 16-10 Transparent Firewall Guidelines, page 16-10 Unsupported Features in Transparent Mode, page 16-11 How Data Moves Through the Transparent Firewall, page 16-12

ASDM User Guide

16-8

92402

OL-10106-01

Chapter 16

Firewall Mode Overview Transparent Mode Overview

Transparent Firewall Features


Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a bump in the wire, or a stealth firewall, and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP readdressing is unnecessary. Maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration. Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection. In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost all traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF BPDU multicast address equal to 0100.0CCC.CCCD Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Note

The transparent mode security appliance does not pass CDP packets. For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the security appliance. Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list. For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV. When the security appliance runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the security appliance can reach that subnet.

ASDM User Guide OL-10106-01

16-9

Chapter 16 Transparent Mode Overview

Firewall Mode Overview

Using the Transparent Firewall in Your Network


Figure 16-7 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 16-7 Transparent Firewall Network

Internet

10.1.1.1 Management IP 10.1.1.2

Network A

10.1.1.3

192.168.1.2
92411

Network B

Transparent Firewall Guidelines


Follow these guidelines when planning your transparent firewall network:

A management IP address is required; for multiple context mode, an IP address is required for each context. Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications. The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255). You can configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address.

The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.

ASDM User Guide

16-10

OL-10106-01

Chapter 16

Firewall Mode Overview Transparent Mode Overview

In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

Each directly connected network must be on the same subnet. Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway. For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts. For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint. You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance. You can also optionally use an EtherType access list to allow non-IP traffic through.

Unsupported Features in Transparent Mode


Table 16-1 lists the features are not supported in transparent mode.
Table 16-1 Unsupported Features in Transparent Mode

Feature Dynamic DNS DHCP relay

Description The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists: one that allows DCHP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction. You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list. You also cannot allow IPv6 using an EtherType access list. You can allow multicast traffic through the security appliance by allowing it in an extended access list. NAT is performed on the upstream router. The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. WebVPN is also not supported.

Dynamic routing protocols

IPv6 Multicast NAT QoS VPN termination for through traffic

ASDM User Guide OL-10106-01

16-11

Chapter 16 Transparent Mode Overview

Firewall Mode Overview

How Data Moves Through the Transparent Firewall


Figure 16-8 shows a typical transparent firewall implementation with an inside network that contains a public web server. The security appliance has an access list so that the inside users can access Internet resources. Another access list lets the outside users access only the web server on the inside network.
Figure 16-8 Typical Transparent Firewall Data Path

www.example.com

Internet

209.165.201.2 Management IP 209.165.201.6

209.165.200.230

Host 209.165.201.3

Web Server 209.165.200.225

This section describes how data moves through the security appliance, and includes the following topics:

An Inside User Visits a Web Server, page 16-13 An Outside User Visits a Web Server on the Inside Network, page 16-14 An Outside User Attempts to Access an Inside Host, page 16-15

ASDM User Guide

16-12

92412

OL-10106-01

Chapter 16

Firewall Mode Overview Transparent Mode Overview

An Inside User Visits a Web Server


Figure 16-9 shows an inside user accessing an outside web server.
Figure 16-9 Inside to Outside

www.example.com

Internet

209.165.201.2 Management IP 209.165.201.6

Host 209.165.201.3

The following steps describe how data moves through the security appliance (see Figure 16-9):
1. 2.

The user on the inside network requests a web page from www.example.com. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface.

3. 4.

The security appliance and records that a session is established. If the destination MAC address is in its table, the security appliance forwards the packet out of the outside interface. The destination MAC address is that of the upstream router, 209.186.201.2. If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.

5.

When the web server responds to the request, the security appliance adds the web server MAC address to the MAC address table, if required, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance forwards the packet to the inside user.

6.

92408

ASDM User Guide OL-10106-01

16-13

Chapter 16 Transparent Mode Overview

Firewall Mode Overview

An Outside User Visits a Web Server on the Inside Network


Figure 16-10 shows an outside user accessing the inside web server.
Figure 16-10 Outside to Inside

Host

Internet

209.165.201.2 Management IP 209.165.201.6

209.165.201.1

209.165.200.230

Web Server 209.165.200.225

The following steps describe how data moves through the security appliance (see Figure 16-10):
1. 2.

A user on the outside network requests a web page from the inside web server. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface.

3. 4.

The security appliance records that a session is established. If the destination MAC address is in its table, the security appliance forwards the packet out of the inside interface. The destination MAC address is that of the downstream router, 209.186.201.1. If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.

ASDM User Guide

16-14

92409

OL-10106-01

Chapter 16

Firewall Mode Overview Transparent Mode Overview

5.

When the web server responds to the request, the security appliance adds the web server MAC address to the MAC address table, if required, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance forwards the packet to the outside user.

6.

An Outside User Attempts to Access an Inside Host


Figure 16-11 shows an outside user attempting to access a host on the inside network.
Figure 16-11 Outside to Inside

Host

Internet

209.165.201.2

Management IP 209.165.201.6

Host 209.165.201.3

The following steps describe how data moves through the security appliance (see Figure 16-11):
1. 2.

A user on the outside network attempts to reach an inside host. The security appliance receives the packet and adds the source MAC address to the MAC address table, if required. Because it is a new session, it verifies if the packet is allowed according to the terms of the security policy (access lists, filters, AAA). For multiple context mode, the security appliance first classifies the packet according to a unique interface.

3. 4.

The packet is denied, and the security appliance drops the packet. If the outside user is attempting to attack the inside network, the security appliance employs many technologies to determine if a packet is valid for an already established session.

92410

ASDM User Guide OL-10106-01

16-15

Chapter 16 Transparent Mode Overview

Firewall Mode Overview

ASDM User Guide

16-16

OL-10106-01

C H A P T E R

17

Configuring Access Rules


Access Rules
Configuration > Security Policy > Access Rules The Access Rules window shows your entire network security policy expressed in rules. When you choose the Access Rules option, this window lets you define access control lists to control the access of a specific host or network to another host/network, including the protocol or port that can be used. Conduits and outbound lists have been superceded by access lists. By default on the security appliance, traffic from a higher security level (for example, inside) can access a lower security level (for example, outside): there is an implicit access list on the inside interface allowing all outbound IP traffic from the inside network. (The security appliance denies traffic destined for the inside network from the outside network using the Adaptive Security Algorithm. Adaptive Security Algorithm is a stateful approach to security. Every inbound packet is checked against the Adaptive Security Algorithm and against connection state information in memory.) The implicit access list appears in ASDM, but you cannot edit it. To limit outbound traffic, you can add an access list (in which case, the implicit access list is removed). Every inbound packet is checked using the Adaptive Security Algorithm unless a connection is already established. By default on the security appliance, no traffic can pass through the firewall unless you add an access list to allow it. To allow traffic that is normally denied by the Adaptive Security Algorithm, you can add an access list; for example, you can allow public access to a web server on a DMZ network by adding an access list to the outside interface.
Restrictions

At the end of each access list, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry, it will be denied. ACEs are referred to as rules in this topic.
Prerequisites

If desired, create network groups on the Addresses tab.


Fields

Note: You can adjust the table column widths by moving your cursor over a column line until it turns into a double arrow. Click and drag the column line to the desired size.

AddAdds a new access rule. EditEdits an access rule.

ASDM User Guide OL-10106-01

17-1

Chapter 17 Access Rules

Configuring Access Rules

DeleteDeletes an access rule. Move UpMoves a rule up. Rules are assessed in the order they appear in this table, so the order can matter if you have overlapping rules. Move DownMoves a rule down. CutCuts a rule. CopyCopies the parameters of a rule so you can start a new rule with the same parameters using the Paste button. PasteOpens an Add/Edit Rule dialog box with the copied or cut parameters of a rule prefilled. You can then make any modifications and add it to the table. The Paste button adds the rule above the selected rule. The Paste After item, available from the Paste drop-down list, adds the rule after the selected rule. FindFilters the display to show only matching rules. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter drop-down listChoose the criteria to filter on, either Interface, Source, Destination,

Service, or Rule Query. A rule query is a collection of multiple criteria that you can save and use repeatedly.
Filter fieldFor the Interface type, this field becomes a drop-down list so you can choose an

interface name. For the Rule Query type, the drop-down list includes all defined rule queries. The Source and Destination types accept an IP address. You can type one manually, or browse for one by clicking the ... button and launching the Browse Address dialog box. The Service type accepts a TCP, UDP, TCP-UDP, ICMP, or IP protocol type. You can type one manually, or browse for one by clicking the ... button and launching the Browse Service Groups dialog box. The Filter field accepts multiple entries separated by a comma or space. Wildcards are also allowed.
FilterRuns the filter. ClearClears the matches and displays all. Rule QueryOpens the Rule Queries dialog box so you can manage named rule queries.

Show Rule Flow DiagramShows the Rule Flow Diagram area under the rule table. This diagram shows the networks, type of traffic, interface name, direction of flow, and action. Packet TraceOpens the Packet Tracer tool with the parameters pre-filled with the characteristics of the selected rule.

The following description summarizes the columns in the Access Rules table. You can edit the contents of these columns by double-clicking on a table row. Rules are displayed in the order of execution. If you right-click a rule, you see all of the options represented by the buttons above, as well as Insert and Insert After items. These items either insert a new rule before the selected rule (Insert) or after the selected rule (Insert After.)

NoIndicates the order of evaluation for the rule. EnabledIndicates whether the rule is enabled or disabled. SourceSpecifies the IP address, network object group, interface IP, or any, from which traffic is permitted or denied to the destination specified in the Destination Type field. An address column might contain an interface name with the word any, such as inside:any. This means that any host on the inside interface is affected by the rule. DestinationSpecifies the IP address, network object group, interface IP, or any, to which traffic is permitted or denied from the source specified in the Source Type field. An address column might contain an interface name with the word any, such as outside:any. This means that any host on the

ASDM User Guide

17-2

OL-10106-01

Chapter 17

Configuring Access Rules Access Rules

outside interface is affected by the rule. Also in detail mode, an address column might contain IP addresses in square brackets, for example [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the access list. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.

ServiceShows the service or protocol specified by the rule. ActionThe action that applies to the rule, either Permit or Deny. LoggingIf you enable logging for the access list, this column shows the logging level and the interval in seconds between log messages. TimeDisplays the time range during which the rule is applied. DescriptionShows the description you entered when you added the rule. An implicit rule includes the following description: Implicit outbound rule. AddressesTab that lets you add, edit, delete, or find IP names or network object groups. IP address objects are automatically created based on source and destination entries during rule creation so that they can easily be selected in the creation of subsequent rules. They cannot be added, edited, or deleted manually. ServicesTab that lets you add, edit, delete, or find services. Time RangesTab that lets you add, edit, or delete time ranges.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rule Queries
Configuration > Security Policy > Rule Queries The Rule Queries dialog box lets you manage named rule queries that you can use in the Filter field when searching for Rules.
Fields

AddAdds a rule query. EditEdits a rule query. DeleteDeletes a rule query. NameLists the names of the rule queries. DescriptionLists the descriptions of the rule queries.

ASDM User Guide OL-10106-01

17-3

Chapter 17 Access Rules

Configuring Access Rules

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

New/Edit Rule Query


Configuration > Security Policy > Rule Queries > New/Edit Rule Query The New/Edit Rule Query dialog box lets you add or edit a named rule query that you can use in the Filter field when searching for Rules.
Fields

NameEnter a name for this rule query. DescriptionEnter a description for this rule query. Match CriteriaThis area lists the criteria you want to filter on.
any of the following criteriaSets the rule query to match any of the listed criteria. all of the following criteriaSets the rule query to match all of the listed criteria. FieldLists the type of criteria. For example, an interface or source. ValueLists the value of the criteria, for example, inside. RemoveRemoves the selected criteria.

Define New CriteriaThis area lets you define new criteria to add to the match criteria.
FieldChoose a type of criteria, including Interface, Source, Destination, Service, Action, or

another Rule Query to be nested in this rule query.


ValueEnter a value to search on. For the Interface type, this field becomes a drop-down list

so you can choose an interface name. For the Action type, the drop-down list includes Permit and Deny. For the Rule Query type, the drop-down list includes all defined rule queries. The Source and Destination types accept an IP address. You can type one manually, or browse for one by clicking the ... button and launching the Browse Address dialog box. The Service type accepts a TCP, UDP, TCP-UDP, ICMP, or IP protocol type. You can type one manually, or browse for one by clicking the ... button and launching the Browse Service Groups dialog box.
AddAdds the criteria to the Match Criteria table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

17-4

OL-10106-01

Chapter 17

Configuring Access Rules Access Rules

Add/Edit Access Rule


Configuration > Security Policy > Access Rules > Add/Edit Access Rule The Add/Edit Rule dialog box lets you create a new rule, or modify an existing rule.
Fields

InterfaceSpecifies the interface to which the rule applies. ActionDetermines the action type of the new rule. Select either permit or deny.
PermitPermits all matching traffic. DenyDenies all matching traffic.

DirectionDetermines which direction of traffic the rule is applied.


IncomingSelects incoming traffic to the source interface. OutgoingSelects outgoing traffic from the destination interface.

Source TypeSpecifies the IP address, network object group, interface IP, or any, from which traffic is permitted or denied to the destination specified in the Destination Type field.
IP AddressSpecifies the IP address from which traffic is permitted or denied to the

destination specified in the Destination Type field. IP addressSpecifies the IP address. ...Lets you select, add, edit, delete, or find an existing IP address object, IP name, network object group, or all. NetmaskSpecifies the netmask.
Network Object GroupSpecifies the network object group from which traffic is permitted or

denied to the destination specified in the Destination Type field. Group NameSpecifies the network object group name. ...Lets you select, add, edit, delete, or find an existing IP address object, IP name, network object group, or all.
Interface IPSpecifies the interface IP, or any, from which traffic is permitted or denied to the

destination specified in the Destination Type field.


InterfaceSpecifies the interface.

Destination TypeSpecifies the IP address, network object group, interface IP, or any, to which traffic is permitted or denied from the source specified in the Source Type field.
IP AddressSpecifies the IP address to which traffic is permitted or denied from the

destination specified in the Source Type field. IP addressSpecifies the IP address. ...Lets you select, add, edit, delete, or find an existing IP address object, IP name, network object group, or all. NetmaskSpecifies the netmask.
Network Object GroupSpecifies the network object group to which traffic is permitted or

denied from the source specified in the Source Type field. Group NameSpecifies the network object group name. ...Lets you select, add, edit, delete, or find an existing IP address object, IP name, network object group, or all.

ASDM User Guide OL-10106-01

17-5

Chapter 17 Access Rules

Configuring Access Rules

Interface IPSpecifies the interface IP, or any, to which traffic is permitted or denied from the

source specified in the Source Type field.


InterfaceSpecifies the interface.

Protocol and Service: TCP and UDPSelects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the access list uses to match packets.
ServiceChoose this option to specify a port number, a range of ports, or a well-known service

name from a list of services, such as HTTP or FTP. The operator drop-down list specifies how the access list matches the port. Choose one of the following operators: = Equals the port number. not = Does not equal the port number. > Greater than the port number. < Less than the port number. rangeEqual to one of the port numbers in the range.
GroupChoose this option to specify a service group from the Service Group drop-down list,

The browse button displays the Browse Source Port dialog box, which lets you select, add, edit, delete or find a source type from a preconfigured list.

Protocol and Service: IPSpecifies the IP protocol for the rule in the IP protocol field. Protocol and Service: ICMPSpecifies the ICMP type for the rule in the ICMP type field or the ICMP group.
The browse button displays the Browse ICMP dialog box, which lets you select, add, edit, delete

or find a source type from a preconfigured list.


Rule Flow DiagramShows the networks, type of traffic, interface name, direction of flow, and action. OptionsEnables logging for the access list and sets logging options. Logging options:
Use default logging behavior. Enable logging for the rule. Sets the level and interval for permit and deny logging. See Log

Options for more information. Syslog LevelSpecifies emergencies, alerts, critical, errors, warnings, notifications, informational, or debugging. Log IntervalSpecifies the interval for logging.
Disable logging for the rule. Time RangeSelect a time range defined for this rule from the drop-down list.

The browse button displays the Browse Time Range dialog box, which lets you select, add, edit, or delete a time range from a preconfigured list.
Description(Optional) Enter a description of the access rule.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

17-6

OL-10106-01

Chapter 17

Configuring Access Rules Access Rules

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Manage Service Groups


Configuration > Security Policy > Access Rules > Add/Edit Access Rule > Manage Service Groups The Manage Service Groups dialog box lets you associate multiple TCP, UDP, or TCP-UDP services (ports) in a named group. You can then use the service group in an access or IPSec rule, a conduit, or other functions within ASDM and the CLI. The term service refers to higher layer protocols associated with application level services having well known port numbers and literal names such as ftp, telnet, and smtp. The security appliance permits the following TCP literal names: bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, www. The Name of a service group must be unique to all four types of object groups. For example, a service group and a network group may not share the same name. Multiple service groups can be nested into a group of groups and used the same as a single group. When a service object group is deleted, it is removed from all service object groups where it is used. If a service group is used in an access rule, do not remove it. A service group used in an access rule cannot be made empty.
Fields

TCPSelect this option to add TCP services or port numbers to an object group. UDPSelect this option to add UDP services or port numbers to an object group. TCP-UDPSelect this option to add services or port numbers that are common to TCP and UDP to an object group. Service Group tableThis table contains a descriptive name for each service object group. To modify or delete a group on this list, select the group and click Edit or Delete. To add a new group to this list, click Add.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

17-7

Chapter 17 Access Rules

Configuring Access Rules

Add/Edit Service Group


Configuration > Security Policy > Access Rules > Add/Edit Access Rule > Manage Service Groups > Add/Edit Service Group The Add/Edit Service Group dialog box lets you manage a group of TCP/UDP services/ports.
Fields

Service Group NameSpecifies the name of the service group. The name must be unique for all object groups. A service group name cannot share a name with a network group. DescriptionSpecifies a description of the service group. ServiceLets you select services for the service group from a predefined drop-down list. Range/Port #Lets you specify a range of ports for the service group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Advanced Access Rule Configuration


Configuration > Security Policy > Access Rules > Advanced Access Rule Configuration The Advanced Access Rule Configuration dialog box lets you to set global access list logging options. When you enable logging, if a packet matches the ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval (see Log Options). The security appliance generates a system log message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry. A large number of flows can exist concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the security appliance places a limit on the number of concurrent deny flows; the limit is placed only on deny flows (and not permit flows) because they can indicate an attack. When the limit is reached, the security appliance does not create a new deny flow until the existing flows expire. If someone initiates a denial of service attack, the security appliance can create a very large number of deny flows in a very short period of time. Restricting the number of deny-flows prevents unlimited consumption of memory and CPU resources.
Prerequisites

These settings only apply if you enable the newer logging mechanism for the access control entry (also known as a rule) for the access list. See Log Options for more information.
Fields

Maximum Deny-flowsThe maximum number of deny flows permitted before the security appliance stops logging, between 1 and the default value. The default is 4096.

ASDM User Guide

17-8

OL-10106-01

Chapter 17

Configuring Access Rules Access Rules

Alert IntervalThe amount of time (1-3600 seconds) between system log messages (number 106101) that identify that the maximum number of deny flows was reached. The default is 300 seconds. Per User Override tableSpecifies the state of the per user override feature. If the per user override feature is enabled on the inbound access list, the access list provided by a RADIUS server replaces the access list configured on that interface. If the per user override feature is disabled, the access list provided by the RADIUS server is combined with the access list configured on that interface. If the inbound access list is not configured for the interface, per user override cannot be configured.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Log Options
Configuration > Security Policy > Access Rules > Add/Edit Access Rule > Log Options (You can get to this dialog box through multiple paths.) The Log Options dialog box lets you set logging options for each access control entry (also called a rule) for an access control list. Conduits and outbound lists do not support logging. See Advanced Access Rule Configuration to set global logging options. This dialog box lets you use the older logging mechanism (only denied traffic is logged), to use the newer logging mechanism (permitted and denied traffic is logged, along with additional information such as how many packet hits), or to disable logging. The Log option consumes a certain amount of memory when enabled. To help control the risk of a potential Denial of Service attack, you can configure the Maximum Deny-flow setting by choosing Advanced in the Access Rules window.
Fields

Use default logging behaviorUses the older access list logging mechanism: the security appliance logs system log message number 106023 when a packet is denied. Use this option to return to the default setting. Enable logging for the ruleEnables the newer access list logging mechanism: the security appliance logs system log message number 106100 when a packet matches the ACE (either permit or deny). If a packet matches the ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval (see the Logging Interval field that follows). The security appliance generates a system log message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
Logging LevelSelects the level of logging messages to be sent to the syslog server from this

drop-down list. Levels are defined as follows:

ASDM User Guide OL-10106-01

17-9

Chapter 17 Access Rules

Configuring Access Rules

Emergency (level 0)The security appliance does not use this level. Alert (level 1, immediate action needed) Critical (level 2, critical condition) Error (level 3, error condition) Warning (level 4, warning condition) Notification (level 5, normal but significant condition) Informational (level 6, informational message only) Debugging (level 7, appears during debugging only)
Logging IntervalSets the amount of time in seconds (1-600) the security appliance waits

before sending the flow statistics to the syslog. This setting also serves as the timeout value for deleting a flow if no packets match the ACE. The default is 300 seconds.

Disable logging for the ruleDisables all logging for the ACE.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

17-10

OL-10106-01

C H A P T E R

18

Configuring EtherType Rules


Ethertype Rules (Transparent Mode Only)
Configuration > Security Policy > Ethertype Rules The EtherType Rules window shows access rules based on packet EtherTypes. EtherType rules are used to configure non-IP related traffic policies through the security appliance when operating in transparent mode. In transparent mode, you can apply both extended and EtherType access rules to an interface. EtherType rules take precedence over the extended access rules.
Fields

AddAdds a new EtherType rule. Choose the type of rule you want to add from the drop-down list. EditEdits an EtherType rule. DeleteDeletes an EtherType rule. Move UpMoves a rule up. Rules are assessed in the order they appear in this table, so the order can matter if you have overlapping rules. Move DownMoves a rule down. CutCuts a rule. CopyCopies the parameters of a rule so you can start a new rule with the same parameters using the Paste button. PasteOpens an Add/Edit Rule dialog box with the copied or cut parameters of the rule prefilled. You can then make any modifications and add it to the table. The Paste button adds the rule above the selected rule. The Paste After item, available from the Paste drop-down list, adds the rule after the selected rule.

The following description summarizes the columns in the EtherType Rules table. You can edit the contents of these columns by double-clicking on a table cell. Double-clicking on a column header sorts the table in ascending alphanumeric order, using the selected column as the sort key. If you right-click a rule, you see all of the options represented by the buttons above, as well as Insert and Insert After items. These items either insert a new rule before the selected rule (Insert) or after the selected rule (Insert After.)

NoIndicates the order of evaluation for the rule. ActionPermit or deny action for this rule. EthervalueEtherType value: IPX, BPDU, MPLS-Unicast, MPLS-Multicast, or a 16-bit hexadecimal value between 0x600 (1536) and 0xffff by which an EtherType can be identified. InterfaceInterface to which the rule is applied.

ASDM User Guide OL-10106-01

18-1

Chapter 18 Ethertype Rules (Transparent Mode Only)

Configuring EtherType Rules

Direction AppliedDirection for this rule: incoming traffic or outgoing traffic. DescriptionOptional text description of the rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

Add/Edit EtherType Rule


Configuration > Security Policy > Ethertype Rules > Add/Edit Ethertype Rules The Add/Edit EtherType Rules dialog box lets you add or edit an EtherType rule.
Fields

ActionPermit or deny action for this rule. InterfaceInterface name for this rule. Apply rule toDirection for this rule: incoming traffic or outgoing traffic. EthervalueEtherType value: BPDU, IPX, MPLS-Unicast, MPLS-Multicast, any (any value between 0x600 and 0xffff), or a 16-bit hexadecimal value between 0x600 (1536) and 0xffff by which an EtherType can be identified. DescriptionOptional text description of the rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

ASDM User Guide

18-2

OL-10106-01

C H A P T E R

19

Configuring AAA Rules


This chapter describes how to enable AAA (pronounced triple A) for network access. For information about AAA for management access, see the AAA Access section on page 11-1 This chapter includes the following sections:

AAA Performance, page 19-1 Configuring AAA Rules, page 19-1 Configuring a RADIUS Server for Authorization, page 19-13

AAA Performance
The security appliance uses cut-through proxy to significantly improve performance compared to a traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the OSI model. The security appliance cut-through proxy challenges a user initially at the application layer and then authenticates against standard AAA servers or the local database. After the security appliance authenticates the user, it shifts the session flow, and all traffic flows directly and quickly between the source and destination while maintaining session state information.

Configuring AAA Rules


This section describes how to configure AAA rules, and includes the following topics:

AAA Rules, page 19-1 Add/Edit Authentication Rule, page 19-4 Add/Edit Authorization Rule, page 19-7 Add/Edit Accounting Rule, page 19-10 Add/Edit MAC Exempt Rule, page 19-12 Advanced AAA Configuration, page 19-12

AAA Rules
Configuration > Security Policy > AAA Rules

ASDM User Guide OL-10106-01

19-1

Chapter 19 Configuring AAA Rules

Configuring AAA Rules

The Security Policy pane shows your network security policy expressed in rules. This window includes tabs for AAA Rules, as well as for other rules. This topic describes AAA Rules. For an overview of AAA services, see Chapter 10, Configuring AAA Servers. When you choose the AAA Rules tab, you can define authentication, authorization, or accounting (AAA) rules, as well as MAC exempt rules. AAA tells the security appliance who the user is, what the user can do, and what the user did. You can use authentication alone, or with authorization. Authorization always requires authentication. For example, if you authenticate outside users who access any server on the inside network, then authentication alone is adequate. However, if you want to limit the inside servers that a particular user accesses, you can configure an authorization server to specify which servers and services that user is allowed to access. AAA provides a greater level of protection and control for user access than using access lists alone. For example, you can create an access list allowing all outside users to access a server on the DMZ network. But if you want only registered users to Telnet to the server, you can configure AAA to allow only authenticated and/or authorized users to make it past the security appliance. If the server also has its own authentication and authorization, the user enters a second set of user name and password (in the case of FTP, the user must enter both usernames and passwords separated by an at sign (@)). Each AAA rule identifies the following characteristics for matching traffic:

The source and destination network The action (authentication, authorization, or accounting; a rule can also exempt a MAC address from AAA) The AAA server group The service type (for example, Telnet or FTP)

Restrictions

ASDM does not support a mixed configuration of AAA rules that:


Specify the source and destination addresses Match access lists for the source and destination addresses If your configuration already contains AAA rules, then you can add only AAA rules of the same kind. If you have not configured any AAA rules, then ASDM allows you to add only rules that match access lists. To convert your rules to match access lists, you must delete all of your AAA rules in ASDM, then re-add them (with no rules configured, ASDM defaults to access list mode). In ASDM, the configuration of AAA rules is the same in both modes.

For FTP authentication, the user must enter the name and password in the following format: security appliance_name@ftp_name security appliance_password@ftp_password

The security appliance forwards the FTP name and password to the FTP server after successful authentication on the security appliance. Other services such as Telnet and HTTP (if configured for authentication) require you to enter a second name and password at the destination server prompt. Some services are not reliably authenticated, such as mail or SMTP. If you specify that all services need to be authenticated, then the user must first authenticate with Telnet, FTP, HTTP, or HTTPS (or another service that reliably provides an authentication prompt), and then use the other services. AAA authorization rules support TACACS+ servers, but not other servers. However, you can use the local database to authorize users for security appliance commands. AAA accounting rules are not supported using the local database as the AAA Server Group.

ASDM User Guide

19-2

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring AAA Rules

Prerequisites
1. 2. 3. 4.

Define each host or server in the Configuration > Features > Properties > AAA Setup > AAA Server Groups pane. Add users to the local database. (See Configuration > Features > Properties > Administration > User Accounts.) Be sure that users can access the specified network (by an Access Rules if required). Set up the AAA server correctly.

Fields

AddAdds a new AAA rule. Choose the type of rule you want to add from the drop-down list. EditEdits an AAA rule. DeleteDeletes a AAA rule. Move UpMoves a rule up. Rules are assesed in the order they appear in this table, so the order can matter if you have overlapping rules. Move DownMoves a rule down. CutCuts a rule. CopyCopies a rules parameters so you can start a new rule with the same parameters using the Paste button. PasteOpens an Add/Edit Rule dialog box with the copied or cut rules paramaters prefilled. You can then make any modifications and add it to the table. The Paste button adds the rule above the selected rule. The Paste After item, available from the Paste drop-down list, adds the rule after the selected rule. FindFilters the display to show only matching rules. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter drop-down listChoose the criteria to filter on, either Interface, Source, Destination,

Service, Action, or Rule Query. A rule query is a collection of multiple criteria that you can save and use repeatedly.
Filter fieldFor the Interface type, this field becomes a drop-down list so you can choose an

interface name, or All Interfaces. For the Action type, the drop-down list includes Permit and Deny. For the Rule Query type, the drop-down list includes all defined rule queries. The Source and Destination types accept an IP address. You can type one manually, or browse for one by clicking the ... button and launching the Browse Address dialog box. The Service type accepts a TCP, UDP, TCP-UDP, ICMP, or IP protocol type. You can type one manually, or browse for one by clicking the ... button and launching the Browse Service Groups dialog box.
FilterRuns the filter. ClearClears the Filter field. Rule QueryOpens the Rule Queries dialog box so you can manage named rule queries.

Show Rule Flow DiagramShows the Rule Flow Diagram area under the rule table. This diagram shows the networks, type of traffic, interface name, direction of flow, and action (for example, Authenticate or Do Not Authenticate). Packet TraceOpens the Packet Tracer tool with the paramters pre-filled with the characteristics of the selected rule.

ASDM User Guide OL-10106-01

19-3

Chapter 19 Configuring AAA Rules

Configuring AAA Rules

The following description summarizes the columns in the AAA Rules table. You can edit the contents of these columns by double-clicking on a table cell. Double-clicking on a column header sorts the table in ascending alphanumeric order, using the selected column as the sort key. If you right-click a rule, you see all of the options represented by the buttons above, as well as Insert and Insert After items. These items either insert a new rule before the selected rule (Insert) or after the selected rule (Insert After.)

NoIndicates the order of evaluation for the rule. EnabledIndicates whether the rule is enabled or disabled. ActionSpecifies the type of AAA rule. SourceLists the IP addresses that are subject to AAA when traffic is sent to the IP addresses listed in the Destination column. DestinationLists the IP addresses that are subject to AAA when traffic is sent from the IP addresses listed in the Source column. ServiceShows the service or protocol specified by the rule. ActionShows the action specified by the rule, including Authenticate, Do Not Authenticate, Authorize, Do Not Authorize, and so on. Server GroupSpecifies the AAA Server Group tag. Configure AAA server groups in Properties > AAA Setup > AAA Server Groups. To create new AAA rules, a server group must exist and have one or more servers in it. TimeSpecifies the name of the time range in effect for this rule. DescriptionThe description you entered when you added the rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Authentication Rule


The security appliance lets you configure network access authentication using AAA servers or the local database. A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See Timeouts for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP. Although you can configure the security appliance to require authentication for network access to any protocol or service, users can authenticate directly with HTTP(S), Telnet, or FTP only. A user must first authenticate with one of these services before the security appliance allows other traffic requiring authentication.

ASDM User Guide

19-4

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring AAA Rules

If you do not want to allow HTTP(S), Telnet, or FTP through the security appliance but want to authenticate other types of traffic, you can configure virtual Telnet. With virtual Telnet, the user Telnets to a given IP address configured on the security appliance and the security appliance provides a Telnet prompt. For Telnet, HTTP(S), and FTP, the security appliance generates an authentication prompt. If the destination server also has its own authentication, the user enters another username and password. For HTTP authentication, the security appliance checks local ports when static NAT is configured. If it detects traffic destined for local port 80, regardless of the global port, the security appliance intercepts the HTTP connection and enforces authentication. For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant access lists permit the traffic. Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the security appliance allows HTTP connection to complete. If the local port is different than port 80, then users do not see the authentication page. Instead, the security appliance sends to the web browser an error message indicating that the user must be authenticated prior using the requested service.

Note

If you use HTTP authentication without using secure HTTP client authentication (see Advanced AAA Configuration), the username and password are sent in clear text to the destination web server, and not just to the AAA server. For example, if you authenticate inside users when they access outside web servers, anyone on the outside can learn valid usernames and passwords. We recommend that you use secure HTTP client authentication whenever you enable HTTP authentication. For FTP, a user has the option of entering the security appliance username followed by an at sign (@) and then the FTP username (name1@name2). For the password, the user enters the security appliance password followed by an at sign (@) and then the FTP password (password1@password2). For example, enter the following text.
name> jamiec@jchrichton password> letmein@he110

This feature is useful when you have cascaded firewalls that require multiple logins. You can separate several names and passwords by multiple at signs (@).
Fields

Interface and ActionChoose the interface, action, and AAA server group.

InterfaceChoose the interface on which to apply this rule. ActionChoose Authenticate or Do not Authenticate. AAA Server GroupChoose a AAA server group or the local database. You must add the server group in Properties > AAA Setup > AAA Server Groups. Add Server/UserClick this button to add a server to the selected AAA server group, or a user to the local database. TypeChoose the type of address you want to use, including any, IP address, Network Object Group, or Interface IP. If you choose IP address, the you see the following fields:

SourceSpecify the source address for traffic you want to authenticate.

ASDM User Guide OL-10106-01

19-5

Chapter 19 Configuring AAA Rules

Configuring AAA Rules

IP AddressEnter it manually or click the ... button to choose from the Browse Address dialog

box.
NetmaskChoose a subnet mask from the drop-down list.

If you choose Network Object Group, you see the following field:
Group NameChoose a group name from the drop-down list, or click the ... button to bring up

the Browse Address dialog box. From the Browse Address dialog box, you can add a network object group. If you choose Interface IP, you see the following field:
InterfaceChoose an interface from the drop-down list.

DestinationSpecify the destination address for traffic you want to authenticate.

TypeChoose the type of address you want to use, including any, IP address, Network Object Group, or Interface IP. If you choose IP address, the you see the following fields:
IP AddressEnter it manually or click the ... button to choose from the Browse Address dialog

box.
NetmaskChoose a subnet mask from the drop-down list.

If you choose Network Object Group, you see the following field:
Group NameChoose a group name from the drop-down list, or click the ... button to bring up

the Browse Address dialog box. From the Browse Address dialog box, you can add a network object group. If you choose Interface IP, you see the following field:
InterfaceChoose an interface from the drop-down list.

Protocol and ServiceSpecify the port or protocol for traffic you want to authenticate.

ProtocolChoose the protocol for the traffic, either tcp, udp, ip, icmp, or other. If you choose tcp or udp, then you see the following fields:
Source PortSet the source port for the traffic you want to authenticate.

ServiceClick this radio button to enter a port or range of ports. Choose an operator from the drop-down list, including = (equal), != (not equal), > (greater than), < (less than), and range. Either type a number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers. GroupClick this radio button to specify a service group, created on Service Groups. Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group.
Destination PortSet the destination port for the traffic you want to authenticate.

ServiceClick this radio button to enter a port or range of ports. Choose an operator from the drop-down list, including = (equal), != (not equal), > (greater than), < (less than), and range. Either type a number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers. GroupClick this radio button to specify a service group, created on Service Groups. Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. If you choose icmp, then you see the following fields:

ASDM User Guide

19-6

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring AAA Rules

ICMP TypeClick this radio button to enter an ICMP type. Either type a number, or choose a

well-known type from the drop-down list.


ICMP GroupClick this radio button to specify a service group, created on Service Groups.

Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. If you choose other, then you see the following fields:
ProtocolClick this radio button to enter an IP protocol type. Either type a number, or choose

a well-known type from the drop-down list.


Protocol GroupClick this radio button to specify a service group, created on Service Groups.

Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. Rule Flow DiagramShows the Rule Flow Diagram for this rule. This diagram shows the networks, type of traffic, interface name, direction of flow, and action (for example, Authenticate or Do Not Authenticate). OptionsSet options for this rule.

Time RangeChoose the name of an existing time range from the drop-down list. A time range enables a rule only during the specified times. Create a time range on Configuring Time Ranges. DescriptionEnter a description for this rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Authorization Rule


You can configure the security appliance to perform network access authorization with TACACS+.

Note

When you configure the security appliance to authenticate users for network access using RADIUS, you are also implicitly enabling RADIUS authorizations. RADIUS authorization does not require a separate authorization rule, like TACACS+. See the Configuring a RADIUS Server for Authorization section on page 19-13 for more information about using RADIUS for authorization. Authentication and authorization rules are independent; however, any unauthenticated traffic matched by an authorization rule will be denied. For authorization to succeed, a user must first authenticate with the security appliance. Because a user at a given IP address only needs to authenticate one time for all rules and types, if the authentication session has not expired, authorization can occur even if the traffic is matched by an authentication statement.

ASDM User Guide OL-10106-01

19-7

Chapter 19 Configuring AAA Rules

Configuring AAA Rules

After a user authenticates, the security appliance checks the authorization rules for matching traffic. If the traffic matches the authorization rule, the security appliance sends the username to the TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for that traffic, based on the user profile. The security appliance enforces the authorization rule in the response. See the documentation for your TACACS+ server for information about configuring network access authorizations for a user.
Fields

Interface and ActionChoose the interface, action, and AAA server group.

InterfaceChoose the interface on which to apply this rule. ActionChoose Authorize or Do not Authorize. AAA Server GroupChoose a AAA server group or the local database. You must add the server group in Properties > AAA Setup > AAA Server Groups. Add Server/UserClick this button to add a server to the selected AAA server group, or a user to the local database. TypeChoose the type of address you want to use, including any, IP address, Network Object Group, or Interface IP. If you choose IP address, the you see the following fields:
IP AddressEnter it manually or click the ... button to choose from the Browse Address dialog

SourceSpecify the source address for traffic you want to authorize.

box.
NetmaskChoose a subnet mask from the drop-down list.

If you choose Network Object Group, you see the following field:
Group NameChoose a group name from the drop-down list, or click the ... button to bring up

the Browse Address dialog box. From the Browse Address dialog box, you can add a network object group. If you choose Interface IP, you see the following field:
InterfaceChoose an interface from the drop-down list.

DestinationSpecify the destination address for traffic you want to authorize.

TypeChoose the type of address you want to use, including any, IP address, Network Object Group, or Interface IP. If you choose IP address, the you see the following fields:
IP AddressEnter it manually or click the ... button to choose from the Browse Address dialog

box.
NetmaskChoose a subnet mask from the drop-down list.

If you choose Network Object Group, you see the following field:
Group NameChoose a group name from the drop-down list, or click the ... button to bring up

the Browse Address dialog box. From the Browse Address dialog box, you can add a network object group. If you choose Interface IP, you see the following field:
InterfaceChoose an interface from the drop-down list.

Protocol and ServiceSpecify the port or protocol for traffic you want to authorize.

ASDM User Guide

19-8

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring AAA Rules

ProtocolChoose the protocol for the traffic, either tcp, udp, ip, icmp, or other. If you choose tcp or udp, then you see the following fields:
Source PortSet the source port for the traffic you want to authorize.

ServiceClick this radio button to enter a port or range of ports. Choose an operator from the drop-down list, including = (equal), != (not equal), > (greater than), < (less than), and range. Either type a number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers. GroupClick this radio button to specify a service group, created on Service Groups. Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group.
Destination PortSet the destination port for the traffic you want to authorize.

ServiceClick this radio button to enter a port or range of ports. Choose an operator from the drop-down list, including = (equal), != (not equal), > (greater than), < (less than), and range. Either type a number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers. GroupClick this radio button to specify a service group, created on Service Groups. Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. If you choose icmp, then you see the following fields:
ICMP TypeClick this radio button to enter an ICMP type. Either type a number, or choose a

well-known type from the drop-down list.


ICMP GroupClick this radio button to specify a service group, created on Service Groups.

Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. If you choose other, then you see the following fields:
ProtocolClick this radio button to enter an IP protocol type. Either type a number, or choose

a well-known type from the drop-down list.


Protocol GroupClick this radio button to specify a service group, created on Service Groups.

Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. Rule Flow DiagramShows the Rule Flow Diagram for this rule. This diagram shows the networks, type of traffic, interface name, direction of flow, and action (for example, authorize or Do Not Authorize). OptionsSet options for this rule.

Time RangeChoose the name of an existing time range from the drop-down list. A time range enables a rule only during the specified times. Create a time range on Configuring Time Ranges. DescriptionEnter a description for this rule.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

19-9

Chapter 19 Configuring AAA Rules

Configuring AAA Rules

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Accounting Rule


The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.
Fields

Interface and ActionChoose the interface, action, and AAA server group.

InterfaceChoose the interface on which to apply this rule. ActionChoose Account or Do not Account. AAA Server GroupChoose a AAA server group or the local database. You must add the server group in Properties > AAA Setup > AAA Server Groups. Add Server/UserClick this button to add a server to the selected AAA server group, or a user to the local database. TypeChoose the type of address you want to use, including any, IP address, Network Object Group, or Interface IP. If you choose IP address, the you see the following fields:
IP AddressEnter it manually or click the ... button to choose from the Browse Address dialog

SourceSpecify the source address for traffic you want to authenticate.

box.
NetmaskChoose a subnet mask from the drop-down list.

If you choose Network Object Group, you see the following field:
Group NameChoose a group name from the drop-down list, or click the ... button to bring up

the Browse Address dialog box. From the Browse Address dialog box, you can add a network object group. If you choose Interface IP, you see the following field:
InterfaceChoose an interface from the drop-down list.

DestinationSpecify the destination address for traffic you want to account.

TypeChoose the type of address you want to use, including any, IP address, Network Object Group, or Interface IP. If you choose IP address, the you see the following fields:
IP AddressEnter it manually or click the ... button to choose from the Browse Address dialog

box.

ASDM User Guide

19-10

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring AAA Rules

NetmaskChoose a subnet mask from the drop-down list.

If you choose Network Object Group, you see the following field:
Group NameChoose a group name from the drop-down list, or click the ... button to bring up

the Browse Address dialog box. From the Browse Address dialog box, you can add a network object group. If you choose Interface IP, you see the following field:
InterfaceChoose an interface from the drop-down list.

Protocol and ServiceSpecify the port or protocol for traffic you want to account.

ProtocolChoose the protocol for the traffic, either tcp or udp.


Source PortSet the source port for the traffic you want to account.

ServiceClick this radio button to enter a port or range of ports. Choose an operator from the drop-down list, including = (equal), != (not equal), > (greater than), < (less than), and range. Either type a number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers. GroupClick this radio button to specify a service group, created on Service Groups. Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group.
Destination PortSet the destination port for the traffic you want to account.

ServiceClick this radio button to enter a port or range of ports. Choose an operator from the drop-down list, including = (equal), != (not equal), > (greater than), < (less than), and range. Either type a number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers. GroupClick this radio button to specify a service group, created on Service Groups. Choose a group name from the drop-down list, or click the ... button to bring up the Browse Service Groups dialog box. From the Browse Service Groups dialog box, you can add a service group. Rule Flow DiagramShows the Rule Flow Diagram for this rule. This diagram shows the networks, type of traffic, interface name, direction of flow, and action (for example, Account or Do Not Account). OptionsSet options for this rule.

Time RangeChoose the name of an existing time range from the drop-down list. A time range enables a rule only during the specified times. Create a time range on Configuring Time Ranges. DescriptionEnter a description for this rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

19-11

Chapter 19 Configuring AAA Rules

Configuring AAA Rules

Add/Edit MAC Exempt Rule


The security appliance can exempt from authentication and authorization any traffic from specific MAC addresses. For example, if the security appliance authenticates TCP traffic originating on a particular network but you want to allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to exempt from authentication and authorization any traffic from the server specified by the rule. The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.
Fields

ActionChoose MAC Exempt or No MAC Exempt. The MAC Exempt option allows traffic from the MAC address without having to authenticate or authorize. The No MAC Exempt option specifies a MAC address that is not exempt from authentication or authorization. You might need to add a deny entry if you permit a range of MAC addresses using a MAC address mask such as ffff.ffff.0000, and you want to force a MAC address in that range to be authenticated and authorized. MAC AddressSpecifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn. MAC MaskSpecifies the portion of the MAC address that should be used for matching. For example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Advanced AAA Configuration


Configuration > Security Policy > AAA Rules > Advanced AAA Configuration Enables or disables secure HTTP and Proxy Limit features. This screen appears when you choose Advanced on the Configuration > Features > Security Policy window.
Fields

Secure HTTPSpecifies whether to enable or disable Secure HTTP (HTTPS).


Enable Secure HTTPRequires the security appliance to authenticate with the HTTP client,

such as a web browser, using secure HTTP (HTTPS). If you do not enable this feature, the security appliance uses HTTP, and passwords are in clear text.

Note

If you check Enable Secure HTTP, but have not configured HTTP authentication in the AAA rules, this check box has no effect.

ASDM User Guide

19-12

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring a RADIUS Server for Authorization

Proxy LimitSpecifies Proxy Limit parameters.


Enable Proxy LimitLimits the number of concurrent proxy connections allowed per user. The

maximum is 128. If you do not enable this feature, no limit is imposed.


Proxy LimitThe default 1s 16.Specifies the number of concurrent proxy connections allowed.

The range is 1-128.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configuring a RADIUS Server for Authorization


When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept message sent by a RADIUS server. When you configure the security appliance to authenticate users for network access, you are also implicitly enabling RADIUS authorizations; therefore, this section contains no information about configuring RADIUS authorization on the security appliance. It does provide information about how the security appliance handles access list information received from RADIUS servers. You can configure a RADIUS server to download an access list to the security appliance or an access list name at the time of authentication. The user is authorized to do only what is permitted in the user-specific access list.

Note

If you have used the access-group command to apply access lists to interfaces, be aware of the following effects of the per-user-override keyword on authorization by user-specific access lists:

Without the per-user-override keyword, traffic for a user session must be permitted by both the interface access list and the user-specific access list. With the per-user-override keyword, the user-specific access list determines what is permitted.

For more information, see the access-group command entry in the Cisco Security Appliance Command Reference.

This section includes the following topics:


Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-13 Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-17

Configuring a RADIUS Server to Send Downloadable Access Control Lists


This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics:

ASDM User Guide OL-10106-01

19-13

Chapter 19 Configuring a RADIUS Server for Authorization

Configuring AAA Rules

About the Downloadable Access List Feature and Cisco Secure ACS, page 19-14 Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-15 Configuring Any RADIUS Server for Downloadable Access Lists, page 19-16 Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-17

About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists is the most scalable means of using Cisco Secure ACS to provide the appropriate access lists for each user. It provides the following capabilities:

Unlimited access list sizeDownloadable access lists are sent using as many RADIUS packets as required to transport the full access list from Cisco Secure ACS to the security appliance. Simplified and centralized management of access listsDownloadable access lists enable you to write a set of access lists once and apply it to many user or group profiles and distribute it to many security appliances.

This approach is most useful when you have very large access list sets that you want to apply to more than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group management makes it useful for access lists of any size. The security appliance receives downloadable access lists from Cisco Secure ACS using the following process:
1. 2.

The security appliance sends a RADIUS authentication request packet for the user session. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS access-accept message that contains the internal name of the applicable downloadable access list. The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) contains the following attribute-value pair to identify the downloadable access list set:
ACS:CiscoSecure-Defined-ACL=acl-set-name

where acl-set-name is the internal name of the downloadable access list, which is a combination of the name assigned to the access list by the Cisco Secure ACS administrator and the date and time that the access list was last modified.
3.

The security appliance examines the name of the downloadable access list and determines if it has previously received the named downloadable access list.
If the security appliance has previously received the named downloadable access list,

communication with Cisco Secure ACS is complete and the security appliance applies the access list to the user session. Because the name of the downloadable access list includes the date and time it was last modified, matching the name sent by Cisco Secure ACS to the name of an access list previous downloaded means that the security appliance has the most recent version of the downloadable access list.
If the security appliance has not previously received the named downloadable access list, it may

have an out-of-date version of the access list or it may not have downloaded any version of the access list. In either case, the security appliance issues a RADIUS authentication request using the downloadable access list name as the username in the RADIUS request and a null password attribute. In a cisco-av-pair RADIUS VSA, the request also includes the following attribute-value pairs:
AAA:service=ip-admission AAA:event=acl-download

In addition, the security appliance signs the request with the Message-Authenticator attribute (IETF RADIUS attribute 80).

ASDM User Guide

19-14

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring a RADIUS Server for Authorization

4.

Upon receipt of a RADIUS authentication request that has a username attribute containing the name of a downloadable access list, Cisco Secure ACS authenticates the request by checking the Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect, Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute prevents malicious use of a downloadable access list name to gain unauthorized network access. The Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions, available at http://www.ietf.org. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds with an access-accept message containing the access list. The largest access list that can fit in a single access-accept message is slightly less than 4 KB because some of the message must be other required attributes. Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access list is formatted as a series of attribute-value pairs that each contain an ACE and are numbered serially:
ip:inacl#1=ACE-1 ip:inacl#2=ACE-2 . . . ip:inacl#n=ACE-n

5.

An example of an attribute-value pair follows:


ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

6.

If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds with an access-challenge message that contains a portion of the access list, formatted as described above, and an State attribute (IETF RADIUS attribute 24), which contains control data used by Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum RADIUS message size. The security appliance stores the portion of the access list received and responds with another access-request message containing the same attributes as the first request for the downloadable access list plus a copy of the State attribute received in the access-challenge message. This repeats until Cisco Secure ACS sends the last of the access list in an access-accept message.

Configuring Cisco Secure ACS for Downloadable Access Lists


You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and then assign the access list to a group or to an individual user. The access list definition consists of one or more security appliance commands that are similar to the extended access-list command, except without the following prefix:
access-list acl_name extended

The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:
+--------------------------------------------+ | Shared profile Components | | | | Downloadable IP ACLs Content | | | | Name: acs_ten_acl | | | | ACL Definitions | | |

ASDM User Guide OL-10106-01

19-15

Chapter 19 Configuring a RADIUS Server for Authorization

Configuring AAA Rules

| permit tcp any host 10.0.0.254 | | permit udp any host 10.0.0.254 | | permit icmp any host 10.0.0.254 | | permit tcp any host 10.0.0.253 | | permit udp any host 10.0.0.253 | | permit icmp any host 10.0.0.253 | | permit tcp any host 10.0.0.252 | | permit udp any host 10.0.0.252 | | permit icmp any host 10.0.0.252 | | permit ip any any | +--------------------------------------------+

For more information about creating downloadable access lists and associating them with users, see the user guide for your version of Cisco Secure ACS. On the security appliance, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number

The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding example), and number is a unique version ID generated by Cisco Secure ACS. The downloaded access list on the security appliance consists of the following lines:
access-list access-list access-list access-list access-list access-list access-list access-list access-list access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit permit permit permit permit permit permit permit permit permit tcp any host 10.0.0.254 udp any host 10.0.0.254 icmp any host 10.0.0.254 tcp any host 10.0.0.253 udp any host 10.0.0.253 icmp any host 10.0.0.253 tcp any host 10.0.0.252 udp any host 10.0.0.252 icmp any host 10.0.0.252 ip any any

Configuring Any RADIUS Server for Downloadable Access Lists


You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific access lists to the security appliance in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1). In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended command, except that you replace the following command prefix:
access-list acl_name extended

with the following text:


ip:inacl#nnn=

The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command statement to be configured on the security appliance. If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 ip:inacl#99=deny tcp any any ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 ip:inacl#100=deny udp any any ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

ASDM User Guide

19-16

OL-10106-01

Chapter 19

Configuring AAA Rules Configuring a RADIUS Server for Authorization

For information about making unique per user the access lists that are sent in the cisco-av-pair attribute, see the documentation for your RADIUS server. On the security appliance, the downloaded access list name has the following format:
AAA-user-username

The username argument is the name of the user that is being authenticated. The downloaded access list on the security appliance consists of the following lines. Notice the order based on the numbers identified on the RADIUS server.
access-list access-list access-list access-list access-list AAA-user-bcham34-79AD4A08 AAA-user-bcham34-79AD4A08 AAA-user-bcham34-79AD4A08 AAA-user-bcham34-79AD4A08 AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0 deny tcp any any deny udp any any

Downloaded access lists have two spaces between the word access-list and the name. These spaces serve to differentiate a downloaded access list from a local access list. In this example, 79AD4A08 is a hash value generated by the security appliance to help determine when access list definitions have changed on the RADIUS server.

Converting Wildcard Netmask Expressions in Downloadable Access Lists


If a RADIUS server provides downloadable access lists to Cisco VPN 3000 Series Concentrators as well as to the security appliance, you may need the security appliance to convert wildcard netmask expressions to standard netmask expressions. This is because Cisco VPN 3000 Series Concentrators support wildcard netmask expressions but the security appliance only supports standard netmask expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize the effects of these differences upon how you configure downloadable access lists on your RADIUS servers. Translation of wildcard netmask expressions means that downloadable access lists written for Cisco VPN 3000 Series Concentrators can be used by the security appliance without altering the configuration of the downloadable access lists on the RADIUS server. You configure access list netmask conversion on a per server basis, using the acl-netmask-convert command, available in the aaa-server configuration mode. For more information about configuring a RADIUS server, see AAA Setup. For more information about the acl-netmask-convert command, see the Cisco Security Appliance Command Reference.

Configuring a RADIUS Server to Download Per-User Access Control List Names


To download a name for an access list that you already created on the security appliance from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows:
filter-id=acl_name

Note

In Cisco Secure ACS, the value for filter-id attributes are specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name. For information about making unique per user the filter-id attribute value, see the documentation for your RADIUS server.

ASDM User Guide OL-10106-01

19-17

Chapter 19 Configuring a RADIUS Server for Authorization

Configuring AAA Rules

ASDM User Guide

19-18

OL-10106-01

C H A P T E R

20

Configuring Filter Rules


This section contains the following topics:

URL Filtering, page 20-1 Filter Rules, page 20-5

URL Filtering
Configuration > Properties > URL Filtering You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve security appliance performance by using a separate server running one of the following Internet filtering products:

Websense Enterprise for filtering HTTP, HTTPS, and FTP. Secure Computing SmartFilter for filtering HTTP only. (Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.)

Although security appliance performance is less affected when using an external server, users may notice longer access times to websites or FTP servers when the filtering server is remote from the security appliance. When filtering is enabled and a request for content is directed through the security appliance, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the security appliance forwards the response from the content server to the originating client. If the filtering server denies the connection, the security appliance drops the response and sends a message or return code indicating that the connection was not successful. If user authentication is enabled on the security appliance, then the security appliance also sends the user name to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting regarding usage.
General Procedure

The following summarizes the procedure for enabling filtering with an external filtering server.
Step 1 Step 2 Step 3

Identify the filtering server. (Optional) Buffer responses from the content server (optional). (Optional) Cache content server addresses to improve performance (optional).

ASDM User Guide OL-10106-01

20-1

Chapter 20 URL Filtering

Configuring Filter Rules

Step 4 Step 5

Configure filtering rules. See Filter Rules. Configure the external filtering server. For more information refer to the following websites:

http://www.websense.com http://www.securecomputing.com

You can identify up to four filtering servers per context. In single mode a maximum of 16 servers are allowed. The security appliance uses the servers in order until a server responds. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.

Note

You must add the filtering server before you can configure filtering for HTTP, HTTPS, or FTP filtering rules.
Fields

URL Filtering Server area


WebsenseEnables the Websense URL filtering servers Secure Computing SmartFilterEnables the Secure Computing SmartFilter URL filtering

server.
Secure Computing SmartFilter PortSpecifies the Secure Computing SmartFilter port. The

default is 4005.
InterfaceDisplays the interface connected to the filtering server. IP AddressDisplays the IP address of the filtering server. TimeoutDisplays the number of seconds after which the request to the filtering server times

out.
ProtocolDisplays the protocol used to communicate with the filtering server. TCP ConnectionsDisplays the maximum number of TCP connections allowed for

communicating with the URL filtering server.


AddAdds a new filtering server, depending on whether you have selected Websense or Secure

Computing SmartFilter.
Insert BeforeAdds a new filtering server in a higher priority position than the currently

selected server.
Insert AfterAdds a new filtering server in a lower priority position than the currently selected

server.
EditLets you modify parameters for the selected filtering server DeleteDeletes the selected filtering server.

ApplyApplies the changes to the running configuration. ResetRemoves any changes that have not been applied. AdvancedDisplays advanced filtering parameters, including buffering caching, and long URL support.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

20-2

OL-10106-01

Chapter 20

Configuring Filter Rules URL Filtering

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Filter Rules

Add/Edit Parameters for Websense URL Filtering


Configuration > Properties > URL Filtering > Add/Edit Parameters for Websense URL Filtering

InterfaceSpecifies the interface on which the URL filtering server is connected. IP AddressSpecifies the IP address of the URL filtering server. TimeoutSpecifies the number of seconds after which the request to the filtering server times out. Protocol area
TCP 1Uses TCP Version 1 for communicating with the Websense URL filtering server. TCP 4Uses TCP Version 4 for communicating with the Websense URL filtering server. UDP 4Uses UDP Version 4 for communicating with the Websense URL filtering server.

TCP ConnectionsSpecifies the maximum number of TCP connections allowed for communicating with the URL filtering server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Parameters for Secure Computing SmartFilter URL Filtering


Configuration > Properties > URL Filtering > Add/Edit Parameters for Secure Computing SmartFilter URL Filtering

InterfaceSpecifies the interface on which the URL filtering server is connected. IP AddressSpecifies the IP address of the URL filtering server. TimeoutSpecifies the number of seconds after which the request to the filtering server times out. Protocol area
TCPUses TCP for communicating with the Secure Computing SmartFilter URL filtering

server.

ASDM User Guide OL-10106-01

20-3

Chapter 20 URL Filtering

Configuring Filter Rules

UDPUses UDP for communicating with the Secure Computing SmartFilter URL filtering

server. TCP ConnectionsSpecifies the maximum number of TCP connections allowed for communicating with the URL filtering server.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Advanced URL Filtering


Configuration > Properties > URL Filtering > Advanced URL Filtering
Fields

URL Cache Size area After a user accesses a site, the filtering server can allow the security appliance to cache the server address for a certain amount of time, as long as every site hosted at the address is in a category that is permitted at all times. Then, when the user accesses the server again, or if another user accesses the server, the security appliance does not need to consult the filtering server again.

Note

Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports.

Enable caching based onEnables caching based on the specified criteria.

Destination AddressCaches entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server. URL request as well as the URL destination address. Select this mode if users do not share the same URL filtering policy on the server

Source/Destination AddressCaches entries based on both the source address initiating the

Cache sizeSpecifies the size of the cache.

URL Buffer Size area When a user issues a request to connect to a content server, the security appliance sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This delays the web server response from the point of view of the web client because the client must reissue the request. By enabling the HTTP response buffer, replies from web content servers are buffered and the responses are forwarded to the requesting client if the filtering server allows the connection. This prevents the delay that might otherwise occur.

Enable bufferingEnables request buffering.


Number of 1550-byte buffersSpecifies the number of 1550-byte buffers.

ASDM User Guide

20-4

OL-10106-01

Chapter 20

Configuring Filter Rules Filter Rules

Long URL Support area By default, the security appliance considers an HTTP URL to be a long URL if it is greater than 1159 characters. For Websense servers, you can increase the maximum length allowed.
Use Long URLEnables long URLs for Websense filtering servers. Maximum Long URL SizeSpecifies the maximum URL length allowed, up to a maximum of

4 KB.
Memory Allocated for Long URLSpecifies the memory allocated for long URLs.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Filter Rules
Configuration > Security Policy > Filter Rules The Filter Rules window displays configured filter rules and provides options for adding new filter rules or modifying existing rules. A filter rule specifies the type of filtering to apply and the kind of traffic to which it should be applied.

Note

Before you can add an HTTP, HTTPS, or FTP filter rule, you must enable a URL filtering server. To enable a URL filtering server, use the Features > Configuration > Properties > URL Filtering screen. For more information see URL Filtering.
Benefits

The Filter Rules window provides information about the filter rules that are currently configured on the security appliance. It also provides buttons that you can use to add or modify the filter rules and to increase or decrease the amount of detail shown in the window. Filtering allows greater control over any traffic that your security policy allows to pass through the security appliance. Instead of blocking access altogether, you can remove specific undesirable objects from HTTP traffic, such as ActiveX objects or Java applets, that may pose a security threat in certain situations. You can also use URL filtering to direct specific traffic to an external filtering server, such as Secure Computing SmartFilter or Websense. These servers can block traffic to specific sites or types of sites, as specified by your security policy. Because URL filtering is CPU-intensive, using an external filtering server ensures that the throughput of other traffic is not affected. However, depending on the speed of your network and the capacity of your URL filtering server, the time required for the initial connection may be noticeably slower for filtered traffic.
Fields

NoNumeric identifier of the rule. Rules are applied in numeric order.

ASDM User Guide OL-10106-01

20-5

Chapter 20 Filter Rules

Configuring Filter Rules

SourceSource host or network to which the filtering action applies. DestinationDestination host or network to which the filtering action applies. ServiceIdentifies the protocol or service to which the filtering action applies. ActionType of filtering action to apply. OptionsIndicates the options that have been enabled for the specific action. AddDisplays the Add Filter Rule dialog box for adding a new filtering rule. EditDisplays the Edit Filter Rule dialog box for editing the selected filtering rule. DeleteDeletes the selected filtering rule. MoveUpMoves the filter rule up. MoveDownMoves the filter rule down. CutLets you to cut a filter rule and place it elsewhere. CopyLets you copy a filter rule. PasteLets you paste a filter rule elsewhere. FindLets you search for a filter rule. Clicking on this button brings up an extended tool bar.
FilterLets you search by source, destination, source, action, or rule query, using the

drop-down menu.
....Lets you select the source of the filter, and brings up the Select Source dialog box. FilterLets you input a filter. ClearLets you clear a filter rule. Rule QueryLets you devise a query to search for a rule.

Use the Addresses tab to select the source of the filter rule that you are choosing.
TypeLets you select a source from the drop-down menu, selecting from All, IP Address

Objects, IP Names, or Network Object groups.


NameLists the name(s) of the filter rule. AddLets you add a filter rule. EditLets you edit a filter rule. DeleteLets you delete a filter rule. FindLets you find a filter rule.

Use the Services tab to select a predefined filter rule.


TypeLets you select a source from the drop-down menu, selecting from All, IP Address

Objects, IP Names, or Network Object groups.


NameLists the name(s) of the filter rule. EditLets you edit a filter rule. DeleteLets you delete a filter rule. FindLets you find a filter rule.

Use the Time Ranges to select a time range for the filter rule.
AddAddLets you add a time range for the filter rule. EditLets you edit a time range for the filter rule.

ASDM User Guide

20-6

OL-10106-01

Chapter 20

Configuring Filter Rules Filter Rules

DeleteLets you delete a time range for a filter rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select Source
Configuration > Security Policy > Filter Rules >Select Source Use the Select Source dialog box to select the source of the filter rule that you are closing.
Fields

TypeLets you select a source from the drop-down menu, selecting from All, IP Address Objects, IP Names, or Network Object groups. NameLists the name(s) of the filter rule. IP AddressLists the IP address of the filter rule(s). NetmaskLists the netmask of the filter rule(s). Description (optional)Lists descriptions for the filter rules.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rule Query
Configuration > Security Policy > Filter Rules >Select Source > Rule Query
Fields

NameLets you enter the name of the filter rule for the query. Description (optional)Lets you enter a description of the filter rule for the query.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

20-7

Chapter 20 Filter Rules

Configuring Filter Rules

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Filter Rule


Configuration > Security Policy > Filter Rules > Add/Edit Filter Rule Use the Add Filter Rule dialog box to specify the interface on which the rule applies, to identify the traffic to which it applies, or to configure a specific type of filtering action.

Note

Before you can add an HTTP, HTTPS, or FTP filter rule, you must enable a URL filtering server. To enable a URL filtering server, use the Features > Configuration > Properties > URL Filtering screen. For more information see URL Filtering.
Fields

ActionProvides the following drop-down list of different filtering actions to apply:


Filter ActiveX Do not filter ActiveX Filter Java Applet Do not filter Java Applet Filter HTTP (URL) Do not filter HTTP (URL) Filter HTTPS Do not filter HTTPS Filter FTP Do not filter FTP

The Rule Flow Diagram and the Filtering Option area changes according to which filtering action you select.

Source area
IP AddressUse the IP address to identify the traffic to which the filtering action applies. ...Opens the Browse Source Address dialog box. NetmaskSpecifies the Subnet mask used to identify the traffic to which the filtering action

applies when IP Address is selected.

Destination area
IP AddressIdentifies the traffic to which the filtering action applies. NetmaskSpecifies the Subnet mask used to identify the traffic to which the filtering action

applies when IP Address is selected.

ASDM User Guide

20-8

OL-10106-01

Chapter 20

Configuring Filter Rules Filter Rules

Rule Flow Diagram area Provides a graphic representation of how a specific filtering action is applied to traffic that is forwarded through the security appliance. ActiveX Filtering Option areaThis area appears only when you select the Filter ActiveX option from the drop-down list.
ActiveX Filtering OptionWhen you select the Filter ActiveX option from the drop-down list,

this field appears and lets you specify the TCP/UDP port on which the security appliance listens for traffic to which the filtering action applies.

Java Filtering OptionThis area appears only when you select the Filter Java option from the drop-down list.
Java Filtering OptionWhen you select the Filter Java option from the drop-down list, this field

appears and lets you specify the TCP/UDP port on which the security appliance listens for traffic to which the filtering action applies.

HTTP Filtering OptionThis area appears only when you select the Filter HTTP option from the drop-down list.
Filter HTTP on port(s)Specify the TCP/UDP port on which the security appliance listens for

traffic to which the filtering action applies.


Block connections to proxy serverPrevent HTTP requests made through a proxy server. Allow outbound traffic if URL server is not availableWhen enabled, if the URL filtering

server is down or connectivity is interrupted to the security appliance, users will be able to connect without URL filtering being performed. If this is disabled, users will not be able to connect to Internet websites when the URL server is unavailable.
Truncate CGI requests by removing the CGI parametersThe security appliance forwards only

the CGI script location and the script name, without any parameters, to the filtering server.

HTTPS Filtering OptionThis area appears only when you select the Filter HTTPS option from the drop-down list.
Filter HTTPS on port(s)specify the TCP/UDP port on which the security appliance listens for

traffic to which the filtering action applies.


Allow outbound traffic if URL server is not availableWhen enabled, if the URL filtering

server is down or connectivity is interrupted to the security appliance, users will be able to connect without URL filtering being performed. If this is disabled, users will not be able to connect to Internet websites when the URL server is unavailable.

FTP Filtering OptionThis area appears only when you select the Filter FTP option from the drop-down list.
Filter FTP on port(s)Specifies the TCP/UDP port on which the security appliance listens for

traffic to which the filtering action applies.


Allow outbound traffic if URL server is not availableWhen enabled, if the URL filtering

server is down or connectivity is interrupted to the security appliance, users will be able to connect without URL filtering being performed. If this is disabled, users will not be able to connect to Internet websites when the URL server is unavailable.
Block outbound traffic if absolute FTP path is not providedWhen enabled, FTP requests are

dropped if they use a relative path name to the FTP directory.


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

20-9

Chapter 20 Filter Rules

Configuring Filter Rules

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Browse Source/Destination Address


Configuration > Security Policy > Filter Rules > Add/Edit Filter Rule >Browse Source Address
Fields

TypeLets you select from one of the following types of sources: IP Address Objects, IP Names, or Network Address Groups. NameSpecifies the name used to identify the traffic to which the filtering action applies when the Name button is selected. IP AddressSpecifies the IP address used to identify the traffic to which the filtering action applies. NetmaskSpecifies the Subnet mask used to identify the traffic to which the filtering action applies when IP Address is selected. Description (optional)Specifies a description for the filter.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Filter Rules URL Filtering

ASDM User Guide

20-10

OL-10106-01

C H A P T E R

21

Configuring Service Policy Rules


This chapter describes how to enable service policy rules. Service policy rules define how specific types of application inspection are applied to different types of traffic that is received by the security appliance. You apply a specific rule to an interface or globally to every interface.

Configuring Service Policy Rules


This section describes how to configure service policy rules, and includes the following topics:

Service Policy Rules, page 21-1 SUNRPC Server, page 21-32

Service Policy Rules


Configuration > Security Policy > Service Policy Rules Some applications require special handling by the security appliance and specific application inspection engines are provided for this purpose. Applications that require special application inspection engines are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports. Application inspection is enabled by default for many protocols, while it is disabled for other protocols. In many cases, you can change the port on which the application inspection listens for traffic. Application inspection engines work with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation. Service policy rules define how specific types of application inspection are applied to different types of traffic that is received by the security appliance. You apply a specific rule to an interface or globally to every interface. Use traffic match criteria to define the set of traffic to which you want to apply application inspection. For example, TCP traffic with a port value of 23 might be classified as the Telnet traffic class. You can use the traffic class to change the default port for application inspection for protocols where this is permitted. Multiple traffic match criteria can be assigned to a single interface, but a packet will only match the first criteria within a specific service policy rule.

ASDM User Guide OL-10106-01

21-1

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Fields

AddAdds a new service policy rule. Choose the type of rule you want to add from the drop-down list. EditEdits a service policy rule. DeleteDeletes a service policy rule. Move UpMoves a rule up. Rules are assessed in the order they appear in this table, so the order can matter if you have overlapping rules. Move DownMoves a rule down. CutCuts a rule. CopyCopies the parameters of a rule so you can start a new rule with the same parameters using the Paste button. PasteOpens an Add/Edit Rule dialog box with the copied or cut parameters of a rule prefilled. You can then make any modifications and add it to the table. The Paste button adds the rule above the selected rule. The Paste After item, available from the Paste drop-down list, adds the rule after the selected rule. FindFilters the display to show only matching rules. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter drop-down listChoose the criteria to filter on, either Interface, Source, Destination,

Service, or Rule Query. A rule query is a collection of multiple criteria that you can save and use repeatedly.
Filter fieldFor the Interface type, this field becomes a drop-down list so you can choose an

interface name, or All Interfaces. For the Rule Query type, the drop-down list includes all defined rule queries. The Source and Destination types accept an IP address. You can type one manually, or browse for one by clicking the ... button and launching the Browse Address dialog box. The Service type accepts a TCP, UDP, TCP-UDP, ICMP, or IP protocol type. You can type one manually, or browse for one by clicking the ... button and launching the Browse Service Groups dialog box.
FilterRuns the filter. ClearClears the Filter field. Rule QueryOpens the Rule Queries dialog box so you can manage named rule queries.

Show Rule Flow DiagramShows the Rule Flow Diagram area under the rule table. This diagram shows the networks, type of traffic, interface name, direction of flow, and action. Packet TraceOpens the Packet Tracer tool with the parameters pre-filled with the characteristics of the selected rule.

The following description summarizes the columns in the Service Policy Rules table. You can edit the contents of these columns by double-clicking on a table cell. Double-clicking on a column header sorts the table in ascending alphanumeric order, using the selected column as the sort key. If you right-click a rule, you see all of the options represented by the buttons above, as well as Insert and Insert After items. These items either insert a new rule before the selected rule (Insert) or after the selected rule (Insert After.)

NameIndicates the name of the rule. NoIndicates the order of evaluation for the rule. EnabledIndicates whether the rule is enabled or disabled. MatchIndicates if the criteria are used to include (match) or exclude (do not match) traffic.

ASDM User Guide

21-2

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

SourceLists the IP addresses that are subject to service policy when traffic is sent to the IP addresses listed in the Destination column. DestinationLists the IP addresses that are subject to service policy when traffic is sent from the IP addresses listed in the Source column. ServiceShows the service or protocol specified by the rule. TimeDisplays the time range during which the rule is applied. Rule ActionsShows the actions applied by the rule. DescriptionThe description you entered when you added the rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Service Policy
Add Service Policy Rule Wizard > Service Policy The Service Policy dialog box lets you add a new service policy rule, apply the rule to a specific interface, or apply the rule globally to all interfaces.
Fields

Create a service policy and apply to area


InterfaceApplies the rule to a specific interface. This selection is required if you want to

match traffic based on the source or destination IP address using an access list.
InterfaceSpecifies the interface to which the rule applies. Policy NameSpecifies the name of the interface service policy. DescriptionProvides a text description of the policy. Global - applies to all interfacesApplies the rule to all interfaces. This selection is not

compatible with matching traffic based on the source or destination IP address using an access list.
Policy NameSpecifies the name of the global service policy. Only one global service policy

is allowed and it cannot be renamed.


DescriptionProvides a text description of the policy.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

21-3

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Service Policy


Configuration > Security Policy > Service Policy Rules > Edit Service Policy The Edit Service Policy dialog box lets you change the description for the selected service policy.
Fields

DescriptionProvides a text description of the service policy.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Traffic Classification Criteria


Add/Edit Service Policy Rule Wizard > Traffic Classification Criteria The Traffic Classification tab on the Edit Service Policy Rule screen lets you specify the criteria you want to use to match traffic to which the security policy rule applies.
Fields

NameIdentifies the name of the traffic class. Description (optional)Provides a text description of the new traffic class. Traffic match criteria area:
Default Inspection TrafficUses the criteria specified in the default inspection traffic policy. Source and Destination IP Address (uses ACL)Matches traffic based on the source and

destination IP address, using an ACL. This selection is only available if you apply the rule to a specific interface using an Interface Service Policy.
Tunnel GroupMatches traffic based on the tunnel group. TCP or UDP Destination PortMatches traffic based on the TCP or UDP destination port. RTP RangeMatches traffic based on a range of RTP ports. IP DiffServ CodePoints (DSCP)Matches traffic based on the Differentiated Services model

of QoS.

ASDM User Guide

21-4

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

IP PrecedenceMatches traffic based on the IP precedence model of QoS. Any trafficMatches all traffic regardless of the traffic type.

Add rule to existing traffic classAdds the rule to the existing traffic class that is selected in the drop-down list. Use class-default as the traffic classSpecifies that the class-default traffic class is used when traffic does not match any other traffic class.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Default Inspections
Add/Edit Service Policy Rule Wizard > Traffic Classification Criteria > Default Inspections The Default Inspections dialog box lists the default port assignments that are used when you select the Default Inspection Traffic criteria on the Traffic Classification Criteria dialog box.

ServiceThis lists the application inspection engine type. ProtocolThis identifies whether the application inspection uses TCP or UDP for the transport protocol. PortThis identifies the port number used by the Default Inspection Traffic criteria.

Management Type Traffic Class and Action


Add/Edit Service Policy Rule Wizard > Management Type Traffic Class and Action The Management Class dialog box lets you configure the management traffic classification and define actions for the classified traffic.
Fields

NameIdentifies the name of the traffic management class. Description (optional)Provides a text description of the new traffic management class. Match on Destination Port area:
ProtocolMatches traffic based on the TCP or UDP destination port. ServiceChoose the = (equal) operator or range to specify a range of ports. Either type a

number, or choose a well-known port name from the drop-down list. For a range, you must specify numbers.

Protocol Inspection area:


RADIUS Accounting MapChoose a defined RADIUS accounting map from the drop-down

list.

ASDM User Guide OL-10106-01

21-5

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

ConfigureOpens the Select RADIUS Accounting Map dialog box to select a defined RADIUS accounting map or add a RADIUS accounting map or for fine control over inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select RADIUS Accounting Map


Add/Edit Service Policy Rule Wizard > Management Type Traffic Class and Action > Select RADIUS Accounting Map The Select RADIUS Accounting Map dialog box lets you select a defined RADIUS accounting map or define a new one.
Fields

AddLets you add a new RADIUS accounting map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add RADIUS Accounting Policy Map


Add/Edit Service Policy Rule Wizard > Management Type Traffic Class and Action > Select RADIUS Accounting Map > Add RADIUS Accounting Policy Map The Add RADIUS Accounting Policy Map dialog box lets you add the basic settings for the RADIUS accounting map.
Fields

NameEnter the name of the previously configured RADIUS accounting map. DescriptionEnter the description of the RADIUS accounting map, up to 100 characters in length. Host Parameters tab:
Host IP AddressSpecify the IP address of the host that is sending the RADIUS messages. Key: (optional)Specify the key. AddAdds the host entry to the Host table.

ASDM User Guide

21-6

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

DeleteDeletes the host entry from the Host table.

Other Parameters tab:


Attribute NumberSpecify the attribute number to validate when an Accounting Start is

received.
AddAdds the entry to the Attribute table. DeleteDeletes the entry from the Attribute table. Send response to the originator of the RADIUS messageSends a message back to the host

from which the RADIUS message was sent.


Enforce timeoutEnables the timeout for users.

Users TimeoutTimeout for the users in the database (hh:mm:ss).

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Using Default Inspection Traffic Criteria


The fixup command, which is available in PIX Firewall Version 6.3 and earlier releases, provided a simple, global policy for application inspection. The Modular Policy Framework provides a much more granular method of inspecting traffic. Modular Policy Framework lets you select the traffic for a specific application inspection and this can improve the performance of the security appliance. Performance is improved because the application inspection engine only inspects a limited amount of traffic. To simplify enabling application inspection on the default ports, use the default inspection traffic criteria. When you specify the default inspection traffic criteria the security appliance selects traffic for application inspection on the well-known port for each protocol. Table 1 lists the default port assignments for each protocol.
Table 1 Default Port Assignments

Protocol Name ctiqbe dns esmtp/smtp ftp gtp h323 h225 h323 ras http icmp

Protocol tcp udp tcp tcp udp tcp udp tcp icmp

Source Port N/A 53 N/A N/A 2123,3386 N/A N/A N/A N/A

Destination Port 2748 53 25 21 2123,3386 1720 1718-1719 80 N/A

ASDM User Guide OL-10106-01

21-7

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Table 1

Default Port Assignments (continued) (continued)

Protocol Name ils mgcp netbios pptp rsh rtsp sip skinny sqlnet sunrpc tftp xdmcp

Protocol tcp udp udp tcp tcp tcp tcp, udp tcp tcp udp udp udp

Source Port N/A 2427,2727 137-138 1723 N/A N/A N/A N/A N/A 111 N/A 177

Destination Port 389 2427,2727 N/A 1723 514 554 5060 2000 1521 111 69 177

When you select the default inspection traffic criteria, you can then enable each protocol on the Protocol Inspection tab of the Rule Actions screen. The protocol will be enabled on its default port. You can restrict inspection to a specific flow by using the Source and destination IP address (uses ACL) button and selecting specific criteria, such as Source Host/Network or Destination Host/Network from the Service Policy Rule screen.

Note

The default inspection traffic criteria override any port settings in the Protocol and Service group box. That means that you cannot change any of the default port assignments for any protocol when the default inspection traffic criteria are used. The inspection_default security policy is a preconfigured global policy that enables application inspection using the default inspection traffic criteria. This global policy is enabled in the security appliance factory default configuration.

Note

When you specify the default inspection traffic as the traffic match criteria, only inspect rule actions can be applied in the security policy for the specified interface. Actions on the QoS and Connection Settings tabs cannot be applied.

Changing Default Ports for Application Inspection


The default inspection traffic criteria override any port settings in the Protocol and Service group box. That means that you cannot change any of the default port assignments for any protocol when the default inspection traffic criteria are used. To change the default port assignment for any protocol, you must manually configure and enable each inspection engine. To use Modular Policy Framework for changing the default port assignment for a protocol, perform the following steps:

ASDM User Guide

21-8

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Step 1

Click Service Policy Rules on the Security Policy panel and then click Add. The Add Service Policy Rule Wizard - Service Policy screen appears. Create a service policy. To create a security policy for a specific interface, on the Create a service policy and apply to group box, click the Interface radio button and select an available interface from the selection list. To create a global security policy to be applied to all interfaces, on the Create a service policy and apply to group box, click the Global radio button.

Step 2

Step 3

Type a name of up to 40 characters in the Policy Name box and click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria screen appears.

Step 4 Step 5

Click the Source and destination IP address (uses ACL) button. Select the Source Port and Destination Port for the protocol in the Protocol and Service group box and click Next. The Add Service Policy Rule Wizard - Rule Actions screen appears. Click the checkbox for the protocol you want to enable and click Finish. The new service policy is shown in the Service Policy Rules table on the Security Policy panel. To enable another inspection engine, select the service policy and click Add. The Add Service Policy Rule Wizard - Service Policy screen appears.

Step 6

Step 7

Step 8

Click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria screen appears. Click Create a new traffic class and change the name of the traffic class, if necessary. By default, the number at the end of the name for each traffic class is incremented as you add each new class.

Step 9

Step 10 Step 11 Step 12

Click Source and destination IP address (uses ACL). Click the Traffic Match tab. Select the second port number for the protocol in the Protocol and Service group box and click OK. The new access control entry is shown in the Service Policy Rules table on the Security Policy panel.

Configuring Application Inspection with Multiple Ports


To use Modular Policy Framework for changing the default port assignment for protocols that use more than one port, perform the following steps:
Step 1

Click Service Policy Rules on the Security Policy panel and then click Add. The Add Service Policy Rule Wizard - Service Policy screen appears. Create a service policy. To create a security policy for a specific interface, on the Create a service policy and apply to group box, click the Interface radio button and select an available interface from the selection list.

Step 2

ASDM User Guide OL-10106-01

21-9

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

To create a global security policy to be applied to all interfaces, on the Create a service policy and apply to group box, click the Global radio button.
Step 3

Type a name of up to 40 characters in the Policy Name box and click Next. The Add Service Policy Rule Wizard - Traffic Classification Criteria screen appears. Click the Source and destination IP address (uses ACL) button. Select the first port number for the protocol in the Protocol and Service group box and click Next. The Add Service Policy Rule Wizard - Rule Actions screen appears. Define the rule action to apply to the specified traffic flow, using one of the following tabs:

Step 4 Step 5

Step 6

Protocol Inspection Connection Settings QoS

Step 7

Click Finish. The new service policy is shown in the Service Policy Rules table on the Security Policy panel.

Step 8 Step 9

Right-click the security policy on the Service Policy Rules table. On the pop-up menu that appears, select Insert After. The Insert Service Policy Rule After screen appears.

Step 10 Step 11

Click the Traffic Match tab. Select the second port number for the protocol in the Protocol and Service group box and click OK. The new access control entry is shown in the Service Policy Rules table on the Security Policy panel.

Source and Destination Address (This dialog is called ACL in other contexts)
(This dialog box is called ACL when editing a service policy rule)

Add/Edit Service Policy Rule Wizard > Traffic Match > Source and Destination Address Configuration > Security Policy > Edit Service Policy Rule > ACL Tab

(You can get to this dialog box through various paths.) This dialog box lets you identify the traffic to which a service policy rule applies based on the IP address or TCP/UDP port of the sending or receiving host. You can also use this dialog box to select a Time Range during which the policy rule is in effect.
Fields

Select an actionLets you specify whether the traffic must match or must not match the criteria specified on this dialog box. Time Range area
Time RangeLets you select a named time range during which the policy rule is in effect. NewLets you access the Add Time Range dialog box. For more information, see Add/Edit

Time Range.

Source Host/Network area

ASDM User Guide

21-10

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

IP AddressSpecifies that the source of the traffic is to be identified by IP address. When you

select this button, the Interface drop-down list, IP address field, . . . button, and Mask drop-down list appear within the area.
NameSpecifies that the source of the traffic is to be identified by interface name. When you

select this button, the Name drop-down list appears within the area.
GroupSpecifies that the source of the traffic is to be identified by object groups. When you

select this button, the Interface drop-down list and Group drop-down list appear within the area.
InterfaceSpecifies the name of the interface that the source of the traffic is on. This

drop-down list appears only when the IP Address button or the Group button is selected.
IP addressSpecifies the IP address used to identify the source of the traffic. This field appears

only when the IP Address button is selected.


. . .Lets you access the Select host/network dialog box, which lets you select a host or network

from a preconfigured drop-down list. This button appears only when the IP Address button is selected.
MaskSpecifies the subnet mask for the address entered in the IP address field. This field

appears only when the IP Address button is selected.


NameSpecifies the name of the interface that the source of the traffic is on. This drop-down

list appears only when the Name button is selected.


GroupSpecifies the object group that the source of the traffic is in. The items on the

drop-down list is controlled by the Hosts/Networks window. For more information about that window, see Network Object Groups. The Group drop-down list appears only when the Group button is selected.

Destination Host/Network area


IP AddressSpecifies that the destination of the traffic is to be identified by IP address. When

you select this button, the Interface drop-down list, IP address field, . . . button, and Mask drop-down list appear within the area.
NameSpecifies that the destination of the traffic is to be identified by interface name. When

you select this button, the Name drop-down list appears within the area.
GroupSpecifies that the destination of the traffic is to be identified by object groups. When

you select this button, the Interface drop-down list and Group drop-down list appear within the area.
InterfaceSpecifies the name of the interface that the destination of the traffic is on This

drop-down list appears only when the IP Address button or the Group button is selected.
IP addressSpecifies the IP address used to identify the destination of the traffic. This field

appears only when the IP Address button is selected.


. . .Lets you access the Select host/network dialog box, which lets you select a host or network

from a preconfigured drop-down list. This button appears only when the IP Address button is selected.
MaskSpecifies the subnet mask for the address entered in the IP address field. This field

appears only when the IP Address button is selected.


NameSpecifies the name of the interface that the destination of the traffic is on. This

drop-down list appears only when the Name button is selected.

ASDM User Guide OL-10106-01

21-11

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

GroupSpecifies the object group that the destination of the traffic is in. The items on the

drop-down list is controlled by the Hosts/Networks window. For more information about that window, see Network Object Groups. The Group drop-down list appears only when the Group button is selected.

Rule Flow DiagramProvides a graphic representation of how a specific filtering action is applied to traffic that is forwarded through the security appliance. Protocol and Service area
TCPMatches traffic based on the TCP protocol or service. UDPMatches traffic based on the UDP protocol or service. ICMPMatches traffic based on the ICMP protocol value. IPMatches traffic based on the IP protocol value. Manage Service GroupsDisplays the Manage Service Groups dialog box, which lets you

create and edit service groups. This button is available only when the TCP button is selected.
Source PortAppears only when either the TCP or UDP radio button is selected.

ServiceMatches traffic based on the source port value. OperatorSpecifies whether to identify a singe port or a range of ports to match. When you select = (equal to), not= (not equal to), > (greater than), or < (less than) from the drop-down list, the . . . button appears, which lets you select a specific named port. When you select range from the drop-down list, two fields appear that let you enter the starting and ending ports in the range. ...Displays the Service dialog box, which lets you select the named values for the TCP or UDP ports to match. Service GroupMatches traffic based on the source service group. To control the items on the drop-down list, use the Manage Service Groups button.
Destination PortAppears only when either the TCP or UDP radio button is selected.

ServiceMatches traffic based on the destination port value. OperatorSpecifies whether to identify a singe port or a range of ports to match. When you select = (equal to), not= (not equal to), > (greater than), or < (less than) from the drop-down list, the . . . button appears, which lets you select a specific named port. When you select range from the drop-down list, two fields appear that let you enter the starting and ending ports in the range. ...Displays the Service dialog box, which lets you select the named values for the TCP or UDP ports to match. Service GroupMatches traffic based on the destination service group. To control the items on the drop-down list, use the Manage Service Groups button.
ICMP TypeAppears only when the ICMP radio button is selected.

ICMP typeLets you enter the ICMP type of the traffic. ...Displays the Service dialog box, which lets you select ICMP types from a preconfigured drop-down list.
IP ProtocolAppears only when the IP radio button is selected.

IP protocolLets you enter the IP protocol of the traffic. ...Displays the Service dialog box, which lets you select an IP protocol from a preconfigured drop-down list.

ASDM User Guide

21-12

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Destination Port
Add/Edit Service Policy Rule Wizard > Traffic Match > Destination Port The Destination Port dialog box appears when you select TCP or UDP destination port in the Traffic Match Criteria dialog box, or choose the corresponding tab when editing a service policy rule. This dialog box lets you identify the traffic to which a service policy rule applies based on the TCP or UDP destination port.
Fields

TCPMatches traffic based on the TCP port used by the destination. UDPMatches traffic based on the UDP port used by the destination. OperatorSpecifies whether to identify a singe port or a range of ports to match. When you select = (equals sign) from the drop-down list, the . . . button appears, which lets you select a specific named port. When you select range from the drop-down list, two fields appear that let you enter the starting and ending ports in the range.

...Displays the Service dialog box, which lets you select the named values for the TCP or UDP ports to match.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

RTP Ports
Add/Edit Service Policy Rule Wizard > Traffic Match > RTP Ports The RTP Ports dialog box appears when you select RTP range on the Traffic Match Criteria dialog box, or choose the corresponding tab when editing a service policy rule. This dialog box lets you identify the traffic to which a service policy rule applies based on a range of RTP ports.

RTP Port RangeSpecifies the starting and ending ports within the range of RTP ports to be used for matching traffic. RTP port numbers should be between 2000 and 65535. The maximum number of RTP ports in a range is 16383.

ASDM User Guide OL-10106-01

21-13

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IP Precedence
Add/Edit Service Policy Rule Wizard > Traffic Match > IP Precedence The IP Precedence dialog box appears when you select IP Precedence on the Traffic Match Criteria dialog box, or choose the corresponding tab when editing a service policy rule. This dialog box lets you identify the traffic to which a service policy rule applies based on the IP precedence.
Fields

Available IP PrecedenceLists the available IP Precedence values that you can use to match traffic. IP Precedence is one model for assigning QoS priorities to IP traffic. AddAdds the selected IP Precedence value to the Match on IP Precedence list. DeleteRemoves the selected IP Precedence value from the Match on IP Precedence list. Match On IP PrecedenceLists the IP Precedence values that have been selected to match traffic.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IP DiffServ CodePoints (DSCP)


Add/Edit Service Policy Rule Wizard > Traffic Match > IP DiffServ CodePoints (DSCP) The IP DiffServ Code Points (DSCP) dialog box lets you match traffic based on the values assigned for Differentiated Services model of QoS. DiffServ defines two sets of DSCP values: EF and AF.
Fields

Expedited Forwarding (EF)Provides a single DSCP value (101110) that gives marked packets the highest level of service from the network. EF is commonly considered most appropriate for Voice over IP (VoIP). Assured Forwarding (AF)Provides four classes, each with three drop precedence levels.

You can select named DSCP values from the selection drop-down list, or enter a numeric value.

ASDM User Guide

21-14

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Named DSCP ValuesLists named DSCP values that you can select as match criteria. Select the values that you want to match and choose Add. Enter DSCP value (0-63)Specifies a numeric DSCP value. AddAdds a selected DSCP value to the Match on DSCP table. DeleteRemoves a selected DSCP value from the Match on DSCP table. Match on DSCPLists the DSCP values that have been selected as match criteria. Enter DSCP value (0-63)Uses a numeric value as the criteria for matching.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rule Actions > Protocol Inspection Tab


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab (You can get to this tab through various paths.) The Protocol Inspection tab lets you enable or disable the different types of application inspection available. To view or change the configuration for a specific application inspection type, choose Configure, which lets you select a map name to use for the protocol. To configure a map see Configuring Inspect Maps, page 6-30.
Fields

CTIQBEEnables application inspection for the CTIQBE protocol. DCERPCEnables application inspection for the DCERPC protocol.
ConfigureDisplays the Select DCERPC Map dialog box, which lets you select a map name

to use for this protocol.

DNSEnables application inspection for the DNS protocol.


ConfigureDisplays the Select DNS Map dialog box, which lets you select a map name to use

for this protocol.

ESMTPEnables application inspection for the ESMTP protocol


ConfigureDisplays the Select ESMTP Map dialog box, which lets you select a map name to

use for this protocol.

FTPEnables application inspection for the FTP protocol.


ConfigureDisplays the Select FTP Map dialog box, which lets you select a map name to use

for this protocol.

GTPEnables application inspection for the GTP protocol.


ConfigureDisplays the Select GTP Map dialog box, which lets you select a map name to use

for this protocol.

ASDM User Guide OL-10106-01

21-15

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Note

GTP inspection is not available without a special license.

H323 H225Enables application inspection for the H323 H225 protocol.


ConfigureDisplays the Select H323 H225 Map dialog box, which lets you select a map name

to use for this protocol.

H323 RASEnables application inspection for the H323 RAS protocol.


ConfigureDisplays the Select H323 RAS Map dialog box, which lets you select a map name

to use for this protocol.

HTTPEnables application inspection for the HTTP protocol.


ConfigureDisplays the Select HTTP Map dialog box, which lets you select a map name to use

for this protocol.


ICMPEnables application inspection for the ICMP protocol. ICMP ErrorEnables application inspection for the ICMP Error protocol. ILSEnables application inspection for the ILS protocol. IMEnables application inspection for the IM protocol.
ConfigureDisplays the Select IM Map dialog box, which lets you select a map name to use

for this protocol.

IPSec-Pass-ThruEnables application inspection for the IPSec protocol.


ConfigureDisplays the Select IPSec Map dialog box, which lets you select a map name to use

for this protocol.

MGCPEnables application inspection for the MGCP protocol.


ConfigureDisplays the Select MGCP Map dialog box, which lets you select a map name to

use for this protocol.

NETBIOSEnables application inspection for the NetBIOS protocol.


ConfigureDisplays the Select NETBIOS Map dialog box, which lets you select a map name

to use for this protocol.


PPTPEnables application inspection for the PPTP protocol. RSHEnables application inspection for the RSH protocol. RTSPEnables application inspection for the RTSP protocol. SCCP SKINNYEnables application inspection for the Skinny protocol.
ConfigureDisplays the Select SCCP (Skinny) Map dialog box, which lets you select a map

name to use for this protocol.

SIPEnables application inspection for the SIP protocol.


ConfigureDisplays the Select SIP Map dialog box, which lets you select a map name to use

for this protocol.

SNMPEnables application inspection for the SNMP protocol.


ConfigureDisplays the Select SNMP Map dialog box, which lets you select a map name to

use for this protocol.


SQLNETEnables application inspection for the SQLNET protocol. SUNRPCEnables application inspection for the SunRPC protocol.

ASDM User Guide

21-16

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

TFTPEnables application inspection for the TFTP protocol. XDMCPEnables application inspection for the XDMCP protocol.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Configuring Inspect Maps Inspect command pages for each protocol in the Cisco Security Appliance Command Reference

Select DCERPC Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select DCERPC Map The Select DCERPC Map dialog box lets you select or create a new DCERPC map. A DCERPC map lets you change the configuration values used for DCERPC application inspection. The Select DCERPC Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No DCERPC map for inspectionSpecifies no DCERPC map. Select a DCERPC map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Configure DNS
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Configure DNS
Fields

Maximum DNS packet length (default 512)Changes the maximum packet length for DNS messages that are allowed to pass through the security appliance.

ASDM User Guide OL-10106-01

21-17

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select DNS Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select DNS Map The Select DNS Map dialog box lets you select or create a new DNS map. A DNS map lets you change the configuration values used for DNS application inspection. The Select DNS Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No DNS map for inspectionSpecifies no DNS map. Select a DNS map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select ESMTP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select ESMTP Map The Select ESMTP Map dialog box lets you select or create a new ESMTP map. An ESMTP map lets you change the configuration values used for ESMTP application inspection. The Select ESMTP Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No ESMTP map for inspectionSpecifies no ESMTP map. Select an ESMTP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

ASDM User Guide

21-18

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select FTP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select FTP Map The Select FTP Map dialog box lets you enable strict FTP application inspection, select an FTP map, or create a new FTP map. An FTP map lets you change the configuration values used for FTP application inspection.The Select FTP Map table provides a list of previously configured maps that you can select for application inspection.
Fields

FTP Strict (prevent web browsers from sending embedded commands in FTP requests)Enables strict FTP application inspection, which causes the security appliance to drop the connection when an embedded command is included in an FTP request. No FTP map for inspectionSpecifies no FTP map. Select an FTP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select GTP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select GTP Map The Select GTP Map dialog box lets you select or create a new GTP map. A GTP map lets you change the configuration values used for GTP application inspection. The Select GTP Map table provides a list of previously configured maps that you can select for application inspection.

Note

GTP inspection requires a special license. If you try to enable GTP application inspection on a security appliance without the required license, the security appliance displays an error message.

ASDM User Guide OL-10106-01

21-19

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Fields

No GTP map for inspectionSpecifies no GTP map. Select an GTP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select H.323 Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select H.323 Map The Select H.323 Map dialog box lets you select or create a new H.323 map. An H.323 map lets you change the configuration values used for H.323 application inspection. The Select H.323 Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No H.323 map for inspectionSpecifies no H.323 map. Select an H.323 map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select HTTP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select HTTP Map The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection. The Select HTTP Map table provides a list of previously configured maps that you can select for application inspection.

ASDM User Guide

21-20

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Fields

No HTTP map for inspectionSpecifies no HTTP map. Select an HTTP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select IM Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map The Select IM Map dialog box lets you select or create a new IM map. An IM map lets you change the configuration values used for IM application inspection. The Select IM Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No IM map for inspectionSpecifies no IM map. Select an IM map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select IPSec-Pass-Thru Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IPSec-Pass-Thru Map The Select IPSec-Pass-Thru dialog box lets you select or create a new IPSec map. An IPSec map lets you change the configuration values used for IPSec application inspection. The Select IPSec Map table provides a list of previously configured maps that you can select for application inspection.

ASDM User Guide OL-10106-01

21-21

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Fields

No IPSec map for inspectionSpecifies no IPSec map. Select an IPSec map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select MGCP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select MGCP Map The Select MGCP Map dialog box lets you select or create a new MGCP map. An MGCP map lets you change the configuration values used for MGCP application inspection. The Select MGCP Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No MGCP map for inspectionSpecifies no MGCP map. Select an MGCP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select NETBIOS Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select NetBIOS Map The Select NETBIOS Map dialog box lets you select or create a new NetBIOS map. A NetBIOS map lets you change the configuration values used for NetBIOS application inspection. The Select NetBIOS Map table provides a list of previously configured maps that you can select for application inspection.

ASDM User Guide

21-22

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Fields

No IM map for inspectionSpecifies no NetBIOS map. Select a NetBIOS map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select SCCP (Skinny) Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SCCP Map The Select SCCP (Skinny) Map dialog box lets you select or create a new SCCP (Skinny) map. An SCCP (Skinny) map lets you change the configuration values used for SCCP (Skinny) application inspection. The Select SCCP (Skinny) Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No SCCP (Skinny) map for inspectionSpecifies no SCCP (Skinny) map. Select an SCCP (Skinny) map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select SIP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SIP Map The Select SIP Map dialog box lets you select or create a new SIP map. A SIP map lets you change the configuration values used for SIP application inspection. The Select SIP Map table provides a list of previously configured maps that you can select for application inspection.

ASDM User Guide OL-10106-01

21-23

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Fields

No SIP map for inspectionSpecifies no SIP map. Select a SIP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Select SNMP Map


Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SNMP Map The Select SNMP Map dialog box lets you select or create a new SNMP map. An SNMP map lets you change the configuration values used for SNMP application inspection. The Select SNMP Map table provides a list of previously configured maps that you can select for application inspection.
Fields

No SNMP map for inspectionSpecifies no SNMP map. Select an SNMP map for fine control over inspectionLets you select a defined application inspection map or add a new one. AddOpens the Add Policy Map dialog box for the inspection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rule Actions > Intrusion Prevention Tab


Add/Edit Service Policy Rule Wizard > Rule Actions > Intrusion Prevention Tab The Intrusion Prevention tab lets you configure the Intrusion Prevention (IPS) action to take within a policy map for a traffic class. This window appears only if Intrusion Prevention System hardware is installed in the security appliance.

ASDM User Guide

21-24

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Fields

Enable IPS for this traffic flowEnables or disables intrusion prevention for this traffic flow. When this check box is selected, the other parameters on this window become active. ModeConfigures the operating mode for intrusion prevention
Inline ModeSelects Inline Mode, in which a packet is directed to IPS. The packet might be

dropped as a result of the IPS operation.


Promiscuous ModeSelects Promiscuous Mode, in which IPS operates on a duplicate of the

original packet. The original packet cannot be dropped.

If IPS card fails, thenConfigures the action to take if the IPS card becomes inoperable.
Permit trafficPermit traffic if the IPS card fails Close trafficBlock traffic if the IPS card fails.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rule Actions > CSC Scan Tab


Add/Edit Service Policy Rule Wizard > Rule Actions > CSC Scan Tab The CSC Scan tab lets you whether the Content Security and Control (CSC) SSM scans traffic identify by the current traffic class. This window appears only if a CSC SSM is installed in the security appliance. The CSC SSM scans only HTTP, SMTP, POP3, and FTP traffic. If your service policy selects traffic that includes other protocols in addition to these four, packets for other protocols are passed through the CSC SSM without being scanned. To reduce the load on the CSC SSM, configure the service policy rules that send packets to the CSC SSM to select only HTTP, SMTP, POP3, or FTP packets.
Fields

Enable CSC scan for this traffic flowEnables or disables use of the CSC SSM for this traffic flow. When this check box is selected, the other parameters on this window become active. If CSC card fails, thenConfigures the action to take if the CSC SSM becomes inoperable.
Permit trafficPermit traffic if the CSC SSM fails Close trafficBlock traffic if the CSC SSM fails.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

21-25

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Rule Actions > Connection Settings Tab


Add/Edit Service Policy Rule Wizard > Rule Actions > Connection Settings Tab (You can get to this tab through various paths.) The Connection Settings tab lets you configure maximum connections, embryonic connections, and sequence number randomizing for TCP packets on a host or network. You can also configure connection timeouts and TCP normalization.
Fields

Maximum Connections area


TCP & UDP ConnectionsSpecifies the maximum number of simultaneous TCP and UDP

connections for all clients in the traffic class, up to 65,536. The default is 0 for both protocols, which means the maximum possible connections are allowed.
Embryonic ConnectionsSpecifies the maximum number of embryonic connections per host

up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is 0, which means the maximum embryonic connections. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.
Per Client ConnectionsSpecifies the maximum number of simultaneous TCP and UDP

connections for each client. When a new connection is attempted by a client that already has opened the maximum per-client number of connections, the security appliance rejects the connection and drops the packet.
Per Client Embryonic ConnectionsSpecifies the maximum number of simultaneous TCP

embryonic connections for each client. When a new TCP connection is requested by a client that already has the maximum per-client number of embryonic connections open through the security appliance, the security appliance proxies the request to the TCP Intercept feature, which prevents the connection.

Randomize Sequence NumberSets the state of the Randomize Sequence Number feature to enabled or disabled. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers: one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server on the higher security interface. At least one of the ISNs must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session.

ASDM User Guide

21-26

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

TCP Timeout area


Connection TimeoutSpecifies the idle time until a connection slot is freed. Enter 0:0:0 to

disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.
Send reset to TCP endpoints before timeoutSpecifies that the security appliance should send

a TCP reset message to the endpoints of the connection before freeing the connection slot.
Embryonic Connection TimeoutSpecifies the idle time until an embryonic connection slot is

freed. Enter 0:0:0 to disable timeout for the connection. The default is 30 seconds.
Half Closed Connection TimeoutSpecifies the idle time until a half closed connection slot is

freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 10 minutes.

TCP Normalization area


Use TCP MapSelects whether TCP normalization is enabled or not. Enable this feature to use

TCP maps.
TCP MapSelects an existing TCP map. NewAdds a new TCP map. EditEdits an existing TCP map.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Rule Actions > QoS Tab


Add/Edit Service Policy Rule Wizard > Rule Actions > QoS Tab (You can get to this tab through various paths.) The QoS tab lets you apply strict scheduling priority and rate-limit traffic.
Restrictions

If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and reestablish them.
Fields

Enable Priority for this flowEnables or disables strict scheduling priority for this flow. Priority (LLQ) does not work unless the priority queues are set. To configure priority queues, choose Configuration > Properties > Priority Queue. For more information, see Priority Queue. Enable policingEnables policing of traffic in the input or output direction.
DirectionSelect to enable policing in either the input or output direction.

ASDM User Guide OL-10106-01

21-27

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Committed RateThe rate limit for this traffic flow; this is a value in the range

8000-2000000000, specifying the maximum speed (bits per second) allowed.


Conform ActionThe action to take when the rate is less than the conform-burst value. Values

are transmit or drop.


Exceed ActionTake this action when the rate is between the conform-rate value and the

conform-burst value. Values are transmit or drop.


Burst RateA value in the range 1000-512000000, specifying the maximum number of

instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

Note

The Enable Policing check box merely enforces the maximum speed and burst rate, forcing them to the conforming rate value. It does not enforce the conform-action or the exceed-action specification if these are present.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit Class Map


Configuration > Features > Security Policy > Edit > Edit Class Map The Edit Class Map dialog box lets you add or edit the description of a class map.
Fields

DescriptionAdd or change the name of the class map description.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Rule
Configuration > Security Policy > Access Rules > Edit Rule The Edit Rule dialog box lets you modify an existing rule.

ASDM User Guide

21-28

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Fields

Select an actionDetermines the action type of the new rule. Select either permit or deny from the Select an action drop-down list.
PermitPermits all matching traffic. DenyDenies all matching traffic.

Apply to trafficDetermines which type of traffic to which the rule is applied.


Incoming to source interfaceSelects incoming traffic to the source interface. Outgoing from destination interfaceSelects outgoing traffic from the destination interface.

SyslogShows whether syslog is enabled or not. More OptionsEnables logging for the access list and sets logging options. The More Options button lets you set logging options. This button allows you to:
Use default logging behavior. Enable logging for the rule. Disable logging for the rule. Set the level and interval for permit and deny logging. This option checks the Enable Logging

check box. See Log Options for more information. Also, see Advanced Access Rule Configuration to set global logging options.

Time RangeSelect a time range defined for this rule from the drop-down list. NewCreate a new time range for this rule. See Add Time Range. Source and Destination Host/Network IP AddressChoose this button to identify the networks by IP address.
InterfaceThe interface on which the host or network resides. IP addressThe IP address of the host or network. BrowseLets you select an existing host or network by choosing the options under the Select

Host/Network window to populate the Name, Interface, IP address, and Mask fields with the properties of the selected host or network.
MaskThe subnet mask of the host or network

NameChoose this button to identify the networks by name. To name hosts/networks, see the Hosts/Networks tab. The name of the host or network. If you choose this option, and reopen the rule to edit it, the button selection reverts to IP Address, and the named host/network IP address information appears in the fields.

GroupChoose this button to identify a group of networks and hosts that you grouped together on the Hosts/Networks tab.
InterfaceThe interface connected to the hosts and networks in the group. GroupThe group name.

Protocol and Service: TCP and UDP buttonsSelects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the access list uses to match packets.
Source Port ServiceChoose this option to specify a port number, a range of ports, or a

well-known service name from a drop-down list of services, such as HTTP or FTP.

ASDM User Guide OL-10106-01

21-29

Chapter 21 Service Policy Rules

Configuring Service Policy Rules

Source Port ServiceThe operator drop-down list specifies how the access list matches the

port. Choose one of the following operators:


= Equals the port number. not = Does not equal the port number. > Greater than the port number. < Less than the port number. rangeEqual to one of the port numbers in the range. Source Port ServiceSpecifies port number, a range of ports, or a well-known service name

from a drop-down list of services, such as HTTP or FTP. The browse button displays the Service dialog box, which lets you select a TCP or UDP service from a preconfigured drop-down list.
Source Port Service GroupChoose this option to specify a service group from the Service

Group drop-down list,

Protocol and Service: ICMPSpecifies the ICMP type for the rule in the ICMP type field. The Browse button displays the Service dialog box, which lets you select an ICMP type from a preconfigured drop-down list. Protocol and Service: IPSpecifies the IP protocol for the rule in the IP protocol field. The Browse button displays the Protocols dialog box, which lets you select an IP protocol from a preconfigured drop-down list. Manage Service GroupsManages service groups. Service groups allow you to identify multiple non-contiguous port numbers that you want the access list to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, you can define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port. You can create service groups for TCP, UDP, and TCP-UDP. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol. See Manage Service Groups for more information.

Description(Optional) Enter a description of the access rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Service Policy Rule > Traffic Classification Tab


Configuration > Security Policy > Edit Service Policy Rule> Traffic Classification Tab The Traffic Classification tab lets you specify the criteria you want to use to match traffic to which the security policy rule applies.
Fields

DescriptionSpecifies a description for the traffic classification.

ASDM User Guide

21-30

OL-10106-01

Chapter 21

Configuring Service Policy Rules Service Policy Rules

Default Inspection TrafficUses the criteria specified in the default inspection traffic policy. Source and destination IP address (uses ACL)Matches traffic based on the source and destination IP address, using an access control list. This selection is only available if you apply the rule to a specific interface using an Interface Service Policy. Tunnel GroupMatches traffic based on the tunnel group. TCP or UDP destination portMatches traffic based on the TCP or UDP destination port. RTP rangeMatches traffic based on a range of RTP ports. IP DiffServ CodePoints (DSCP)Matches traffic based on the Differentiated Services model of QoS. IP PrecedenceMatches traffic based on the IP precedence model of QoS. Any trafficMatches all traffic regardless of the traffic type.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Tunnel Group
Add Service Policy Rule Wizard >Traffic Match > Tunnel Group The Tunnel Group dialog box lets you identify the traffic to which a service policy rule applies based on the tunnel group.
Fields

Tunnel GroupSelects the tunnel group for which to match traffic. NewDisplays the Add Tunnel Group window, on which you can configure a new tunnel group. Match flow destination IP addressAdds the requirement to match the flow destination IP address, as well as the tunnel group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

21-31

Chapter 21 SUNRPC Server

Configuring Service Policy Rules

SUNRPC Server
Configuration > Properties > SUNRPC Server The SUNRPC Server window shows which SunRPC services can traverse the security appliance and their specific timeout, on a per server basis.
Fields

InterfaceDisplays the interface on which the SunRPC server resides. IP addressDisplays the IP address of the SunRPC server. MaskDisplays the subnet mask of the IP Address of the SunRPC server. Service IDDisplays the SunRPC program number, or service ID, allowed to traverse the security appliance. ProtocolDisplays the SunRPC transport protocol (TCP or UDP). PortDisplays the SunRPC protocol port range. TimeoutDisplays the idle time after which the access for the SunRPC service traffic is closed.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit SUNRPC Service


Configuration > Properties > SUNRPC Server > Add/Edit SUNRPC Service The Add/Edit SUNRPC Service dialog box lets you specify what SunRPC services are allowed to traverse the security appliance and their specific timeout, on a per-server basis.
Fields

Interface NameSpecifies the interface on which the SunRPC server resides. ProtocolSpecifies the SunRPC transport protocol (TCP or UDP). IP addressSpecifies the IP address of the SunRPC server. PortSpecifies the SunRPC protocol port range. MaskSpecifies the subnet mask of the IP Address of the SunRPC server. TimeoutSpecifies the idle time after which the access for the SunRPC service traffic is closed. Format is HH:MM:SS. Service IDSpecifies the SunRPC program number, or service ID, allowed to traverse the security appliance.

ASDM User Guide

21-32

OL-10106-01

Chapter 21

Configuring Service Policy Rules SUNRPC Server

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

21-33

Chapter 21 SUNRPC Server

Configuring Service Policy Rules

ASDM User Guide

21-34

OL-10106-01

C H A P T E R

22

NAT
The security appliance supports both the Network Address Translation feature, which provides a globally unique address for each outbound host session, and the Port Address Translation feature, which provides a single, unique global address for up to 64,000 simultaneous outbound or inbound host sessions. The global addresses used for NAT come from a pool of addresses to be used specifically for address translation. The unique global address that is used for PAT can either be one global address or the IP address of a given interface. The security appliance can perform NAT or PAT in both inbound and outbound connections. This ability to translate inbound addresses is called Outside NAT because addresses on the outside, or less secure, interface are translated to a usable inside IP address. Outside NAT gives you the option to translate an outside host or network to an inside host or network, and it is sometimes referred to as bi-directional NAT. Just as when you translate outbound traffic with NAT, you may choose dynamic NAT, static NAT, dynamic PAT, and static PAT. If necessary, you may use outside NAT together with inside NAT to translate the both source and destination IP addresses of a packet.

NAT
Configuration > Security Policy > NAT The NAT pane lets you view all the address translation rules or Network Address Translation exemption rules applied to your network. From the NAT pane you can also create a Translation Exemption Rule, which lets you specify traffic that is exempt from being translated or encrypted. The Exemption Rules are grouped by interface in the table, and then by direction. If you have a group of IP addresses that will be translated, you can exempt certain addresses from being translated using the Exemption Rules. You can use a previously configured access list to define your exemption rule. ASDM will write to the command-line interface a nat 0 command. You can resort the view of your exemption by clicking the column heading. You can also identify local traffic for address translation by specifying the source and destination addresses (or ports) in an access list using policy NAT. With policy NAT, you can create multiple NAT or static statements that identify the same local address as long as the source/port and destination/port combination is unique for each statement. You can then match different global addresses to each source/port and destination/port pair.
Prerequisites

Before you can designate access and translation rules for your network, you must first define each host or server for which a rule will apply.

ASDM User Guide OL-10106-01

22-1

Chapter 22 NAT

NAT

Caution

Review Important Notes about Object Groups regarding the naming of Network and Service Groups.
Restrictions

You cannot use unavailable translation commands until you define networks or hosts. Unavailable commands appear dimmed on the menu. It is important to note that the order in which you apply translation rules can affect the way the rules operate. ASDM will list the static translations first and then the dynamic translations. When processing NAT, the security appliance will first translate the static translations in the order they are configured. You can use Insert or Insert After to determine the order in which static translations are processed. Because dynamically translated rules are processed on a best match basis, the option to insert a rule before or after a dynamic translation is disabled. It is necessary to run NAT even if you have routable IP addresses on your secure networks. When running NAT with routable IP addresses, translate the routable IP address to itself on the outside. A packet sourced on the more secure (inside) interface destined for an intermediate (DMZ) interface can not have the same translated address when it is outbound on a less secure (outside) interface. Furthermore, if one dynamic rule is deleted on either of the outbound interfaces, all outbound dynamic rules for translations originating on the same interface will be deleted. It is possible to create an Exemption Rule for traffic so that traffic is sent out to the Internet or a less secure interface unencrypted. This can be useful in a scenario where you want to encrypt some traffic to another remote VPN network, but would like traffic destined to anywhere else to remain unencrypted.

Fields

AddAdds a new NAT rule. Choose the type of rule you want to add from the drop-down list. EditEdits an NAT rule. DeleteDeletes a NAT rule. Move UpMoves a rule up. Rules are assessed in the order they appear in this table, so the order can matter if you have overlapping rules. Move DownMoves a rule down. CutCuts a rule. CopyCopies the parameters of a rule so you can start a new rule with the same parameters using the Paste button. PasteOpens an Add/Edit Rule dialog box with the copied or cut parameters of the rule prefilled. You can then make any modifications and add it to the table. The Paste button adds the rule above the selected rule. The Paste After item, available from the Paste drop-down list, adds the rule after the selected rule. FindFilters the display to show only matching rules. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
Filter drop-down listChoose the criteria to filter on, either Interface, Source, Destination,

Service, Action, or Rule Query. A rule query is a collection of multiple criteria that you can save and use repeatedly.
Filter fieldFor the Interface type, this field becomes a drop-down list so you can choose an

interface name. For the Action type, the drop-down list includes Exempt, Static, and Dynamic. For the Rule Query type, the drop-down list includes all defined rule queries. The Source and Destination types accept an IP address. You can type one manually, or browse for one by

ASDM User Guide

22-2

OL-10106-01

Chapter 22

NAT NAT

clicking the ... button and launching the Browse Address dialog box. The Service type accepts a TCP, UDP, TCP-UDP, ICMP, or IP protocol type. You can type one manually, or browse for one by clicking the ... button and launching the Browse Service Groups dialog box.
FilterRuns the filter. ClearClears the Filter field. Rule QueryOpens the Rules Queries dialog box so you can manage named rule queries.

Show Rule Flow DiagramShows the Rule Flow Diagram area under the rule table. This diagram shows the networks, type of traffic, interface name, direction of flow, and action. Packet TraceOpens the Packet Tracer tool with the parameters pre-filled with the characteristics of the selected rule.

The following description summarizes the columns in the NAT Rules table. You can edit the contents of these columns by double-clicking on a table cell. Double-clicking on a column header sorts the table in ascending alphanumeric order, using the selected column as the sort key. If you right-click a rule, you see all of the options represented by the buttons above, as well as Insert and Insert After items. These items either insert a new rule before the selected rule (Insert) or after the selected rule (Insert After.)

NoIndicates the order of evaluation for the rule. TypeDisplays the translation rule type applied to the given row, which can either be dynamic or static.
DynamicInternal IP addresses are dynamically translated using IP addresses from a pool of

global addresses or, in the case of PAT, a single address. These rules translate addresses of hosts on a higher security level interface to addresses selected from a pool of addresses for traffic sent to a lower security level interface. Dynamic translations are often used to map local, RFC 1918 IP addresses to addresses that are Internet-routable addresses. They are represented with the dynamic icon.
StaticInternal IP addresses are permanently mapped to a global IP address. These rules map

a host address on a lower security level interface to a global address on a higher security level interface. For example, a static rule would be used for mapping the local address of a web server on a perimeter network to a global address that hosts on the outside interface would use to access the web server. They are represented with the static icon.

RealDisplays the original address with its associated interface before network translation is applied.
Source NetworkThe source network on which the traffic to be translated resides for policy

NAT. For regular NAT, this displays any.


Destination NetworkThe destination network on which the traffic to be translated resides for

policy NAT. For regular NAT, this displays any.

TranslatedDisplays the translated addresses and the associated interfaces after network translation is applied.
InterfaceThe interface on which the translated addresses reside. AddressThe translated addresses.

OptionsIncludes the following items:


DNS RewriteLets the security appliance rewrite the DNS record so that an outside client can

resolve name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will

ASDM User Guide OL-10106-01

22-3

Chapter 22 NAT

NAT

resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.
Maximum TCP ConnectionsThe maximum number of TCP connections that are allowed to

connect to the statically translated IP address. Valid options are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
Embryonic LimitThe number of embryonic connections allowed to form before the security

appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.
Maximum UDP ConnectionsThe maximum number of UDP connections that are allowed to

connect to the statically translated IP address. Valid options are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.
Randomize Sequence NumberWith this check box checked, the security appliance will

randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the security appliance. The default is selected.

Description (for Policy NAT only)If a description of the rule is available, it is displayed in this column. Enable traffic through the firewall without address translationAllows traffic to pass through the security appliance without address translation. AddressesTab that lets you add, edit, delete, or find IP address objects, IP names, or network object groups. ServicesTab that lets you add, edit, delete, or find services. Global PoolsTab that lets you manage the Global address NAT pools, which are used for dynamic NAT configuration. These are the IP addresses the security appliance will present to the outside or less secure interface for which they are configured.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Static NAT Rule


Configuration > Security Policy > NAT > Add/Edit Static NAT Rule The Add/Edit Static NAT Rule dialog box lets you add, edit, and paste translation rules for your security appliance, which are viewed in the NAT Rules table. A Static NAT rule specifies that the address translation is a static, one-to-one translation of an IP address from a private (non-valid) IP address to a global (valid) IP address. Static or Dynamic can be selected, but not both.

ASDM User Guide

22-4

OL-10106-01

Chapter 22

NAT NAT

Note

Review Important Notes about Object Groups regarding the naming of Network and Service Groups.
Fields

Real AddressThe original address with its associated interface before network translation is applied.
InterfaceSelects the security appliance network interface on which the original host or

network resides.
IP addressSpecifies the IP address of the host or network to which you would like to apply a

rule.
MaskSelect the network mask (netmask) for the address. BrowseLets you select the correct IP address and mask from the Hosts/Networks tree for a

predefined host or network.

Static TranslationLets you specify the static interface and IP address.


InterfaceSelects the security appliance network interface for static translation. IP addressSelects the IP address for the static translation. BrowseLets you select the correct IP address and mask from the Hosts/Networks tree from a

predefined host or network.

Enable Port Address Translation (PAT)Choose this option to specify the protocol, original port, and translated port for PAT.
ProtocolTCP or UDP. Original PortSelect from the list of ports. Translated PortSelect from the list of ports.

NAT OptionsLets you configure the DNS Rewrite, Maximum Connections, Embryonic Limit and Randomize Sequence Number.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Dynamic NAT Rule


Configuration > Security Policy > NAT > Add/Edit Dynamic NAT Rule The Add/Edit Dynamic NAT Rule dialog box lets you add, edit, and paste translation rules for your security appliance, which are viewed in the NAT Rules table. A Dynamic NAT rule specifies either a predefined pool of IP addresses, or to perform PAT on a global IP address or the less secure interface for multiple hosts on the more secure interface. For example, if your inside network has multiple hosts, you

ASDM User Guide OL-10106-01

22-5

Chapter 22 NAT

NAT

can permit outbound access through a pool or a PAT address by using Dynamic NAT to dynamically assign an global IP address for each host requesting an outbound connection. Static or Dynamic can be selected, but not both.

Note

Review Important Notes about Object Groups regarding the naming of Network and Service Groups.
Fields

Real AddressThe original address with its associated interface before network translation is applied.
InterfaceSelects the security appliance network interface on which the original host or

network resides.
IP AddressSpecifies the IP address of the host or network to which you would like to apply

a rule.
MaskSelect the network mask (netmask) for the address. BrowseLets you select the correct IP address and mask from the Hosts/Networks tree for a

predefined host or network.

Dynamic TranslationLets you specify the dynamic interface and global address pool.
InterfaceSelects the security appliance network interface for dynamic translation. AddAdds a global pool. EditEdits a global pool. DeleteDeletes a global pool.

NAT OptionsLets you configure the DNS Rewrite, Maximum Connections, Embryonic Limit and Randomize Sequence Number.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

NAT Options
Configuration > Security Policy > NAT > Add/Edit NAT Rule> NAT Options The NAT Options dialog box lets you configure the DNS Rewrite, Maximum Connections, Embryonic Limit, and Randomize Sequence Number for NAT and Policy NAT.
Fields

DNS RewriteLets the security appliance rewrite the DNS record so that an outside client can resolve name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server www.example.com has IP 192.168.1.1, it is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS request to an inside DNS server, which will resolve

ASDM User Guide

22-6

OL-10106-01

Chapter 22

NAT NAT

www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.

Maximum TCP ConnectionsThe maximum number of TCP connections that are allowed to connect to the statically translated IP address. Valid options are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. Maximum UDP ConnectionsThe maximum number of UDP connections that are allowed to connect to the statically translated IP address. Valid options are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. Embryonic LimitThe number of embryonic connections allowed to form before the security appliance begins to deny these connections. Set this limit to prevent attack by a flood of embryonic connections. An embryonic connection is one that has been started but has not yet been established, such as a three-way TCP handshake state. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature. Randomize Sequence NumberWith this check box checked, the security appliance will randomize the sequence number of TCP packets. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the security appliance. The default is selected.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Global Pools
Configuration > Security Policy > NAT > Add/Edit Address Translation Rule > Global Pools The Global Pools dialog box lets you view, define new, or delete existing global address pools used in dynamic NAT rules. For more information on dynamic NAT rules and its uses, refer to Understanding Dynamic NAT.
Fields

InterfaceIdentifies the interface name associated with the address pool used for dynamic address translation. Pool IDIdentifies the ID number of the address pool. IP Address(es)Identifies the type and value of the address(es) for the pool. It can identify one of the following types:
A range of addresses A PAT address A PAT address associated with an interface

ASDM User Guide OL-10106-01

22-7

Chapter 22 NAT

NAT

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Global Address Pool


Configuration > Security Policy > NAT > Add/Edit Address Translation Rule > Global Pools > Add/Edit Global Address Pool The Add/Edit Global Address Pool dialog box lets you define the settings for a new global address pool or edit the settings of an existing pool.
Fields

InterfaceSpecifies the interface name to associate with the new address pool. Select the name in the Interface drop-down list. Pool IDSpecifies the ID number that dynamic NAT rules use to reference this address pool. Enter the number in the Pool ID field. RangeSelect this option to specify that a range of IP addresses be used with the new address pool. If you select this option, specify the following values:
Enter the start and end addresses used by the range in the IP Address fields. These addresses

are the addresses to which the original addresses will be translated. If the security appliance is exposing the host or network to users on the Internet, these IP addresses must be valid IP addresses that are registered with the American Registry for Internet Numbers.
Enter the mask in the Network Mask (optional) field. This value identifies the mask of the

network on which translated IP addresses are members.

Port Address Translation (PAT)Choose this option to specify that an IP address be used for Port Address Translation. If you select this option, specify the following value:
Enter the IP address used for PAT in the IP Address field.

This value is the specific translated IP address to which you want to translate the original addresses of the translated host or network. If the security appliance is exposing the host or network to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.

Port Address Translation (PAT) using the IP address of the interfaceSelect this option to specify that the IP address assigned to the interface selected in the Interface drop-down list be used as the translated address for PAT.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

22-8

OL-10106-01

Chapter 22

NAT NAT

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Static Policy NAT Rule


Configuration > Security Policy > NAT > Add/Edit Static Policy NAT Rule The Add/Edit Static Policy NAT Rule dialog box lets you configure the protocol and service that policy NAT will use to translate traffic.
Fields

Real AddressThe original address with its associated interface before network translation is applied.
InterfaceSelects the security appliance network interface on which the original host or

network resides.
SourceChoose type, IP address, and netmask. DestinationChoose type, IP address, and netmask

Protocol and ServiceLets you define the protocols and services to be used for policy NAT.
TCPSelect to define the TCP protocol types used for translation with policy NAT. UDPSelect to define the UDP protocol types used for translation with policy NAT. ICMPSelect to define the ICMP protocol types used for translation with policy NAT. IPSelect to define the IP protocol types used for translation with policy NAT. IP ProtocolDepending on your selection this displays the TCP, UDP, ICMP or IP protocol

type. You can either enter the port or protocol number or select the protocol from a drop-down list using the browse (...) button.

Static TranslationLets you specify the static interface and IP address.


InterfaceSelects the security appliance network interface for static translation. IP addressSelects the IP address for the static translation. BrowseLets you select the correct IP address and mask from the Hosts/Networks tree from a

predefined host or network.

Enable Port Address Translation (PAT)Choose this option to specify the protocol, original port, and translated port for PAT.
ProtocolTCP or UDP. Original PortSelect from the list of ports. Translated PortSelect from the list of ports.

NAT OptionsLets you configure the DNS Rewrite, Maximum Connections, Embryonic Limit and Randomize Sequence Number.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

22-9

Chapter 22 NAT

NAT

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Dynamic Policy NAT Rule


Configuration > Security Policy > NAT > Add/Edit Dynamic Policy NAT Rule The Add/Edit Dynamic Policy NAT Rule dialog box lets you configure the protocol and service that policy NAT will use to translate traffic.
Fields

Real AddressThe original address with its associated interface before network translation is applied.
InterfaceSelects the security appliance network interface on which the original host or

network resides.
SourceChoose type, IP address, and netmask. DestinationChoose type, IP address, and netmask

Protocol and ServiceLets you define the protocols and services to be used for policy NAT.
TCPSelect to define the TCP protocol types used for translation with policy NAT. UDPSelect to define the UDP protocol types used for translation with policy NAT. ICMPSelect to define the ICMP protocol types used for translation with policy NAT. IPSelect to define the IP protocol types used for translation with policy NAT. IP ProtocolDepending on your selection this displays the TCP, UDP, ICMP or IP protocol

type. You can either enter the port or protocol number or select the protocol from a drop-down list using the browse (...) button.

Dynamic TranslationLets you specify the dynamic interface and global address pool. Real AddressThe original address with its associated interface before network translation is applied.
InterfaceSelects the security appliance network interface on which the original host or

network resides.
IP AddressSpecifies the IP address of the host or network to which you would like to apply

a rule.
MaskSelect the network mask (netmask) for the address. BrowseLets you select the correct IP address and mask from the Hosts/Networks tree for a

predefined host or network.

Dynamic TranslationLets you specify the dynamic interface and global address pool.
InterfaceSelects the security appliance network interface for dynamic translation. AddAdds a global pool. EditEdits a global pool.

ASDM User Guide

22-10

OL-10106-01

Chapter 22

NAT NAT

DeleteDeletes a global pool.

NAT OptionsLets you configure the DNS Rewrite, Maximum Connections, Embryonic Limit and Randomize Sequence Number.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit NAT Exempt Rule


Configuration > Security Policy > NAT > Add/Edit NAT Exempt Rule The Add/Edit NAT Exempt Rule dialog box lets you add and edit Network Address Translation exemption rules for your security appliance. Depending upon which command you selected in the Translation Rules menu, the title for this dialog box will appear as Add Address Exemption Rule or Edit Address Exemption Rule.
Fields

ActionThe action drop-down list lets you select the action, exempt or do not exempt, that this exemption rule will take if the host/network meets the criteria defined. The Select an action list options are as follows:
ExemptSpecifies that the traffic defined will be exempted from NAT. Do Not ExemptSpecifies that the traffic defined will not be exempted from NAT.

IP AddressSelects the criteria of testing the IP address of the source host or network to determine if the action of the exemption rule will be applied. Selecting this option displays the following fields:
InterfaceSelects the security appliance network interface name on which the original host or

network resides.
IP addressSpecifies the IP address of the host or network to which you would like to apply a

rule.
BrowseLets you select the correct IP address and mask from the Hosts/Networks tree from a

predefined host or network.


MaskSelect the network mask (netmask) for the address.

NameSelects the criteria of testing the name of the source host or network to determine if the action of the exemption rule will be applied. Selecting this option displays the following fields:
NameLets you select a previously defined name of a host or network to which you would like

to apply the rule. The security appliance also automatically generates a hostname for each interface by using the interface name, such as inside or outside.

GroupSelects the criteria of testing a group of the source host or network to determine if the action of the exemption rule will be applied. Selecting this option displays the following fields:

ASDM User Guide OL-10106-01

22-11

Chapter 22 NAT

NAT

InterfaceSelects the security appliance network interface name on which the original host or

network resides.
GroupSelects the group of the host or network to which you would like to apply the rule.

When Connecting ToThe When Connecting To area lets you define the criteria which must be met for the action to be performed. The criteria my be defined by selecting an IP address, Name, Group, or by browsing a previously defined drop-down list of hosts/networks. IP addressSpecifies the IP address of the destination host or network to which you would like to apply the exemption rule.
InterfaceSelects the security appliance network interface name on which the original host or

network resides.
IP addressSpecifies the IP address of the host or network to which you would like to apply a

rule.
BrowseLets you select the correct IP address and mask from the Hosts/Networks tree from a

predefined host or network.


MaskSelect the network mask (netmask) for the address.

NameSelects the criteria of testing the name of the source host or network to determine if the action of the exemption rule will be applied. Selecting this option displays the following fields:
NameLets you select a previously defined name of a host or network to which you would like

to apply the rule. The security appliance also automatically generates a hostname for each interface by using the interface name, such as inside or outside.

GroupSelects the criteria of testing a group of the source host or network to determine if the action of the exemption rule will be applied. Selecting this option displays the following fields:
InterfaceSelects the security appliance network interface name on which the original host or

network resides.
GroupSelects the group of the host or network to which you would like to apply the rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Identity NAT Rule


Configuration > Security Policy > NAT > Add/Edit Identity NAT Rule The Add/Edit Identity NAT Rule dialog box lets you configure the identity NAT settings.
Fields

Real AddressThe original address with its associated interface before network translation is applied.

ASDM User Guide

22-12

OL-10106-01

Chapter 22

NAT NAT

InterfaceSelects the security appliance network interface on which the original host or

network resides.
IP addressSpecifies the IP address of the host or network to which you would like to apply a

rule.
MaskSelect the network mask (netmask) for the address. BrowseLets you select the correct IP address and mask from the Hosts/Networks tree for a

predefined host or network.


Enable outside NATChoose this option to enable outside NAT. NAT OptionsLets you configure the DNS Rewrite, Maximum Connections, Embryonic Limit and Randomize Sequence Number.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

22-13

Chapter 22 NAT

NAT

ASDM User Guide

22-14

OL-10106-01

C H A P T E R

23

Configuring ARP Inspection and Bridging Parameters


This chapter describes how to enable ARP inspection and how to customize bridging operations for the security appliance in transparent firewall mode. In multiple context mode, the commands in this chapter can be entered in a security context, but not the system. For information about transparent firewall mode, see Chapter 16, Firewall Mode Overview. This chapter includes the following sections:

Configuring ARP Inspection, page 23-1 Customizing the MAC Address Table, page 23-4

Configuring ARP Inspection


This section describes ARP inspection and how to enable it, and includes the following topics:

ARP Inspection, page 23-1 Edit ARP Inspection Entry, page 23-2 ARP Static Table, page 23-3 Add/Edit ARP Static Configuration, page 23-4

ARP Inspection
Configuration > Properties > ARP > ARP Inspection The ARP Inspection pane lets you configure ARP inspection. By default, all ARP packets are allowed through the security appliance. You can control the flow of ARP packets by enabling ARP inspection. When you enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through. If there is a mismatch between the MAC address, the IP address, or the interface, then the security appliance drops the packet.

ASDM User Guide OL-10106-01

23-1

Chapter 23 Configuring ARP Inspection

Configuring ARP Inspection and Bridging Parameters

If the ARP packet does not match any entries in the static ARP table, then you can set the security appliance to either forward the packet out all interfaces (flood), or to drop the packet.

Note

The dedicated management interface, if present, never floods packets even if this parameter is set to flood.

ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a man-in-the-middle attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router. ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.
Fields

InterfaceShows the interface names. ARP Inspection EnabledShows if ARP inspection is enabled, Yes or No. Flood EnabledIf ARP inspection is enabled, shows if the action is to flood unknown packets, Yes or No. If ARP inspection is disabled, this value is always No. EditEdits the ARP inspection parameters for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

Edit ARP Inspection Entry


Configuration > Properties > ARP > ARP Inspection > Edit ARP Inspection Entry The Edit ARP Inspection Entry dialog box lets you set ARP inspection settings.
Fields

Enable ARP InspectionEnables ARP inspection. Flood ARP PacketsSpecifies that packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, then the security appliance drops the packet. If you do not check this check box, all non-matching packets are dropped.

ASDM User Guide

23-2

OL-10106-01

Chapter 23

Configuring ARP Inspection and Bridging Parameters Configuring ARP Inspection

Note

The default setting is to flood non-matching packets. To restrict ARP through the security appliance to only static entries, then set this command to no-flood. The Management 0/0 interface or subinterface, if present, never floods packets even if this parameter is set to flood.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

ARP Static Table


Configuration > Properties > ARP > ARP Static Table Although hosts identify a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends an ARP request asking for the MAC address associated with the IP address, and then delivers the packet to the MAC address according to the ARP response. The host or router keeps an ARP table so it does not have to send ARP requests for every packet it needs to deliver. The ARP table is dynamically updated whenever ARP responses are sent on the network, and if an entry is not used for a period of time, it times out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.

Note

The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the security appliance, such as management traffic. The ARP Static Table panel lets you add static ARP entries that map a MAC address to an IP address for a given interface. Static ARP entries do not time out, and might help you solve a networking problem.
Fields

InterfaceShows the interface attached to the host network. IP AddressShows the host IP address. MAC AddressShows the host MAC address. Proxy ARPShows whether the security appliance performs proxy ARP for this address. If the security appliance receives an ARP request for the specified IP address, then it responds with the specified MAC address. AddAdds a static ARP entry. EditEdits a static ARP entry. DeleteDeletes a static ARP entry.

ASDM User Guide OL-10106-01

23-3

Chapter 23 Customizing the MAC Address Table

Configuring ARP Inspection and Bridging Parameters

ARP TimeoutSets the amount of time before the security appliance rebuilds the ARP table, between 60 to 4294967 seconds. The default is 14400 seconds. Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout because the host information changes frequently. Although this parameter appears on the ARP Static Table panel, the timeout applies to the dynamic ARP table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit ARP Static Configuration


Configuration > Properties > ARP > ARP Static Table > Add/Edit ARP Static Configuration The Add/Edit ARP Static Configuration dialog box lets you add or edit a static ARP entry.
Fields

InterfaceSets the interface attached to the host network. IP AddressSets the host IP address. MAC AddressSets the host MAC address; for example, 00e0.1e4e.3d8b. Proxy ARPEnables the security appliance to perform proxy ARP for this address. If the security appliance receives an ARP request for the specified IP address, then it responds with the specified MAC address.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Customizing the MAC Address Table


This section describes the MAC address table, and includes the following topics:

MAC Address Table, page 23-5 Add/Edit MAC Address Entry, page 23-6 MAC Learning, page 23-6

ASDM User Guide

23-4

OL-10106-01

Chapter 23

Configuring ARP Inspection and Bridging Parameters Customizing the MAC Address Table

MAC Address Table


Configuration > Properties > Bridging > MAC Address Table The MAC Address Table pane lets you add static MAC Address entries. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message. When you add a static ARP entry (see the ARP Static Table section on page 23-3), a static MAC address entry is automatically added to the MAC address table. The security appliance learns and builds a MAC address table in a similar way as a normal bridge or switch: when a device sends a packet through the security appliance, the security appliance adds the MAC address to its table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface. The ASA 5505 adaptive security appliance includes a built-in switch; the switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN. This section discusses the bridge MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs. Because the security appliance is a firewall, if the destination MAC address of a packet is not in the table, the security appliance does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:

Packets for directly connected devicesThe security appliance generates an ARP request for the destination IP address, so that the security appliance can learn which interface receives the ARP response. Packets for remote devicesThe security appliance generates a ping to the destination IP address so that the security appliance can learn which interface receives the ping reply.

The original packet is dropped.


Fields

InterfaceShows the interface associated with the MAC address. MAC AddressShows the MAC address. AddAdds a static MAC address entry. EditEdits a static MAC address entry. DeleteDeletes a static MAC address entry. Dynamic Entry TimeoutSets the time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

23-5

Chapter 23 Customizing the MAC Address Table

Configuring ARP Inspection and Bridging Parameters

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit MAC Address Entry


Configuration > Properties > Bridging > MAC Address Table > Add/Edit MAC Address Entry The Add/Edit MAC Address Entry dialog box lets you add or edit a static MAC address entry. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.
Fields

Interface NameSets the interface associated with the MAC address. MAC AddressSets the MAC address.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

MAC Learning
Configuration > Properties > Bridging > MAC Learning The MAC Learning pane lets you disable MAC address learning on an interface. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.
Fields

InterfaceShows the interface name. MAC Learning EnabledShows if MAC learning is enabled, Yes or No. EnableEnables MAC learning to the selected interface. DisableDisables MAC learning to the selected interface.

ASDM User Guide

23-6

OL-10106-01

Chapter 23

Configuring ARP Inspection and Bridging Parameters Customizing the MAC Address Table

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

ASDM User Guide OL-10106-01

23-7

Chapter 23 Customizing the MAC Address Table

Configuring ARP Inspection and Bridging Parameters

ASDM User Guide

23-8

OL-10106-01

C H A P T E R

24

Preventing Network Attacks


This chapter describes how to prevent network attacks by configuring protection features, and includes the following sections:

Connection Settings (Transparent Mode Only), page 24-1 IP Audit, page 24-3 Fragment, page 24-10 Anti-Spoofing, page 24-12 TCP Options, page 24-13 Timeouts, page 24-16

Connection Settings (Transparent Mode Only)


Configuration > Properties > Connection Settings The Connection Settings pane lets you set maximum TCP and UDP connections, maximum embryonic connections, and lets you disable TCP sequence randomization for outbound traffic (inside to outside) in transparent firewall mode.

Note

You can also configure maximum connections, maximum embryonic connections, and TCP sequence randomization in Service Policy Rules. Service Policy Rules provide greater control of the application of these limits, and you can configure limits for traffic in both directions, not just outbound connections. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization. Limiting the number of connections and embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. TCP sequence randomization should only be disabled if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server. At least one of the ISNs must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session.

ASDM User Guide OL-10106-01

24-1

Chapter 24 Connection Settings (Transparent Mode Only)

Preventing Network Attacks

Fields

InterfaceShows the Interface on which connection limits are enabled. This interface is always the inside interface, because connection limits are not supported on the outside interface. AddressShows the addresses for which you apply connection limits. Maximum TCP ConnectionsShows the maximum TCP connections. A value of 0 means unlimited connections. Embryonic LimitShows the maximum embryonic connections. A value of 0 means unlimited connections. Maximum UDP ConnectionsShows the maximum UDP connections. A value of 0 means unlimited connections. Randomize Sequence NumberShows if TCP sequence randomization is enabled or disabled, Yes or No. AddAdds a connection limit rule. EditEdits a connection limit rule. DeleteDeletes a connection limit rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

Set/Edit Connection Settings


Configuration > Properties > Connection Settings > Set/Edit Connection Settings The Set/Edit Connection Settings dialog box lets you define a connection limit rule for outbound traffic (inside to outside) in transparent firewall mode.
Fields

Host/NetworkSets the hosts and networks for which you want to set connection limits.
InterfaceSets the interface on which you want to set connection limits. Choose the inside

interface only.
IP AddressSets the IP addresses for which you want to set connection limits. MaskSets the subnet mask. You can either enter a mask in the field, or choose a common

mask from the list.


BrowseOpens the Select host/network dialog box from which you can choose hosts and

networks you defined in the Network Object Groups panel.

Maximum ConnectionsSets the maximum TCP and UDP connections.


Maximum TCP ConnectionsSets the maximum TCP connections, between 0 and 65535. The

0 value means unlimited connections.

ASDM User Guide

24-2

OL-10106-01

Chapter 24

Preventing Network Attacks IP Audit

Maximum UDP ConnectionsSets the maximum UDP connections, between 0 and 65535. The

0 value means unlimited connections.

Maximum Embryonic ConnectionsSets the maximum embryonic connections, between 0 and 65535. The 0 value means unlimited connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. Randomize Sequence Number checkEnables TCP sequence number randomization. Uncheck this box to disable randomiztion. TCP sequence randomization should only be disabled if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

IP Audit
The IP audit feature provides basic IPS functionality; for advanced IPS functionality on supported platforms, you can install an AIP SSM. This feature lets you create a named audit policy that identifies the actions to take when a packet matches a predefined attack signature or informational signature. Signatures are activities that match known attack patterns. For example, there are signatures that match DoS attacks. You can configure the security appliance to drop the packet, generate an alarm, or reset the connection.

IP Audit Policy
Configuration > Properties > IP Audit > IP Audit Policy The IP Audit Policy pane lets you add audit policies and assign them to interfaces. You can assign an attack policy and an informational policy to each interface. The attack policy determines the action to take with packets that match an attack signature; the packet might be part of an attack on your network, such as a DoS attack. The informational policy determines the action to take with packets that match an informational signature; the packet is not currently attacking your network, but could be part of an information-gathering activity, such as a port sweep. For a complete list of signatures, see the IP Audit Signature List.
Fields

NameShows the names of the defined IP audit policies. Although the default actions for a named policy are listed in this table (--Default Action--), they are not named policies that you can assign to an interface. Default actions are used by named policies if you do not set an action for the policy. You can modify the default actions by selecting them and clicking the Edit button. TypeShows the policy type, either Attack or Info.

ASDM User Guide OL-10106-01

24-3

Chapter 24 IP Audit

Preventing Network Attacks

ActionShows the actions taken against packets that match the policy, Alarm, Drop, and/or Reset. Multiple actions can be listed. AddAdds a new IP audit policy. EditEdits an IP audit policy or the default actions. DeleteDeletes an IP audit policy. You cannot delete a default action. Policy-to-Interface MappingsAssigns an attack and informational policy to each interface.
InterfaceShows the interface name. Attack PolicyLists the attack audit policy names available. Assign a policy to an interface by

clicking the name in the list.


Info PolicyLists the informational audit policy names available. Assign a policy to an

interface by clicking the name in the list.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit IP Audit Policy Configuration


Configuration > Properties > IP Audit > IP Audit Policy > Add/Edit IP Audit Policy Configuration The Add/Edit IP Audit Policy Configuration dialog box lets you add or edit a named IP audit policy that you can assign to interfaces, and lets you modify the default actions for each signature type.
Fields

Policy NameSets the IP audit policy name. You cannot edit the name after you add it. Policy TypeSets the policy type. You cannot edit the policy type after you add it.
AttackSets the policy type as attack. InformationSets the policy type as informational.

ActionSets one or more actions to take when a packet matches a signature. If you do not choose an action, then the default policy is used.
AlarmGenerates a system message showing that a packet matched a signature. For a complete

list of signatures, see IP Audit Signature List.


DropDrops the packet. ResetDrops the packet and closes the connection.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

24-4

OL-10106-01

Chapter 24

Preventing Network Attacks IP Audit

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IP Audit Signatures
Configuration > Properties > IP Audit > IP Audit Signatures The IP Audit Signatures pane lets you disable audit signatures. You might want to disable a signature if legitimate traffic continually matches a signature, and you are willing to risk disabling the signature to avoid large numbers of alarms. For a complete list of signatures, see IP Audit Signature List.
Fields

EnabledLists the enabled signatures. DisabledLists the disabled signatures. DisableMoves the selected signature to the Disabled pane. EnableMoves the selected signature to the Enabled pane.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

24-5

Chapter 24 IP Audit

Preventing Network Attacks

IP Audit Signature List


Table 24-1 lists supported signatures and system message numbers.
Table 24-1 Signature IDs and System Message Numbers

Signature Message ID Number Signature Title 1000 400000 IP options-Bad Option List

Signature Type Description Informational Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks. Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route). Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp). Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options). Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route). Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier). Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing). Triggers when any IP datagram is received with an offset value less than 5 but greater than 0 indicated in the offset field. Triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack.

1001

400001

IP options-Record Packet Route

Informational

1002

400002

IP options-Timestamp

Informational

1003

400003

IP options-Security

Informational

1004

400004

IP options-Loose Source Route

Informational

1005

400005

IP options-SATNET ID

Informational

1006

400006

IP options-Strict Source Route

Informational

1100

400007

IP Fragment Attack

Attack

1102

400008

IP Impossible Packet

Attack

ASDM User Guide

24-6

OL-10106-01

Chapter 24

Preventing Network Attacks IP Audit

Table 24-1

Signature IDs and System Message Numbers (continued)

Signature Message ID Number Signature Title 1103 400009

Signature Type Description Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. This could mean that fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments, which is how the Teardrop attack works to create a DoS. Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply). Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable). Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 11(Time Exceeded for a Datagram). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 12 (Parameter Problem on Datagram). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request).

IP Overlapping Fragments (Teardrop) Attack

2000

400010

ICMP Echo Reply

Informational

2001

400011

ICMP Host Unreachable

Informational

2002

400012

ICMP Source Quench

Informational

2003

400013

ICMP Redirect

Informational

2004

400014

ICMP Echo Request

Informational

2005

400015

ICMP Time Exceeded for a Datagram Informational

2006

400016

ICMP Parameter Problem on Datagram

Informational

2007

400017

ICMP Timestamp Request

Informational

ASDM User Guide OL-10106-01

24-7

Chapter 24 IP Audit

Preventing Network Attacks

Table 24-1

Signature IDs and System Message Numbers (continued)

Signature Message ID Number Signature Title 2008 400018 ICMP Timestamp Reply

Signature Type Description Informational Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 15 (Information Request). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 16 (ICMP Information Reply). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply). Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field. Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP) and the IP length > 1024. Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP), the Last Fragment bit is set, and ( IP offset * 8 ) + ( IP data length) > 65535 that is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8 byte units) plus the rest of the packet is greater than the maximum size for an IP packet. Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. Triggers when a single TCP packet with the SYN and FIN flags are set and is sent to a specific host.

2009

400019

ICMP Information Request

Informational

2010

400020

ICMP Information Reply

Informational

2011

400021

ICMP Address Mask Request

Informational

2012

400022

ICMP Address Mask Reply

Informational

2150

400023

Fragmented ICMP Traffic

Attack

2151

400024

Large ICMP Traffic

Attack

2154

400025

Ping of Death Attack

Attack

3040

400026

TCP NULL flags

Attack

3041

400027

TCP SYN+FIN flags

Attack

ASDM User Guide

24-8

OL-10106-01

Chapter 24

Preventing Network Attacks IP Audit

Table 24-1

Signature IDs and System Message Numbers (continued)

Signature Message ID Number Signature Title 3042 400028 TCP FIN only flags

Signature Type Description Attack Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host. Triggers if a port command is issued with an address that is not the same as the requesting host. Triggers if a port command is issued with a data port specified that is <1024 or >65535. Triggers when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt. Triggers when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected. This signature triggers when a UDP packet is detected with a source port of 7 and a destination port of 19. Triggers on an attempt to access HINFO records from a DNS server. Triggers on normal DNS zone transfers, in which the source port is 53. Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53. Triggers on a DNS request for all records. Triggers when attempts are made to register new RPC services on a target host. Triggers when attempts are made to unregister existing RPC services on a target host. Triggers when an RPC dump request is issued to a target host. Triggers when a proxied RPC request is sent to the portmapper of a target host. Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port. Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port.

3153

400029

FTP Improper Address Specified

Informational

3154 4050

400030 400031

FTP Improper Port Specified UDP Bomb attack

Informational Attack

4051

400032

UDP Snork attack

Attack

4052

400033

UDP Chargen DoS attack

Attack

6050 6051 6052 6053 6100 6101

400034 400035 400036 400037 400038 400039

DNS HINFO Request DNS Zone Transfer DNS Zone Transfer from High Port DNS Request for All Records RPC Port Registration RPC Port Unregistration

Informational Informational Informational Attack Informational Informational

6102 6103 6150

400040 400041 400042

RPC Dump Proxied RPC Request ypserv (YP server daemon) Portmap Request ypbind (YP bind daemon) Portmap Request

Informational Attack Informational

6151

400043

Informational

ASDM User Guide OL-10106-01

24-9

Chapter 24 Fragment

Preventing Network Attacks

Table 24-1

Signature IDs and System Message Numbers (continued)

Signature Message ID Number Signature Title 6152 400044 yppasswdd (YP password daemon) Portmap Request ypupdated (YP update daemon) Portmap Request

Signature Type Description Informational Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port. Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. Triggers when a request is made to the portmapper for the mount daemon (mountd) port. Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port. Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources. Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.

6153

400045

Attack

6154

400046

ypxfrd (YP transfer daemon) Portmap Attack Request mountd (mount daemon) Portmap Request rexd (remote execution daemon) Portmap Request rexd (remote execution daemon) Attempt Informational

6155

400047

6175

400048

Informational

6180

400049

Informational

6190

400050

statd Buffer Overflow

Attack

Fragment
Configuration > Properties > Advanced > Fragment The Fragment pane lets you configure the IP fragment database on each interface of the security appliance to improve compatibility with NFS.
Fields

Fragment table:
InterfaceLists the available interfaces of the security appliance. SizeSets the maximum number of packets that can be in the IP reassembly database waiting

for reassembly. The default is 200.


Chain LengthSpecifies the maximum number of packets into which a full IP packet can be

fragmented. The default is 24 packets.


TimeoutSpecifies the maximum number of seconds to wait for an entire fragmented packet

to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received will be discarded. The default is 5 seconds.

ASDM User Guide

24-10

OL-10106-01

Chapter 24

Preventing Network Attacks Fragment

EditOpens the Edit Fragment dialog box. Show FragmentOpens a panel and displays the current IP fragment database statistics for each interface of the security appliance.

Changing Fragment Parameters

To modify the IP fragment database parameters of an interface, perform the following steps:
Step 1 Step 2 Step 3

Choose the interface to change in the Fragment table and click Edit. The Edit Fragment dialog box appears. In the Edit Fragment dialog box, change the Size, Chain, and Timeout values as desired, and click OK. If you make a mistake, click Restore Defaults. Click Apply in the Fragment panel.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Show Fragment
Configuration > Properties > Fragment > Show Fragment The Show Fragment panel displays the operational data of the IP fragment reassembly module.
Fields

SizeDisplay only. Displays the number of packets in the IP reassembly database waiting for reassembly. The default is 200. ChainDisplay only. Displays the number of packets into which a full IP packet can be fragmented. The default is 24 packets. TimeoutDisplay only. Displays the number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds displayed, all fragments of the packet that were already received will be discarded. The default is 5 seconds. ThresholdDisplay only. Displays the IP packet threshold, or the limit after which no new chains can be created in the reassembly module. QueueDisplay only. Displays the number of IP packets waiting in the queue for reassembly. AssembledDisplay only. Displays the number of IP packets successfully reassembled. FailDisplay only. Displays the number of failed reassembly attempts. OverflowDisplay only. Displays the number of IP packets in the overflow queue.

ASDM User Guide OL-10106-01

24-11

Chapter 24 Anti-Spoofing

Preventing Network Attacks

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit Fragment
Configuration > Properties > Fragment > Edit Fragment The Edit Fragment dialog box lets you configure the IP fragment database of the selected interface.
Fields

InterfaceDisplays the interface you selected in the Fragment panel. Changes made in the Edit Fragment dialog box are applied to the interface displayed. SizeSets the maximum number of packets that can be in the IP reassembly database waiting for reassembly. Chain LengthSets the maximum number of packets into which a full IP packet can be fragmented. TimeoutSets the maximum number of seconds to wait for an entire fragmented packet to arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received will be discarded. Restore DefaultsRestores the factory default settings:
Size is 200. Chain is 24 packets. Timeout is 5 seconds.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Anti-Spoofing
Configuration > Properties > Anti-Spoofing

ASDM User Guide

24-12

OL-10106-01

Chapter 24

Preventing Network Attacks TCP Options

The Anti-Spoofing window lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. Normally, the security appliance only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information. For outside traffic, for example, the security appliance can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the security appliance uses the default route to correctly identify the outside interface as the source interface. If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface. Unicast RPF is implemented as follows:

ICMP packets have no session, so each packet is checked. UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

Fields

InterfaceLists the interface names. Anti-Spoofing EnabledShows whether an interface has Unicast RPF enabled, Yes or No. EnableEnables Unicast RPF for the selected interface. DisableDisables Unicast RPF for the selected interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

TCP Options
Configuration > Properties > TCP Options The TCP Options window lets you set parameters for TCP connections.

ASDM User Guide OL-10106-01

24-13

Chapter 24 TCP Options

Preventing Network Attacks

Fields

Inbound and Outbound Reset areaSets whether to reset denied TCP connections for inbound and outbound traffic.
Interface columnShows the interface name. Inbound Reset columnShows the interface reset setting for inbound TCP traffic, Yes or No.

Enabling this setting causes the security appliance to send TCP resets for all inbound TCP sessions that attempt to transit the security appliance and are denied by the security appliance based on access lists or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the security appliance silently discards denied packets.
Outbound Reset columnShows the interface reset setting for outbound TCP traffic, Yes or No.

Enabling this setting causes the security appliance to send TCP resets for all outbound TCP sessions that attemp to transit the security appliance and are denied by the security appliance based on access lists or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the security appliance silently discards denied packets.
Edit buttonSets the inbound and outbound reset settings for the interface.

Send Reset Reply for Denied Outside TCP Packets check boxEnables resets for TCP packets that terminate at the least secure interface and are denied by the security appliance based on access lists or AAA settings. When this option is not enabled, the security appliance silently discards denied packets. If you enable Inbound Resets for the least secure interface (see TCP Reset Settings), then you do not also have to enable this setting; Inbound Resets handle to-the-security appliance traffic as well as through the security appliance traffic. Force Maximum Segment Size for TCP check box and fieldSets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting the bytes to 0. Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set here, then the security appliance overrides the maximum and inserts the value you set. For example, if you set a maximum size of 1200 bytes, when a host requests a maximum size of 1300 bytes, then the security appliance alters the packet to request 1200 bytes. Force Minimum Segment Size for TCP check box and fieldOverrides the maximum segment size to be no less than the number of bytes you set, between 48 and any maximum number. This feature is disabled by default (set to 0). Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum is less than the value you set for the Force Minimum Segment Size for TCP Proxy field, then the security appliance overrides the maximum and inserts the minimum value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a minimum size of 400 bytes, if a host requests a maximum value of 300 bytes, then the security appliance alters the packet to request 400 bytes. Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Seconds check boxForces each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence. You might want to use this feature if an end host application default TCP terminating sequence is a simultaneous close. The default behavior of the security appliance is to track the shutdown sequence and release the connection after two FINs and the ACK of the last FIN segment. This quick release heuristic enables the security appliance to sustain a high connection rate, based on the most common closing sequence, known as the normal close sequence. However, in a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed to the normal close sequence where one end closes and the other end acknowledges prior to initiating its own closing sequence (see RFC 793). Thus, in a simultaneous close, the quick release forces one side of the connection to linger in the CLOSING state. Having many sockets in the

ASDM User Guide

24-14

OL-10106-01

Chapter 24

Preventing Network Attacks TCP Options

CLOSING state can degrade the performance of an end host. For example, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Using this feature creates a window for the simultaneous close down sequence to complete.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

TCP Reset Settings


Configuration > Properties > TCP Options > TCP Reset Settings This dialog box sets the inbound and outboud reset settings for an interface.
Fields

Send Reset Reply for Denied Inbound TCP Packets check boxSends TCP resets for all inbound TCP sessions that attempt to transit the security appliance and are denied by the security appliance based on access lists or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the security appliance silently discards denied packets. You might want to explicitly send resets for inbound traffic if you need to reset identity request (IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host, the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out. Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting the SYN until the IDENT times out, so the service resetinbound command might improve performance.

Send Reset Reply for Denied Outbound TCP Packets check boxSends TCP resets for all outbound TCP sessions that attempt to transit the security appliance and are denied by the security appliance based on access lists or AAA settings. Traffic between same security level interfaces is also affected. When this option is not enabled, the security appliance silently discards denied packets. This option is enabled by default. You might want to disable outbound resets to reduce the CPU load during traffic storms, for example.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

24-15

Chapter 24 Timeouts

Preventing Network Attacks

Timeouts
Configuration > Properties > Timeouts The Timeouts window lets you set the timeout durations for use with the security appliance. All durations are displayed in the format hh:mm:ss. It sets the idle time for the connection and translation slots of various protocols. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence. Note: It is recommended that you do not change these values unless advised to do so by Customer Support.
Fields

In all cases, except for Authentication absolute and Authentication inactivity, unchecking the check boxes means there is no timeout value. For those two cases, clearing the check box means to reauthenticate on every new connection.

ConnectionModifies the idle time until a connection slot is freed. Enter 0:0:0 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour. Half-closedModifies the idle time until a TCP half-closed connection closes. The minimum is 5 minutes. The default is 10 minutes. Enter 0:0:0 to disable timeout for a half-closed connection. UDPModifies the idle time until a UDP protocol connection closes. This duration must be at least 1 minute. The default is 2 minutes. Enter 0:0:0 to disable timeout. ICMPModifies the idle time after which general ICMP states are closed. H.323Modifies the idle time until an H.323 media connection closes. The default is 5 minutes. Enter 0:0:0 to disable timeout. H.225Modifies the idle time until an H.225 signaling connection closes. The H.225 default timeout is 1 hour (01:00:00). Setting the value of 00:00:00 means never close this connection. To close this connection immediately after all calls are cleared, a value of 1 second (00:00:01) is recommended. MGCPModifies the timeout value for MGCP which represents the idle time after which MGCP media ports are closed. The MGCP default timeout is 5 minutes (00:05:00). Enter 0:0:0 to disable timeout. MGCP PATModifies the idle time after which an MGCP PAT translation is removed. The default is 5 minutes (00:05:00). The minimum time is 30 seconds. Uncheck the check box to return to the default value. SUNRPCModifies the idle time until a SunRPC slot is freed. This duration must be at least 1 minute. The default is 10 minutes. Enter 0:0:0 to disable timeout. SIPModifies the idle time until an SIP signalling port connection closes. This duration must be at least 5 minutes. The default is 30 minutes. SIP MediaModifies the idle time until an SIP media port connection closes. This duration must be at least 1 minute. The default is 2 minutes. SIP InviteModifies the idle time after which pinholes for PROVISIONAL responses and media xlates will be closed. The minimum value is 0:1:0, the maximum value is 0:30:0. The default value is 0:03:00. SIP DisconnectModifies the idle time after which SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message. The minimum value is 0:0:1, the maximum value is 0:10:0. The default value is 0:02:00.

ASDM User Guide

24-16

OL-10106-01

Chapter 24

Preventing Network Attacks Timeouts

Authentication absoluteModifies the duration until the authentication cache times out and you have to reauthenticate a new connection. This duration must be shorter than the Translation Slot value. The system waits until you start a new connection to prompt you again. Enter 0:0:0 to disable caching and reauthenticate on every new connection.

Note

Do not set this value to 0:0:0 if passive FTP is used on the connections. Authentication inactivityModifies the idle time until the authentication cache times out and users have to reauthenticate a new connection. This duration must be shorter than the Translation Slot value. Translation SlotModifies the idle time until a translation slot is freed. This duration must be at least 1 minute. The default is 3 hours. Enter 0:0:0 to disable timeout.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

24-17

Chapter 24 Timeouts

Preventing Network Attacks

ASDM User Guide

24-18

OL-10106-01

C H A P T E R

25

Configuring QoS
Priority Queue
Configuration > Properties > Priority Queue The Priority Queue window shows the priority queue parameters on each configured interface. Priority queueing is disabled by default.
Fields

InterfaceShows the name of the interface. Queue LimitShows the maximum number of packets that can be enqueued to a normal or priority queue before it drops the connection.

Note

Both queues have the same limit. Packets in the priority queue are totally drained before packets in the normal priority queue are transmitted. Transmission Ring LimitSpecifies the depth of the priority queues. If priority queuing is not enabled, this column shows the message: Ring Disabled. EditOpens the Edit Priority Queue dialog box, in which you can change the priority-queue parameters.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit Priority Queue


Configuration > Properties > Priority Queue > Edit Priority Queue The Edit Priority Queue dialog box lets you change the priority queue parameters for a configured interface.

ASDM User Guide OL-10106-01

25-1

Chapter 25 Priority Queue

Configuring QoS

The transmission ring limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust the queue-limit and transmission ring limit parameters to optimize the flow of low-latency traffic. Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can adjust the queue-limit parameter to increase the queue buffer size.
Fields

InterfaceIdentifies the selected interface. You cannot change this field. Queue LimitSpecifies the maximum number of packets that can be enqueued to a normal or priority queue before it drops the connection. The minimum is 0 packets, and the maximum is 250 packets.

Note

Both queues have the same limit. Packets in the priority queue are totally drained before packets in the normal priority queue are transmitted. Enable Transmission RingLets you configure the maximum number of packets allowed in the transmit queue at any given time Transmission Ring LimitSpecifies the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears. The minimum value is 3. The upper limit of the range of values for the queue-limit and tx-ring-limit commands is determined dynamically at run time. To view this limit, enter help or ? on the command line. The key determinant is the memory needed to support the queues and the memory available on the device. The queues must not exceed the available memory. The theoretical maximum number of packets is 2147483647. If priority queuing is not enabled, this column shows the message: Ring Disabled.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

25-2

OL-10106-01

Chapter 25

Configuring QoS Priority Queue

WCCP
Configuration > Properties > WCCP The Web Cache Communication Protocol (WCCP) feature lets you specify WCCP service groups and redirect web cache traffic. The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times.

WCCP Service Groups


Configuration > Properties > WCCP >Service Groups The Service Groups panel lets you allocate space and enable support of the specified Web Cache Communication Protocol (WCCP) service group.
Fields

ServiceDisplays the service group name or service group number for WCCP support. Redirect ListDisplays the name of the access list that controls traffic redirected to a specific service group. Group ListDisplays the name of the access list that determines which web caches are allowed to participate in the service group.

Add or Edit WCCP Service Group


Configuration > Properties > WCCP >Service Groups The Add or Edit Service Group dialog box lets you change the service group parameters for a configured service group.
Fields

ServiceSpecifies the service group. You can specify the web cache service, or the identification number of the service. Web CacheSpecifies the web cache service. The maximum number of services, including those specified with a dynamic service identifier is 256. Dynamic Service NumberA dynamic service identifier, which means the service definition is dictated by the cache. The dynamic service number can be from 0 to 254. This is used as the name of the service group. Redirect ListThe predefined access list that controls traffic redirected to this service group. Group ListThe predefined access list that determines which web caches are allowed to participate in the service group. PasswordEnter a password up to seven characters long, which is used for MD5 authentication for messages received from the service group. The password length is one to eight characters. Confirm PasswordReenter the password. ManageOpens the access list manager.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

25-3

Chapter 25 Priority Queue

Configuring QoS

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Redirection
Configuration > Properties > WCCP >Redirection The Redirection panel lets you enable packet redirection on the ingress of an interface using WCCP.
Fields

InterfaceDisplays the interface on which WCCP redirection is enabled. Service GroupDisplays the name of the service group configured for WCCP..

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add or Edit WCCP Redirection


Configuration > Properties > WCCP >Add or Edit Redirection The Redirection panel lets you enable packet redirection on the ingress of an interface using WCCP.
Fields

InterfaceSelect the interface on which to enable WCCP redirection. Service GroupSelect the service group. Add ServiceOpens the Add/Edit WCCP Service Group dialog box.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

25-4

OL-10106-01

Chapter 25

Configuring QoS Priority Queue

WCCP
Monitoring > Properties > WCCP The Web Cache Communication Protocol (WCCP) feature lets you monitor WCCP service groups and redirect web cache traffic. The feature transparently redirects selected types of traffic to a group of web cache engines to optimize resource usage and lower response times.

WCCP Service Groups


Monitoring > Properties > WCCP >Service Groups The Service Groups panel lets you view allocated space and display the properties of the specified Web Cache Communication Protocol (WCCP) service group.
Fields

Service GroupDisplays the service group name or service group number for WCCP support. Display ModeSelect the mode to display the WCCP information in the output area. The choices are Detail, View, Service, Hash, and Buckets. The Destination address and port fields and Source address and port fields correspond only to the Hash Display mode.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Redirection
Monitoring > Properties > WCCP >Redirection The Redirection panel lets you view details about enabled packet redirection on the ingress of an interface using WCCP.
Fields

Show SummaryDisplays summarized information about the interface on which WCCP redirection is enabled. Show DetailsDisplays detailed information about the interface on which WCCP redirection is enabled.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

25-5

Chapter 25 Priority Queue

Configuring QoS

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

25-6

OL-10106-01

C H A P T E R

26

VPN
The security appliance creates a virtual private network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections. The secure connection is called a tunnel, and the security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel, where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The security appliance performs the following VPN functions:

Establishes tunnels. Negotiates tunnel parameters. Enforces VPN policies. Authenticates users. Authorizes users for specific levels of use and access. Performs accounting functions. Assigns user addresses. Encrypts and decrypts data. Manages security keys. Manages data transfer across the tunnel. Manages data transfer inbound and outbound as a tunnel endpoint or router.

The security appliance invokes various standard protocols to accomplish these functions.

VPN Wizard
Configuration > VPN > VPN Wizard The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections. Use ASDM to edit and configure advanced features.

ASDM User Guide OL-10106-01

26-1

Chapter 26 VPN Wizard

VPN

Note

The VPN wizard lets you assign either preshared keys or digital certificates for authentication. However, to use certificates, you must enroll with a certification authority and configure a trustpoint prior to using the wizard. Use the ASDM Device Administration > Certificate panels and online Help to accomplish these tasks.
VPN Overview

The security appliance creates a Virtual Private Network by creating a secure connection across a TCP/IP network (such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections and LAN-to-LAN connections. The secure connection is called a tunnel, and the security appliance uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The security appliance functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The security appliance performs the following functions:

Establishes tunnels Negotiates tunnel parameters Authenticates users Assigns user addresses Encrypts and decrypts data Manages security keys Manages data transfer across the tunnel Manages data transfer inbound and outbound as a tunnel endpoint or router

VPN Tunnel Type


VPN Wizard > VPN Tunnel Type Use the VPN Tunnel Type panel to select the type of VPN tunnel to define, remote access or LAN-to-LAN, and to identify the interface that connects to the remote IPSec peer.
Fields

Site-to-SiteClick to create a LAN-to-LAN VPN configuration. Use between two IPSec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity. When you select this option, the VPN wizard displays a series of panels that let you to enter the attributes a site-to-site VPN requires. Remote AccessClick to create a configuration that achieves secure remote access for VPN clients, such as mobile users. This option lets remote users securely access centralized network resources. When you select this option, the VPN wizard displays a series of panels that let you enter the attributes a remote access VPN requires. VPN Tunnel InterfaceSelect the interface that establishes a secure tunnel with the remote IPSec peer. If the security appliance has multiple interfaces, you need to plan the VPN configuration before running this wizard, identifying the interface to use for each remote IPSec peer with which you plan to establish a secure connection.

ASDM User Guide

26-2

OL-10106-01

Chapter 26

VPN VPN Wizard

Enable inbound IPSec sessions to bypass interface access listsEnable IPSec authenticated inbound sessions to always be permitted through the security appliance (that is, without a check of the interface access-list statements). Be aware that the inbound sessions bypass only the interface ACLs. Configured group-policy, user, and downloaded ACLs still apply.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Remote Site Peer


VPN Wizard > Remote Site Peer Use the Remote Site Peer panel for the following tasks:
1. 2. 3.

Providing the IP address of the remote IPSec peer that terminates this VPN tunnel. Creating the tunnel group for the remote peer. Selecting and configuring an authentication method.

Fields

Peer IP AddressType the IP address of the remote IPSec peer that terminates the VPN tunnel. The peer might be another security appliance, a VPN concentrator, or any other gateway device that supports IPSec. Authentication MethodThe remote site peer authenticates either with a preshared key or a certificate.
Pre-shared KeyClick to use a preshared key for authentication between the local security

appliance and the remote IPSec peer. Using a preshared key is a quick and easy way to set up communication with a limited number of remote peers and a stable network. It may cause scalability problems in a large network because each IPSec peer requires configuration information for each peer with which it establishes secure connections. Each pair of IPSec peers must exchange preshared keys to establish secure tunnels. Use a secure method to exchange the preshared key with the administrator of the remote site.
Pre-shared KeyType the preshared key. Maximum 127 characters. CertificateClick to use certificates for authentication between the local security appliance and

the remote IPSec peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the security appliance. Digital certificates are an efficient way to manage the security keys used to establish an IPSec tunnel. A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department or IP address. A digital certificate also contains a copy of the owners public key.

ASDM User Guide OL-10106-01

26-3

Chapter 26 VPN Wizard

VPN

To use digital certificates, each peer enrolls with a certification authority (CA), which is responsible for issuing digital certificates. A CA can be a trusted vendor or a private CA that you establish within an organization. When two peers want to communicate, they exchange certificates and digitally sign data to authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of the other peers require additional configuration.
Certificate Signing AlgorithmSelect the algorithm for signing digital certificates, either

rsa-sig for RSA or dsa-sig for DSA.


Trustpoint NameSelect the name that identifies the certificate the security appliance sends to

the remote peer. This list displays trustpoints with a certificate of the type previously selected in the certificate signing algorithm list.
Challenge/response authentication (CRACK)Provides strong mutual authentication when the

client authenticates using a popular method such as RADIUS and the server uses public key authentication. The security appliance supports CRACK as an IKE option in order to authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.

Tunnel Group NameType a name to create the record that contains tunnel connection policies for this IPSec connection. A tunnel group can specify authentication, authorization, and accounting servers, a default group policy, and IKE attributes. A tunnel group that you configure with this VPN wizard specifies an authentication method, and uses the security appliance Default Group Policy. By default, ASDM populates this box with the value of the Peer IP address. You can change this name. Maximum 64 characters.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IKE Policy
VPN Wizard >IKE Policy IKE, also called Internet Security Association and Key Management Protocol (ISAKMP), is the negotiation protocol that lets two hosts agree on how to build an IPSec Security Association. Each IKE negotiation is divided into two sections called Phase1 and Phase 2.

Phase 1 creates the first tunnel, which protects later IKE negotiation messages. Phase 2 creates the tunnel that protects data. An encryption method to protect the data and ensure privacy. An authentication method to ensure the identity of the peers. A Diffie-Hellman group to establish the strength of the of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.

Use the IKE Policy panel to set the terms of the Phase 1 IKE negotiations, which include the following:

ASDM User Guide

26-4

OL-10106-01

Chapter 26

VPN VPN Wizard

Fields

EncryptionSelect the symmetric encryption algorithm the security appliance uses to establish the Phase 1 SA that protects Phase 2 negotiations. The security appliance supports the following encryption algorithms: Explanation Data Encryption Standard. Uses a 56-bit key. Triple DES. Performs encryption three times using a 56-bit key. Advanced Encryption Standard. Uses a 128-bit key. AES using a 192-bit key. AES using a 256-bit key

Algorithm DES 3DES AES-128 AES-192 AES-256

The default, 3DES, is more secure than DES but requires more processing for encryption and decryption. Similarly, the AES options provide increased security, but also require increased processing.

AuthenticationSelect the hash algorithm used for authentication and ensuring data integrity. The default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There has been a demonstrated successful (but extremely difficult) attack against MD5. However, the Keyed-Hash Message Authentication Code (HMAC) version used by the security appliance prevents this attack. DH GroupSelect the Diffie-Hellman group identifier, which the two IPSec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC).

Note

The default value for the VPN 3000 Series Concentrator is MD5. A connection between the security appliance and the VPN Concentrator requires that the authentication method for Phase I and II IKE negotiations be the same on both sides of the connection.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IPSec Encryption and Authentication


VPN Wizard > IPSec Encryption and Authentication Use this IPSec Encryption and Authentication panel to select the encryption and authentication methods to use for Phase 2 IKE negotiations, which create the secure VPN tunnel. These values must be exactly the same for both peers.

ASDM User Guide OL-10106-01

26-5

Chapter 26 VPN Wizard

VPN

Fields

EncryptionSelect the symmetric encryption algorithm the security appliance uses to establish the VPN tunnel. The security appliance uses encryption to protect the data that travels across the tunnel and ensure privacy. Valid encryption methods include the following: Explanation Data Encryption Standard. Uses a 56-bit key. Triple DES. Encrypts three times using a 56-bit key. Advanced Encryption Standard. Uses a 128-bit key. AES using a 192-bit key. AES using a 256-bit key

Encryption Method DES 3DES AES-128 AES-192 AES-256

The default, 3DES, is more secure than DES but requires more processing for encryption and decryption. Similarly, the AES options provide increased security, but also require increased processing.

AuthenticationSelect the hash algorithm used for authentication and ensuring data integrity. The default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There has been a demonstrated successful (but extremely difficult) attack against MD5. However, the Keyed-Hash Message Authentication Code (HMAC) version used by the security appliance prevents this attack.

Note

The default value for the VPN 3000 Series Concentrator is MD5. A connection between the security appliance and the VPN Concentrator requires that the authentication method for Phase I and Phase II IKE negotiations be the same on both sides of the connection.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Local Hosts and Networks


VPN Wizard > Hosts and Networks Use the Hosts and Networks panel to identify local and remote hosts and networks that can use this LAN-to-LAN IPSec tunnel to send and receive data. You can identify hosts and networks by IP address, DNS name or group policy. Depending on that choice, the remaining fields in this panel change.

ASDM User Guide

26-6

OL-10106-01

Chapter 26

VPN VPN Wizard

For IPSec to succeed, both peers in the LAN-to-LAN connection must have compatible entries for hosts and networks. The hosts and networks you configure as Local Hosts and Networks in this panel must be configured as Remote Hosts and Networks on the device at the remote site for the LAN-to-LAN connection. The local security appliance and the remote device must have at least one transform set in common for this LAN-to-LAN connection.
Fields

Source areaLets you configure the local hosts and networks.


TypeSelect either any, IP Address, Network Object Group, or Interface IP.

Selecting IP Address displays IP Address and Netmask fields. Enter the IP address of the host or network. Either type the IP address or click the adjacent ... button to select a host or network. Select the subnet mask for the IP address. If you used the ... button to select a host or network, ASDM completes this box automatically. Selecting Network Object Group displays the Group Name field, where you specify a group name. This option lets you configure an entire group to use the tunnel. You configure these groups in the Configuration > Features > Building Blocks > Hosts and Networks panel. Selecting Interface IP displays the Interface field, where you select the interface name.

Destination areaLets you configure the local hosts and networks.


TypeSelect either any, IP Address, Network Object Group, or Interface IP.

Selecting IP Address displays IP Address and Netmask fields. Enter the IP address of the host or network. Either type the IP address or click the adjacent ... button to select a host or network. Select the subnet mask for the IP address. If you used the ... button to select a host or network, ASDM completes this box automatically. Selecting Network Object Group displays the Group Name field, where you specify a group name. This option lets you configure an entire group to use the tunnel. You configure these groups in the Configuration > Features > Building Blocks > Hosts and Networks panel. Selecting Interface IP displays the Interface field, where you select the interface name.

Exempt ASA side host/network from address translationAllows traffic to pass through the security appliance without address translation.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Summary
VPN Wizard > Summary The Summary panel displays all of the attributes of this VPN LAN-to-LAN connection as configured.

ASDM User Guide OL-10106-01

26-7

Chapter 26 VPN Wizard

VPN

Fields

BackTo make changes, click Back until you reach the appropriate panel. FinishWhen you are satisfied with the configuration, click Finish. ASDM saves the LAN-to-LAN configuration. After you click Finish, you can no longer use the VPN wizard to make changes to this configuration. Use ASDM to edit and configure advanced features. CancelTo remove the configuration, click Cancel.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Remote Access Client


VPN Wizard > Remote Access Client Use the Remote Access Client panel to identify the type of remote access users this connection serves.
Fields

Cisco VPN Client Release 3.x or higher, or other Easy VPN Remote productClick for IPSec connections, including compatible software and hardware clients other than those named here. Microsoft Windows client using L2TP over IPSecClick to enable connections from Microsoft Windows and Microsoft Windows Mobile clients over a public IP network. L2TP uses PPP over UDP (port 1701) to tunnel the data. Enable one or more of the following PPP authentication protocols:
PAPPasses cleartext username and password during authentication and is not secure. CHAPIn response to the server challenge, the client returns the encrypted [challenge plus

password] with a cleartext username. This protocol is more secure than the PAP, but it does not encrypt data.
MS-CHAP, Version 1Similar to CHAP but more secure in that the server stores and compares

only encrypted passwords rather than cleartext passwords as in CHAP.


MS-CHAP, Version 2Contains security enhancements over MS-CHAP, Version 1. EAPEnables EAP which permits the security appliance to proxy the PPP authentication

process to an external RADIUS authentication server.

Client will send tunnel group name as username@tunnelgroupCheck to enable the security appliance to associate different users that are establishing L2TP over IPSec connections with different tunnel groups. Since each tunnel group has its own AAA server group and IP address pools, users can be authenticated through methods specific to their tunnel group.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

26-8

OL-10106-01

Chapter 26

VPN VPN Wizard

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

VPN Client Authentication Method and Tunnel Group Name


VPN Wizard > VPN Client Authentication Method and Tunnel Group Name Use the VPN Client Authentication Method and Tunnel Group Name panel to configure an authentication method and create a tunnel group.
Fields

Authentication MethodThe remote site peer authenticates either with a preshared key or a certificate.
Pre-shared KeyClick to use a preshared key for authentication between the local security

appliance and the remote IPSec peer. Using a preshared key is a quick and easy way to set up communication with a limited number of remote peers and a stable network. It may cause scalability problems in a large network because each IPSec peer requires configuration information for each peer with which it establishes secure connections. Each pair of IPSec peers must exchange preshared keys to establish secure tunnels. Use a secure method to exchange the preshared key with the administrator of the remote site.
Pre-shared KeyType the preshared key. CertificateClick to use certificates for authentication between the local security appliance and

the remote IPSec peer. To complete this section, you must have previously enrolled with a CA and downloaded one or more certificates to the security appliance. Digital certificates are an efficient way to manage the security keys used to establish an IPSec tunnel. A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department or IP address. A digital certificate also contains a copy of the owners public key. To use digital certificates, each peer enrolls with a certification authority (CA), which is responsible for issuing digital certificates. A CA can be a trusted vendor or a private CA that you establish within an organization. When two peers want to communicate, they exchange certificates and digitally sign data to authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of the other peers require additional configuration.
Trustpoint NameSelect the name that identifies the certificate the security appliance sends to

the remote peer.


Certificate Signing AlgorithmSelect the algorithm for signing digital certificates, either

rsa-sig for RSA or dsa-sig for DSA.


Challenge/response authentication (CRACK)Provides strong mutual authentication when the

client authenticates using a popular method such as RADIUS and the server uses public key authentication. The security appliance supports CRACK as an IKE option in order to authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.

ASDM User Guide OL-10106-01

26-9

Chapter 26 VPN Wizard

VPN

Tunnel Group NameType a name to create the record that contains tunnel connection policies for this IPSec connection. A tunnel group can specify authentication, authorization, and accounting servers, a default group policy, and IKE attributes. A tunnel group that you configure with this VPN wizard specifies an authentication method, and uses the security appliance Default Group Policy.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Client Authentication
VPN Wizard > Client Authentication Use the Client Authentication panel to select the method by which the security appliance authenticates remote users.
Fields

Select one of the following options:

Authenticate using the local user databaseClick to use authentication internal to the security appliance. Use this method for environments with a small, stable number of users. The next panel lets you create accounts on the security appliance for individual users. Authenticate using an AAA server groupClick to use an external server group for remote user authentication. AAA Server GroupSelect a AAA server group configured previously. New ...Click to configure a new AAA server group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

New Authentication Server Group


VPN Wizard > New Authentication Server Group User the New Authentication Server Group panel to define one or more new AAA servers.

ASDM User Guide

26-10

OL-10106-01

Chapter 26

VPN VPN Wizard

Fields

To configure a new AAA server group that contains just one server, provide the following information:

Server Group NameType a name for the server group. You associate this name with users whom you want to authenticate using this server. Authentication ProtocolSelect the authentication protocol the server uses. Options include TACACS+, RADIUS, SDI, NT, and Kerberos. Server IP AddressType the IP address for the AAA server. InterfaceSelect the security appliance interface on which the AAA server resides. Server Secret KeyType a case-sensitive, alphanumeric keyword of up to 127 characters. The server and security appliance use the key to encrypt data that travels between them. The key must be the same on both the security appliance and server. You can use special characters, but not spaces. Confirm Server Secret KeyType the secret key again.

To add more servers to this new group, or to change other AAA server settings, go to Configuration > Features > Properties > AAA.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

User Accounts
VPN Wizard > User Accounts Use the User Accounts panel to add new users to the security appliance internal user database for authentication purposes.
Fields

Provide the following information:

User to Be AddedUse the fields in this section to add a user.


UsernameEnter the username. Password(Optional) Enter a password. Confirm Password(Optional) Reenter the password.

Add Click to add a user to the database after you have entered the username and optional password. UsernameDisplays the names of all users in the database. DeleteTo remove a user from the database, highlight the appropriate username and click Delete.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

26-11

Chapter 26 VPN Wizard

VPN

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Address Pool
VPN Wizard > Address Pool Use the Address Pool panel to configure a pool of local IP addresses that the security appliance assigns to remote VPN clients.
Fields

Tunnel Group NameDisplays the name of the tunnel group to which the address pool applies. You set this name in the VPN Client Tunnel Group Name and Authentication Method panel. Pool NameSelect a descriptive identifier for the address pool. The security appliance associates the pool name with a tunnel group. Range Start AddressType the starting IP address in the address pool. Range End AddressType the ending IP address in the address pool. Subnet Mask(Optional) Select the subnet mask for these IP addresses

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Attributes Pushed to Client


VPN Wizard > Attributes Pushed to Client Use the Attributes Pushed to Client (Optional) panel to have the security appliance pass information about DNS and WINS servers and the default domain name to remote access clients.
Fields

Provide information for remote access clients to use.


Tunnel GroupDisplays the name of the tunnel group to which the address pool applies. You set this name in the VPN Client Tunnel Group Name and Authentication Method panel. Primary DNS ServerType the IP address of the primary DNS server. Secondary DNS ServerType the IP address of the secondary DNS server. Primary WINS ServerType the IP address of the primary WINS server.

ASDM User Guide

26-12

OL-10106-01

Chapter 26

VPN VPN Wizard

Secondary WINS Server Type the IP address of the secondary WINS server. Default Domain NameType the default domain name. Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Address Translation Exemption


VPN Wizard > Address Translation Exemption Use the Address Translation Exemption (Optional) panel to identify local hosts/networks which do not require address translation. By default, the security appliance hides the real IP addresses of internal hosts and networks from outside hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by untrusted outside hosts, but may be improper for those who have been authenticated and protected by VPN. For example, an inside host using dynamic NAT has its IP address translated by matching it to a randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these hosts, unless you configure a NAT exemption rule.

Note

If you want all hosts and networks to be exempt from NAT, configure nothing on this panel. If you have even one entry, all other hosts and networks are subject to NAT.
Fields

Host/Network to Be AddedComplete these fields to exempt a particular host or network from NAT.
IP AddressClick to identify hosts and networks by IP address. NameClick to identify hosts by their hostnames. GroupClick to identify hosts and networks by tunnel group. This option lets you configure an

entire group to use the tunnel.


GroupSelect the name of the tunnel group. InterfaceSelect the name of the interface that connects to the hosts or networks you have

selected.
IP addressSelect the IP address of the host or network. Either type the IP address or click the

adjacent ... button to view a diagram of the network and select a host or network.
MaskSelect the subnet mask for the IP address. NameSelect the hostname. Use fully qualified domain names.

AddClick to add the host or network the Selected Hosts/Networks list after you have completed the applicable fields.

ASDM User Guide OL-10106-01

26-13

Chapter 26 VPN Wizard

VPN

Selected Hosts/NetworksDisplays the hosts and networks that are exempt from NAT. If you want all hosts and networks to be exempt from NAT, leave this list empty. Enable split tunnelingSelect to have traffic from remote access clients destined for the public Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted, while traffic to unprotected networks is unencrypted. When you enable split tunneling, the security appliance pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client encrypts traffic to the IP addresses that are behind the security appliance. All other traffic travels unencrypted directly to the Internet without involving the security appliance.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

26-14

OL-10106-01

C H A P T E R

27

IKE
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPSec security association. To configure the security appliance for virtual private networks, you set global IKE parameters that apply system wide, and you also create IKE policies that the peers negotiate to establish a VPN tunnel.

Certificate Group Matching


Certificate Group Matching lets you define rules to match a users certificate to a permission group based on fields in the distinguished name (DN). You can use any field of the certificate or you can have all certificate users share a permission group. To match user permission groups based on fields of the certificate, you must define rules that specify the fields to match for a group and then enable each rule for that selected group. A group must already exist in the configuration before you can create a rule for it. If the group does not exist in the configuration, you must define it by using Configuration > VPN > General > Tunnel Group. Once you have defined rules, you must configure a certificate group matching policy to define the method to use for identifying the permission groups of certificate users: match the group from the rules, match the group from the OU field, or use a default group for all certificate users. You can use any or all of these methods.

Policy
Configuration > VPN > IKE > Certificate Group Matching > Policy A certificate group matching policy defines the method to use for identifying the permission groups of certificate users. You can use any or all of these methods.
Fields

Use the configured rules to match a certificate to a groupLets you use the rules you have defined under Rules. Use the certificate OU field to determine the groupLets you use the organizational unit field to determine the group to which to match the certificate. This is selected by default. Use the IKE identity to determine the groupLets you use the identity you previously defined under Configuration > VPN > IKE > Global Parameters. The IKE identity can be hostname, IP address, key ID, or automatic.

ASDM User Guide OL-10106-01

27-1

Chapter 27 Certificate Group Matching

IKE

Use the peer IP address to determine the groupLets you use the peers IP address. This is selected by default. Default to groupLets you select a default group for certificate users that is used when none of the preceding methods resulted in a match. This is selected by default. Click the default group in the Default to group list. The group must already exist in the configuration. If the group does not appear in the list, you must define it by using Configuration > VPN > General > Tunnel Group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Rules
Configuration > VPN > IKE > Certificate Group Matching > Rules The Certificate Group Matching Rules panel lets you add, edit, and delete rules to/from your configuration. To match user permission groups based on fields of the certificate, you must define rules that specify which fields to match for a group and then enable each rule for that selected group. Rules cannot be longer than 255 characters. A group must already exist in the configuration before you can create a rule for it. You can assign multiple rules to the same group. To do that, you add the rule priority and group first. Then you define as many criteria statements as you need for each group. When multiple rules are assigned to the same group, a match results for the first rule that tests true. To match user permission groups based on multiple fields in the certificate so that all the criteria must match for the user to be assigned to a permission group, create a single rule with multiple matching criteria. To match user permission groups based on one criterion or another so that successfully matching any of the criteria identifies the member of the group, create multiple rules.
Fields

Map NameDisplays the names of configured certificate-to-group maps. Rule PriorityDisplays the importance of the rule as a matching criterion. The lower the value, the higher the priority. The default value is 10. Mapped to GroupDisplays the group to which the rule is mapped. FieldDisplays the type of distinguished name (Subject or Issuer) used in the rule. ComponentDisplays the distinguished name component used in the rule. For a list of possibilities and their definitions, see Add Certificate Matching Rule Criterion Help. OperatorDisplays the operator used in the rule: Equals, Not Equals, Contains, and Does Not Contain. ValueDisplays the value to be matched against.

ASDM User Guide

27-2

OL-10106-01

Chapter 27

IKE Certificate Group Matching

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Certificate Matching Rule


Configuration > VPN > IKE > Certificate Group Matching > Rules > Add/Edit Certificate Matching Rule Use the Add/Edit Certificate Matching Rule dialog box to define a certificate matching rule.
Fields

Map ExistingSelect the name of the map to include the rule. Map NewEnter a new map name for a rule. Rule PrioritySpecify a number that indicates the level of priority for this rule. For the first rule defined, the default priority is 10. Each rule must have a unique priority. The lower the value, the higher the priority. Mapped to GroupSelect the tunnel group to map to this rule. Groups must already exist in the configuration. If the group does not appear in the list, you must define it by using Configuration > VPN > General > Tunnel Group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Certificate Matching Rule Criterion


Configuration > VPN > IKE > Certificate Group Matching > Rules > Add/Edit Certificate Matching Rule Criterion Use the Add/Edit Certificate Matching Rule Criterion dialog box to configure a certificate matching rule criterion for the selected group.
Fields

FieldSpecify the type of distinguished name to be used in the rule: Subject and Issuer, which consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.500 terminology.

ASDM User Guide OL-10106-01

27-3

Chapter 27 Certificate Group Matching

IKE

SubjectThe person or system that uses the certificate. For a CA root certificate, the Subject

and Issuer are the same.


IssuerThe CA or other entity (jurisdiction) that issued the certificate.

ComponentSelect the distinguished name component used in the rule: Definition The entire DN. The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations. The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. A specific DN attribute. The e-mail address of the person, system or entity that owns the certificate.

DN Field Whole Field Country (C) Common Name (CN) DN Qualifier (DNQ) E-mail Address (EA)

Generational Qualifier A generational qualifier such as Jr., Sr., or III. (GENQ) Given Name (GN) Initials (I) Locality (L) Name (N) Organization (O) Organizational Unit (OU) Serial Number (SER) Surname (SN) State/Province (S/P) Title (T) User ID (UID)

The first name of the certificate owner. The first letters of each part of the certificate owners name. The city or town where the organization is located. The name of the certificate owner. The name of the company, institution, agency, association, or other entity. The subgroup within the organization. The serial number of the certificate. The family name or last name of the certificate owner. The state or province where the organization is located. The title of the certificate owner, such as Dr. The identification number of the certificate owner.

OperatorSelect the operator used in the rule:


EqualsThe distinguished name field must exactly match the value. ContainsThe distinguished name field must include the value within it. Does Not EqualThe distinguished name field must not match the value Does Not ContainThe distinguished name field must not include the value within it.

ValueSpecify the value to match against.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

27-4

OL-10106-01

Chapter 27

IKE Global Parameters

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Global Parameters
Configuration > VPN > IKE > Global Parameters This panel lets you set system wide values for VPN tunnels. The following sections describe each of the options.
Enabling IKE on Interfaces

You must enable IKE for each interface that you want to use for VPN tunnels.
Enabling IPSec over NAT-T

NAT-T lets IPSec peers establish both remote access and LAN-to-LAN connections through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default.

The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with which it is exchanging data. When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence. When enabled, IPSec over TCP takes precedence over all other connection methods.

The security appliance implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

One LAN-to-LAN connection. Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both. Open port 4500 on the security appliance. Enable IPSec over NAT-T globally in this panel. Select the second or third option for the Fragmentation Policy parameter in the Configuration > VPN > IPSec > Pre-Fragmentation panel. These options let traffic travel across NAT devices that do not support IP fragmentation; they do not impede the operation of NAT devices that do support IP fragmentation.

To use NAT-T you must:


Enabling IPSec over TCP

IPSec over TCP enables a VPN client to operate in an environment in which standard ESP or IKE cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both NAT and PAT devices and firewalls. This feature is disabled by default.

Note

This feature does not work with proxy-based firewalls.

ASDM User Guide OL-10106-01

27-5

Chapter 27 Global Parameters

IKE

IPSec over TCP works with remote access clients. It works on all physical and VLAN interfaces. It is a client to security appliance feature only. It does not work for LAN-to-LAN connections.

The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-Traversal, and IPSec over UDP, depending on the client with which it is exchanging data. The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard IPSec, IPSec over TCP, NAT-Traversal, or IPSec over UDP. When enabled, IPSec over TCP takes precedence over all other connection methods.

You enable IPSec over TCP on both the security appliance and the client to which it connects. You can enable IPSec over TCP for up to 10 ports that you specify. If you enter a well-known port, for example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated with that port will no longer work. The consequence is that you can no longer use a browser to manage the security appliance through the IKE-enabled interface. To solve this problem, reconfigure the HTTP/HTTPS management to different ports. You must configure TCP port(s) on the client as well as on the security appliance. The client configuration must include at least one of the ports you set for the security appliance.
Determining ID Method

During IKE negotiations the peers must identify themselves to each other. You can choose the identification methods from the following options: Address Hostname Key ID Automatic Uses the IP addresses of the hosts exchanging ISAKMP identity information. Uses the fully-qualified domain name of the hosts exchanging ISAKMP identity information (default). This name comprises the hostname and the domain name. Uses the string the remote peer uses to look up the preshared key. Determines IKE negotiation by connection type:

IP address for preshared key Cert DN for certificate authentication.

Disabling Inbound Aggressive Mode Connections

Phase 1 IKE negotiations can use either Main mode or Aggressive mode. Both provide the same services, but Aggressive mode requires only two exchanges between the peers, rather than three. Aggressive mode is faster, but does not provide identity protection for the communicating parties. It is therefore necessary that they exchange identification information prior to establishing a secure SA in which to encrypt in formation. This feature is disabled by default.
Alerting Peers Before Disconnecting

Client or LAN-to-LAN sessions may be dropped for several reasons, such as: a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off. The security appliance can notify qualified peers (in LAN-to-LAN configurations), VPN Clients and VPN 3002 Hardware Clients of sessions that are about to be disconnected, and it conveys to them the reason. The peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up panel. This feature is disabled by default. This panel lets you enable the feature so that the security appliance sends these alerts, and conveys the reason for the disconnect. Qualified clients and peers include the following:

Security appliance devices with Alerts enabled.

ASDM User Guide

27-6

OL-10106-01

Chapter 27

IKE Global Parameters

VPN clients running 4.0 or later software (no configuration required). VPN 3002 hardware clients running 4.0 or later software, and with Alerts enabled. VPN 3000 Series Concentrators running 4.0 or later software, with Alerts enabled.

Waiting for Active Sessions to Terminate Prior to Reboot

You can schedule a security appliance reboot to occur only when all active sessions have terminated voluntarily. This feature is disabled by default.
Fields

Enable IKEShows IKE status for all configured interfaces.


InterfaceDisplays names of all configured security appliance interfaces. IKE EnabledShows whether IKE is enabled for each configured interface. Enable/DisablesClick to enable or disable IKE for the highlighted interface.

NAT TransparencyLets you enable or disable IPSec over NAT-T and IPSec over TCP.
Enable IPSec over NAT-TSelect to enable IPSec over NAT-T. NAT KeepaliveType the number of seconds that can elapse with no traffic before the security

appliance terminates the NAT-T session. The default is 20 seconds. The range is 10 to 3600 seconds (one hour).
Enable IPSec over TCPSelect to enable IPSec over TCP. Enter up to 10 comma-separated TCP port valuesType up to 10 ports on which to enable

IPSec over TCP. Use a comma to separate the ports. You do not need to use spaces. The default port is 10,000. The range is 1 to 65,635.

Identity to Be Sent to PeerLets you set the way that IPSec peers identify themselves to each other.
IdentitySelect one of the following methods by which IPSec peers identify themselves:

Address Hostname Key ID Automatic

Uses the IP addresses of the hosts. Uses the fully-qualified domain names of the hosts. This name comprises the hostname and the domain name. Uses the string the remote peer uses to look up the preshared key. Determines IKE negotiation by connection type: IP address for preshared key or cert DN for certificate authentication.

Key Id StringType the alpha-numeric string the peers use to look up the preshared key.

Disable inbound aggressive mode connectionsSelect to disable aggressive mode connections. Alert peers before disconnectingSelect to have the security appliance notify qualified LAN-to-LAN peers and remote access clients before disconnecting sessions. Wait for all active sessions to voluntarily terminate before rebootingSelect to have the security appliance postpone a scheduled reboot until all active sessions terminate.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

27-7

Chapter 27 Policies

IKE

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Policies
Configuration > VPN > IKE > Policies Each IKE negotiation is divided into two sections called Phase1 and Phase 2. Phase 1 creates the first tunnel, which protects later IKE negotiation messages. Phase 2 creates the tunnel that protects data. To set the terms of the IKE negotiations, you create one or more IKE policies, which include the following:

A unique priority (1 through 65,543, with 1 the highest priority). An authentication method, to ensure the identity of the peers. An encryption method, to protect the data and ensure privacy. An HMAC method to ensure the identity of the sender, and to ensure that the message has not been modified in transit. A Diffie-Hellman group to establish the strength of the of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys. A limit for how long the security appliance uses an encryption key before replacing it.

If you do not configure any IKE policies, the security appliance uses the default policy, which is always set to the lowest priority, and which contains the e default value for each parameter. If you do not specify a value for a specific parameter, the default value takes effect. When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order. A match between IKE policies exists if they have the same encryption, hash, authentication, and Diffie-Hellman values, and an SA lifetime less than or equal to the lifetime in the policy sent. If the lifetimes are not identical, the shorter lifetimefrom the remote peer policyapplies. If no match exists, IKE refuses negotiation and the IKE SA is not established.
Fields

PoliciesDisplays parameter settings for each configured IKE policy.


Priority #Shows the priority of the policy. EncryptionShows the encryption method. HashShows the has algorithm. D-H GroupShows the Diffie-Hellman group. AuthenticationShows the authentication method. Lifetime (secs)Shows the SA lifetime in seconds.

Add/Edit/DeleteClick to add, edit, or delete an IKE policy.

ASDM User Guide

27-8

OL-10106-01

Chapter 27

IKE Policies

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit IKE Policy


Configuration > VPN > IKE > Policies > Add/Edit IKE Policy
Fields

Priority #Type a number to set a priority for the IKE policy. The range is 1 to 65,543, with 1 the highest priority. EncryptionSelect an encryption method. This is a symmetric encryption method that protects data transmitted between two IPSec peers.The choices follow: des 3des aes aes-192 aes-256 56-bit DES-CBC. Less secure but faster than the alternatives. The default. 168-bit Triple DES. 128-bit AES. 192-bit AES. 256-bit AES.

HashSelect the hash algorithm that ensures data integrity. It ensures that a packet comes from whom you think it comes from, and that it has not been modified in transit. sha md5 SHA-1 MD5 The default is SHA-1. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the HMAC variant IKE uses prevents this attack.

AuthenticationSelect the authentication method the security appliance uses to establish the identity of each IPSec peer. Pre-shared keys do not scale well with a growing network but are easier to set up in a small network. The choices follow: pre-share rsa-sig crack Pre-shared keys. A digital certificate with keys generated by the RSA signatures algorithm. IKE Challenge/Response for Authenticated Cryptographic Keys protocol for mobile IPSec-enabled clients which use authentication techniques other than certificates.

ASDM User Guide OL-10106-01

27-9

Chapter 27 IP Address Management

IKE

D-H GroupSelect the Diffie-Hellman group identifier, which the two IPSec peers use to derive a shared secret without transmitting it to each other. 1 2 5 7 Group 1 (768-bit) Group 2 (1024-bit Group 5 (1536-bit) Group 7 (Elliptical curve field size is 163 bits.) Group 7 is for use with the Movian VPN client, but with any peer that supports Group 7 (ECC). The default, Group 2 (1024-bit Diffie-Hellman) requires less CPU time to execute but is less secure than Group 2 or 5.

Lifetime (secs)Either select Unlimited or type an integer for the SA lifetime. The default is 86,400 seconds or 24 hours. With longer lifetimes, the security appliance sets up future IPSec security associations more quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on the order of every few minutes. We recommend that you accept the default. Time MeasureSelect a time measure. The security appliance accepts the following values:. 120 - 86,400 seconds 2 - 1440 minutes 1 - 24 hours 1 day
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IP Address Management
IP addresses make internetwork connections possible. They are like telephone numbers: both the sender and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of addresses: the first set connects client and server on the public network; and once that connection is made, the second set connects client and server through the VPN tunnel. In security appliance address management, we are dealing with the second set of IP addresses: those private IP addresses that connect a client with a resource on the private network, through the tunnel, and let the client function as if it were directly connected to the private network. Furthermore, we are dealing only with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources on your private network are part of your network administration responsibilities, not part of security appliance management. Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private network addressing scheme, that let the client function as a tunnel endpoint.

ASDM User Guide

27-10

OL-10106-01

Chapter 27

IKE IP Address Management

Assignment
Configuration > VPN > IP Address Management > Assignment The Assignment panel lets you choose a way to assign IP addresses to remote access clients.
Fields

Use authentication serverSelect to assign IP addresses retrieved from an authentication server on a per-user basis. If you are using an authentication server (external or internal) that has IP addresses configured, we recommend using this method. Configure AAA servers on the Configuration > Properties > AAA Setup > AAA Servers and AAA Server Group panels. Use DHCP Select to obtain IP addresses from a DHCP server. If you use DHCP, configure the server on the Configuration > Properties > DHCP Services > DHCP Server panel. Use internal address poolsSelect to have the security appliance assign IP addresses from an internally configured pool. Internally configured address pools are the easiest method of address pool assignment to configure. If you use this method, configure the IP address pools on Configuration > VPN > IP Address Management > IP Pools panel.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IP Pools
Configuration > VPN > IP Address Management > IP Pools The IP Pool box shows each configured address pool by name, and with their IP address range, for example: 10.10.147.100 to 10.10.147.177. If no pools exist, the box is empty. The security appliance uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on. If you assign addresses from a non-local subnet, we suggest that you add pools that fall on subnet boundaries to make adding routes for these networks easier.
Fields

Pool NameDisplays the name of each configured address pool. Starting AddressShows first IP address available in each configured pool. Ending AddressShows the last IP address available in each configured pool. Subnet MaskShows the subnet mask for addresses in each configured pool. AddClick to add a new address pool. Edit/DeleteClick to edit or delete an already configured address pool.

ASDM User Guide OL-10106-01

27-11

Chapter 27 IPSec

IKE

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit IP Pool
Configuration > VPN > IP Address Management > IP Pools > Add/Edit IP Pool These panels let you:

Add a new pool of IP addresses from which the security appliance assigns addresses to clients. Modify an IP address pool that you have previously configured.

The IP addresses in the pool range must not be assigned to other network resources.
Fields

NameAssign an alpha-numeric name to the address pool. Limit 64 characters Starting IP AddressEnter the first IP address available in this pool. Use dotted decimal notation, for example: 10.10.147.100. Ending IP AddressEnter the last IP address available in this pool. Use dotted decimal notation, for example: 10.10.147.100. Subnet MaskSelect the subnet mask for the IP address pool.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IPSec
IPSec provides the most complete architecture for VPN tunnels, and it is perceived as the most secure protocol. Both LAN-to-LAN connections and client-to-LAN connections can use IPSec. In IPSec terminology, a peer is a remote-access client or another secure gateway. During tunnel establishment with IPSec, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management. These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPSec SA).

ASDM User Guide

27-12

OL-10106-01

Chapter 27

IKE IPSec

In IPSec LAN-to-LAN connections, the security appliance can function as initiator or responder. In IPSec client-to-LAN connections, the security appliance functions only as responder. Initiators propose SAs; responders accept, reject, or make counter-proposalsall in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs. The VPN Client complies with the IPSec protocol and is specifically designed to work with the security appliance. However, the security appliance can establish IPSec connections with many protocol-compliant clients. Likewise, the security appliance can establish LAN-to-LAN connections with other protocol-compliant VPN devices, often called secure gateways. Thesecurity appliance supports these IPSec attributes:

Main mode for negotiating phase one ISAKMP security associations when using digital certificates for authentication Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using preshared keys for authentication Authentication Algorithms:
ESP-MD5-HMAC-128 ESP-SHA1-HMAC-160

Authentication Modes:
Preshared Keys X.509 Digital Certificates

Diffie-Hellman Groups 1, 2, 5, and 7 Encryption Algorithms:


AES-128, -192, and -256 3DES-168 DES-56 ESP-NULL

Extended Authentication (XAuth) Mode Configuration (also known as ISAKMP Configuration Method) Tunnel Encapsulation Mode IP compression (IPCOMP) using LZS

IPSec Rules
Configuration > VPN > IPSec > IPSec Rules This pane shows the currently configured IPSec rules. Use it to add, edit, delete and move up, move down, cut, copy, and paste an IPSec rule.
Fields

Note

You cannot edit, delete, or copy an implicit rule. The security appliance implicitly accepts the traffic selection proposal from remote clients when configured with a dynamic tunnel policy. You can override it by giving a specific traffic selection.

ASDM User Guide OL-10106-01

27-13

Chapter 27 IPSec

IKE

Type: PriorityDisplays the type of rule (static or dynamic) and its priority. Traffic Selection
#Indicates the rule number. SourceIndicates the IP addresses that are subject to this rule when traffic is sent to the IP

addresses listed in the Remote Side Host/Network column. In detail mode (see the Show Detail button), an address column might contain an interface name with the word any, such as inside:any. any means that any host on the inside interface is affected by the rule.
DestinationLists the IP addresses that are subject to this rule when traffic is sent from the IP

addresses listed in the Security Appliance Side Host/Network column. In detail mode (see the Show Detail button), an address column might contain an interface name with the word any, such as outside:any. any means that any host on the outside interface is affected by the rule. Also in detail mode, an address column might contain IP addresses in square brackets, for example, [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host makes a connection to an outside host, the security appliance maps the inside host's address to an address from the pool. After a host creates an outbound connection, the security appliance maintains this address mapping. This address mapping structure is called an xlate, and remains in memory for a period of time.
ServiceSpecifies the service and protocol specified by the rule (TCP, UDP, ICMP, or IP). ActionSpecifies the type of IPSec rule (protect or do not protect).

Transform SetDisplays the transform set for the rule. PeerIdentifies the IPSec peer. PFSDisplays Perfect Forward Secrecy settings for the rule. NAT-T EnabledIndicates whether NAT Traversal is enabled for the policy. Reverse Route EnabledIndicates whether Reverse Route Injection is enabled for the policy. Connection TypeIdentifies the connection as static or dynamic. SA LifetimeDisplays the SA lifetime for the rule. TrustpointDisplays the trust point for the policy. This applies to static connections only.
Chain EnabledDisplays whether the policy transmits the entire trust point chain.

IKE Negotiation ModeDisplays whether IKE negotiations use main or aggressive mode. Description(Optional) Specifies a brief description for this rule. For an existing rule, this is the description you typed when you added the rule. An implicit rule includes the following description: Implicit rule. To edit the description of any but an implicit rule, right-click this column, and choose Edit Description or double-click the column.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

27-14

OL-10106-01

Chapter 27

IKE IPSec

Tunnel Policy (Crypto Map) - Basic


Configuration > VPN > IPSec > IPSec Rules > Add/Edit Rule > Tunnel Policy (Crypto Map) Basic Tab Use this pane to define a new Tunnel Policy for an IPSec rule. The values you define here appear in the IPSec Rules table after you click OK. All rules are enabled by default as soon as they appear in the IPSec Rules table. The Tunnel Policy panel lets you define a tunnel policy that is used to negotiate an IPSec (Phase 2) security association (SA). ASDM captures your configuration edits, but does not save them to the running configuration until you click Apply. Every tunnel policy must specify a transform set and identify the security appliance interface to which it applies. The transform set identifies the encryption and hash algorithms that perform IPSec encryption and decryption operations. Because not every IPSec peer supports the same algorithms, you might want to specify a number of policies and assign a priority to each. The security appliance then negotiates with the remote IPSec peer to agree on a transform set that both peers support. Tunnel policies can be static or dynamic. A static tunnel policy identifies one or more remote IPSec peers or subnetworks to which your security appliance permits IPSec connections. A static policy can be used whether your security appliance initiates the connection or receives a connection request from a remote host. A static policy requires you to enter the information necessary to identify permitted hosts or networks. A dynamic tunnel policy is used when you cannot or do not want to provide information about remote hosts that are permitted to initiate a connection with the security appliance. If you are only using your security appliance as a VPN client in relation to a remote VPN central-site device, you do not need to configure any dynamic tunnel policies. Dynamic tunnel policies are most useful for allowing remote access clients to initiate a connection to your network through a security appliance acting as the VPN central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically assigned IP addresses or when you do not want to configure separate policies for a large number of remote access clients.
Fields

InterfaceSelect the interface name to which this policy applies. Policy TypeSet the type, static or dynamic, of this tunnel policy PriorityEnter the priority of the policy. Transform SetSelect the transform set for the policy and click Add to move it to the list of active transform sets. Click Move Up or Move Down to rearrange the order of the transform sets in the list box. You can add a maximum of 11 transform sets to a crypto map entry or a dynamic crypto map entry. Peer SettingsConfigure the peer settings for the policy.
Connection TypeSet the connection type for the policy. This applies only to static tunnel

policies. Unidirectional connection type policies are used for LAN-to-LAN redundancy
IP Address of Peer to Be AddedEnter the IP address of the IPSec peer you are adding.

Enable Perfect Forwarding SecrecyCheck to enable Perfect Forward Secrecy for the policy. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy. Diffie-Hellman GroupWhen you enable PFS you must also select a Diffie-Hellman group which the security appliance uses to generate session keys. The choices are as follows:

ASDM User Guide OL-10106-01

27-15

Chapter 27 IPSec

IKE

Group 1 (768-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 1 to generate

IPSec session keys, where the prime and generator numbers are 768 bits. This option is more secure but requires more processing overhead.
Group 2 (1024-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 2 to

generate IPSec session keys, where the prime and generator numbers are 1024 bits. This option is more secure than Group 1 but requires more processing overhead.
Group 5 (1536-bits) Group 7 (ECC) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 7 (ECC) to

generate IPSec session keys, where the elliptic curve field size is 163 bits. This option is the fastest and requires the least overhead. It is intended for use with the Movian VPN client, but you can use it with any peers that support Group 7 (ECC).

Tunnel Policy (Crypto Map) - Advanced


Configuration > VPN > IPSec > IPSec Rules > Add/Edit Rule > Tunnel Policy (Crypto Map) Advanced Tab
Fields

Security Association Lifetime parametersConfigures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys.
TimeSpecifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss). Traffic VolumeDefines the SA lifetime in terms of kilobytes of traffic. Enter the number of

kilobytes of payload data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Enable NAT-T Enables NAT Traversal (NAT-T) for this policy. Enable Reverse Route InjectionEnables Reverse Route Injection for this policy. Static Type Only SettingsSpecifies parameters for static tunnel policies.
Trust Point NameSelects the trust point to use. If you select something other than None (Use

Preshared Keys), which is the default, the Enable entire chain transmission check box becomes active.
Enable entire chain transmissionEnables transmission of the entire trust point chain. IKE Negotiation ModeSelects the IKE negotiation mode, Main or Aggressive. This

parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. This mode is more secure and it is the default selection. If you select Aggressive, the Diffie-Hellman Group list becomes active.
Diffie-Hellman GroupSelect the Diffie-Hellman group to apply. The choices are as follows:

Group 1 (768-bits), Group 2 (1024-bits), Group 5 (1536-bits), Group 7 (ECC).

Tunnel Policy (Crypto Map) -Traffic Selection


Configuration > VPN > IPSec > IPSec Rules > Add/Edit Rule > Tunnel Policy (Crypto Map) Traffic Selection Tab

ASDM User Guide

27-16

OL-10106-01

Chapter 27

IKE IPSec

This pane lets you define what traffic to protect.


Fields

Interface and Action


InterfaceIdentify the interface for the rule. ActionSpecify the action for this rule to take. The selections are protect and do not protect.

Source and DestinationSpecify the IP address, network object group or interface IP address for the source host or network. A rule cannot use the same address as both the source and destination.
IP AddressIndicates that the parameters that follow specify the interface, IP address, and

subnet mask of the source host or network.


NameIndicates that the parameters that follow specify the name of the source host or

network.
GroupIndicates that the parameters that follow specify the interface and group name of the

source host or network.


InterfaceSelects the interface name for the IP address. This parameter appears when you

select the IP Address option button.


IP addressSpecifies the IP address of the interface to which this policy applies. This

parameter appears when you select the IP Address option button.


... Displays the Select host/network panel, on which you can select an interface and display

and select the associated hosts. Your selection appears in the Source Host/Network IP address and Mask boxes on the Add Rule panel. This selection also fills in the Mask field. This parameter appears when you select the IP Address option button.
MaskSelects a standard subnet mask to apply to the IP address. This parameter appears when

you select the IP Address option button.


NameSelects the interface name to use as the source or destination host or network. This

parameter appears when you select the Name option button. This is the only parameter associated with this option.
InterfaceSelects the interface name for the IP address. This parameter appears when you

select the Group option button.


GroupSelects the name of the group on the specified interface for the source or destination

host or network. If the list contains no entries, you can enter the name of an existing group. This parameter appears when you select the Group option button.

Rule Flow DiagramShows the results of your selections for the source and destination host/network group boxes. Protocol and ServiceSpecifies protocol and service parameters relevant to this rule.

Note

Any - any IPSec rules are not allowed. This type of rule would prevent the device and its peer from supporting multiple LAN -to-LAN tunnels.
TCPSpecifies that this rule applies to TCP connections. This selection also displays the

Source Port and Destination Port group boxes.


UDPSpecifies that this rule applies to UDP connections. This selection also displays the

Source Port and Destination Port group boxes.

ASDM User Guide OL-10106-01

27-17

Chapter 27 IPSec

IKE

ICMPSpecifies that this rule applies to ICMP connections. This selection also displays the

ICMP Type group box.


IPSpecifies that this rule applies to IP connections. This selection also displays the IP

Protocol group box.


Manage Service GroupsDisplays the Manage Service Groups panel, on which you can add,

edit, or delete a group of TCP/UDP services/ports.


Source Port and Destination Port Contains TCP or UDP port parameters, depending on

which option button you selected in the Protocol and Service group box.
ServiceIndicates that you are specifying parameters for an individual service. Specifies the

name of the service and a boolean operator to use when applying the filter.
Boolean operator (unlabeled)Lists the boolean conditions (equal, not equal, greater than,

less than, or range) to use in matching the service specified in the service box.
Service (unlabeled)Identifies the service (such as https, kerberos, or any) to be matched. If

you specified the range service operator this parameter becomes two boxes, into which you enter the start and the end of the range.
... Displays a list of services from which you can select the service to display in the Service

box.
Service GroupIndicates that you are specifying the name of a service group for the source

port.
Service (unlabeled)Selects the service group to use. ICMP TypeSpecifies the ICMP type to use. The default is any. Click the ... button to display

a list of available types.

Options
Time RangeSpecify the name of an existing time range or create a new range. ... Displays the Add Time Range pane, on which you can define a new time range. Please enter the description below (optional)Provides space for you to enter a brief

description of the rule.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Pre-Fragmentation
Configuration > VPN > IPSec > Pre-Fragmentation Use this panel to set the IPSec pre-fragmentation policy and do-not-fragment (DF) bit policy for any interface.

ASDM User Guide

27-18

OL-10106-01

Chapter 27

IKE IPSec

The IPSec pre-fragmentation policy specifies how to treat packets that exceed the maximum transmission unit (MTU) setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the security appliance and the client rejects or drops IP fragments. For example, suppose a client wants to FTP get from an FTP server behind a security appliance. The FTP server transmits packets that when encapsulated would exceed the security appliances MTU size on the public interface. The selected options determine how the security appliance processes these packets. The pre-fragmentation policy applies to all traffic travelling out the security appliance public interface. The security appliance encapsulates all tunneled packets. After encapsulation, the security appliance fragments packets that exceed the MTU setting before transmitting them through the public interface. This is the default policy. This option works for situations where fragmented packets are allowed through the tunnel without hindrance. For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate devices may drop fragments or just out-of-order fragments. Load-balancing devices can introduce out-of-order fragments. When you enable pre-fragmentation, the security appliance fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the security appliance clears the DF bit, fragments the packets, and then encapsulates them. This action creates two independent non-fragmented IP packets leaving the public interface and successfully transmits these packets to the peer site by turning the fragments into complete packets to be reassembled at the peer site. In our example, the security appliance overrides the MTU and allows fragmentation by clearing the DF bit.

Note

Changing the MTU or the pre-fragmentation option on any interface tears down all existing connections. For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the pre-fragmentation option on the external interface, all of the active tunnels on the public interface are dropped.
Fields

Pre-FragmentationShows the current pre-fragmentation configuration for every configured interface.


InterfaceShows the name of each configured interface. Pre-Fragmentation EnabledShows, for each interface, whether pre-fragmentation is

enabled.
DF Bit PolicyShows the DF Bit Policy for each interface.

EditDisplays the Edit IPSec Pre-Fragmentation Policy dialog box.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

27-19

Chapter 27 IPSec

IKE

Edit IPSec Pre-Fragmentation Policy


Configuration > VPN > IPSec > Pre-Fragmentation > Edit IPSec Pre-Fragmentation Policy Use this panel to modify an existing IPSec pre-fragmentation policy and do-not-fragment (DF) bit policy for an interface selected on the parent panel, Configuration > VPN > IPSec > Pre-Fragmentation
Fields

InterfaceIdentifies the selected interface. You cannot change this parameter using this dialog box. Enable IPSec pre-fragmentationEnables or disables IPSec pre-fragmentation. The security appliance fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the security appliance clears the DF bit, fragments the packets, and then encapsulates them. This action creates two independent, non-fragmented IP packets leaving the public interface and successfully transmits these packets to the peer site by turning the fragments into complete packets to be reassembled at the peer site. DF Bit Setting PolicySelects the do-not-fragment bit policy: Copy, Clear, or Set.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Transform Sets
Configuration > VPN > IPSec > Transform Sets Use this panel to view and add or edit transform sets. A transform is a set of operations done on a data flow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with 3DES encryption and the HMAC-MD5 authentication algorithm (ESP-3DES-MD5).
Fields

Transform SetsShows the configured transform sets.


NameShows the name of the transform sets. ModeShows the mode, Tunnel, of the transform set. This parameter specifies the mode for

applying ESP encryption and authentication; in other words, what part of the original IP packet has ESP applied. Tunnel mode applies ESP encryption and authentication to the entire original IP packet (IP header and data), thus hiding the ultimate source and destination addresses.
ESP EncryptionShows the Encapsulating Security Protocol (ESP) encryption algorithms for

the transform sets. ESP provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data being protected.
ESP AuthenticationShows the ESP authentication algorithms for the transform sets.

AddOpens the Add Transform Set dialog box, in which you can add a new transform set.

ASDM User Guide

27-20

OL-10106-01

Chapter 27

IKE IPSec

EditOpens the Edit Transform Set dialog box, in which you can modify an existing transform set. DeleteRemoves the selected transform set. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Transform Set


Configuration > VPN > IPSec > Transform Sets > Add/Edit Transform Set Use this panel to add or modify a transform set. A transform is a set of operations done on a data flow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with 3DES encryption and the HMAC-MD5 authentication algorithm (ESP-3DES-MD5).
Fields

Set NameSpecifies a name for this transform set. PropertiesConfigures properties for this transform set. These properties appear in the Transform Sets table.
ModeShows the mode, Tunnel, of the transform set. This field shows the mode for applying

ESP encryption and authentication; in other words, what part of the original IP packet has ESP applied. Tunnel mode applies ESP encryption and authentication to the entire original IP packet (IP header and data), thus hiding the ultimate source and destination addresses.
ESP EncryptionSelects the Encapsulating Security Protocol (ESP) encryption algorithms

for the transform sets. ESP provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data being protected.
ESP AuthenticationSelects the ESP authentication algorithms for the transform sets.

Note

The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as data integrity.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

27-21

Chapter 27 IPSec

IKE

Tunnel Policy
Configuration > VPN > IPSec > Tunnel Policy The Tunnel Policy panel lets you define a tunnel policy that is used to negotiate an IPSec (Phase 2) security association (SA). ASDM captures your configuration edits, but does not send them the security appliance until you click Apply. Every tunnel policy must specify a transform set and identify the security appliance interface to which it applies. The transform set identifies the encryption and hash algorithms that perform IPSec encryption and decryption operations. Because not every IPSec peer supports the same algorithms, you might want to specify a number of policies and assign a priority to each. The security appliance then negotiates with the remote IPSec peer to agree on a transform set that both peers support. Tunnel policies can be static or dynamic. A static tunnel policy identifies one or more remote IPSec peers or subnetworks to which your security appliance permits IPSec connections. A static policy can be used whether your security appliance initiates the connection or receives a connection request from a remote host. A static policy requires you to enter the information necessary to identify permitted hosts or networks. A dynamic tunnel policy is used when you cannot or do not want to provide information about remote hosts that are permitted to initiate a connection with the security appliance. If you are only using your security appliance as a VPN client in relation to a remote VPN central-site device, you do not need to configure any dynamic tunnel policies. Dynamic tunnel policies are most useful for allowing remote access clients to initiate a connection to your network through a security appliance acting as the VPN central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically assigned IP addresses or when you do not want to configure separate policies for a large number of remote access clients.
Fields

InterfaceDisplays the interface name to which this policy applies. Type & PriorityDisplays the policy type and priority of the policy. Transform SetDisplays the transform set for the policy PeerDisplays the peer settings for the policy. Connection TypeDisplays the connection type for the policy. This applies only to static tunnel policies. Unidirectional connection type policies are used for LAN-to-LAN redundancy SA LifetimeDisplays the duration of a Security Association, which is how long the IPSec SA lasts until it expires. PFSDisplays Perfect Forward Secrecy settings for the policy. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy. NAT-T EnabledIndicates whether NAT Traversal is enabled for the policy. RRI EnabledIndicates whether Reverse Route Injection is enabled for the policy. TrustpointDisplays the trust point for the policy. This applies to static connections only.
Chain EnabledDisplays whether the policy transmits the entire trust point chain.

IKE Negotiation ModeDisplays the Diffie-Hellman group that applies to the policy. SA InheritanceDisplays the method for SA inheritance. Add/Edit/DeleteClick to add, edit, or delete a highlighted tunnel policy.

ASDM User Guide

27-22

OL-10106-01

Chapter 27

IKE IPSec

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Policy


Configuration > VPN > IPSec > Tunnel Policy > Add/Edit Tunnel Policy Use this panel to configure and add a new tunnel policy.
Fields

InterfaceSelects an interface name to which this policy applies. Policy TypeSelects a policy type. Transform SetsSelects, adds or removes, and orders transform sets for this policy.
Transform Set to Be AddedSelects a transform set to add to the list for this policy. AddAdds the selected transform set to the list for this policy. Remove Deletes the selected transform set from the list for this policy. Transform SetsDisplays the transform sets to be used for this policy. Move UpMoves the selected transform set higher in the Transform Sets list. Move DownMoves the selected transform set lower in the Transform Sets list.

Peer Settings - Optional for Dynamic Tunnel PoliciesConfigures Peer Settings parameters.
Connection TypeSelects the Connection Type for this policy. The Connection Type applies

only to static tunnel policies. Unidirectional connection type policies are used for LAN-to-LAN redundancy. Tunnel policies of the Originate Only connection type can specify up to 10 redundant peers.
IP Address of Peer to Be AddedSpecifies the IP address of the peer being added. AddAdds the selected transform set to the list for this policy. Remove Deletes the selected transform set from the list for this policy. PeersDisplays the peers for this connection. Move UpMoves the selected transform set higher in the Transform Sets list. Move DownMoves the selected transform set lower in the Transform Sets list.

AdvancedDisplays the Tunnel Policy - Advanced Settings dialog box.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

27-23

Chapter 27 IPSec

IKE

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Tunnel Policy Advanced Settings


Configuration > VPN > IPSec > Tunnel Policy > Add/Edit Tunnel Policy > Tunnel Policy Advanced Settings Use this dialog box to configure additional tunnel policy settings.
Fields

Security Association Lifetime parametersConfigures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys.
TimeSpecifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss). Traffic VolumeDefines the SA lifetime in terms of kilobytes of traffic. Enter the number of

kilobytes of payload data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Enable Perfect Forwarding Secrecy Enables Perfect Forwarding Secrecy. When you select this check box, the Diffie-Hellman Group list becomes active. This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPSec keys. Perfect Forward Secrecy is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless Perfect Forward Secrecy is specified. Perfect Forward Secrecy uses Diffie-Hellman techniques to generate the keys. Diffie-Hellman GroupSelects the Diffie-Hellman group to apply. The choices are as follows:
Group 1 (768-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 1 to generate

IPSec session keys, where the prime and generator numbers are 768 bits. This option is more secure but requires more processing overhead.
Group 2 (1024-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 2 to

generate IPSec session keys, where the prime and generator numbers are 1024 bits. This option is more secure than Group 1 but requires more processing overhead.
Group 7 (ECC) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 7 (ECC) to

generate IPSec session keys, where the elliptic curve field size is 163 bits. This option is the fastest and requires the least overhead. It is intended for use with the Movian VPN client, but you can use it with any peers that support Group 7 (ECC).

Enable NAT-T Enables NAT Traversal (NAT-T) for this policy. Enable Reverse Route InjectionEnables Reverse Route Injection for this policy. Static Type Only SettingsSpecifies parameters for static tunnel policies.
Trust Point NameSelects the trust point to use. If you select something other than None (Use

Preshared Keys), which is the default, the Enable entire chain transmission check box becomes active.
Enable entire chain transmissionEnables transmission of the entire trust point chain.

ASDM User Guide

27-24

OL-10106-01

Chapter 27

IKE Load Balancing

IKE Negotiation ModeSelects the IKE negotiation mode, Main or Aggressive. This

parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. This mode is more secure and it is the default selection. If you select Aggressive, the Diffie-Hellman Group list becomes active.
Diffie-Hellman GroupSelects the Diffie-Hellman group to apply. See the description above

for details.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

14-32

Load Balancing
Configuration > VPN > Load Balancing
Note

VPN load balancing runs only on security appliance models ASA 5520 and higher. VPN load balancing requires an active 3DES/AES license. The security appliance checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the security appliance prevents the enabling of load balancing and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage. This panel lets you enable load balancing on the security appliance. Enabling load balancing involves:

Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP port (if necessary), and IPSec shared secret for the cluster. These values are identical for every device in the cluster. Configuring the participating device by enabling load balancing on the device and defining device-specific properties. These values vary from device to device.

If you have a remote-client configuration in which you are using two or more security appliances connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance anodize availability.

ASDM User Guide OL-10106-01

27-25

Chapter 27 Load Balancing

IKE

Note

Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but the cannot participate in load balancing. To implement load balancing, you group together logically two or more devices on the same private LAN-to-LAN network into a virtual cluster. All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster master, directs incoming calls to the other devices, called secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of virtual cluster master is not tied to a physical device; it can shift among devices. For example, if the current virtual cluster master fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new virtual cluster master. The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device. It belongs to the current virtual cluster master; hence, it is virtual. A VPN client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user) the client connects directly to that host. In this way, the virtual cluster master directs traffic evenly and efficiently across resources.

Note

All clients other than the Cisco VPN client, the Cisco VPN 3002 Hardware Client, or the ASA 5505 operating as an Easy VPN Client connect directly to the security appliance as usual; they do not use the virtual cluster IP address. If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster. Should the virtual cluster master itself fail, a secondary device in the cluster immediately and automatically takes over as the new virtual session master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.
Prerequisites

Load balancing is disabled by default. You must explicitly enable load balancing. You must have first configured the public and private interfaces and also have previously configured the the interface to which the virtual cluster IP address refers. All devices that participate in a cluster must share the same cluster-specific values: IP address, encryption settings, encryption key, and port.
Fields

VPN Load BalancingConfigures virtual cluster device parameters.


Participate in Load Balancing ClusterSpecifies that this device is a participant in the

load-balancing cluster.
VPN Cluster ConfigurationConfigures device parameters that must be the same for the

entire virtual cluster. All servers in the cluster must have an identical cluster configuration.
Cluster IP AddressSpecifies the single IP address that represents the entire virtual cluster.

Choose an IP address that is within the public subnet address range shared by all the security appliances in the virtual cluster.

ASDM User Guide

27-26

OL-10106-01

Chapter 27

IKE Load Balancing

UDP PortSpecifies the UDP port for the virtual cluster in which this device is participating.

The default value is 9023. If another application is using this port, enter the UDP destination port number you want to use for load balancing.
Enable IPSec EncryptionEnables or disables IPSec encryption. If you select this check box,

you must also specify and verify a shared secret.The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information communicated between the devices is encrypted, select this check box.

Note

When using encryption, you must have previously configured the load-balancing inside interface. If that interface is not enabled on the load-balancing inside interface, you get an error message when you try to configure cluster encryption. If the load-balancing inside interface was enabled when you configured cluster encryption, but was disabled before you configured the participation of the device in the virtual cluster, you get an error message when you select the Participate in Load Balancing Cluster check box, and encryption is not enabled for the cluster.
IPSec Shared SecretSpecifies the shared secret to between IPSec peers when you have

enabled IPSec encryption. The value you enter in the box appears as consecutive asterisk characters.
Verify SecretConfirms the shared secret value entered in the IPSec Shared Secret box.

VPN Server ConfigurationConfigures parameters for this specific device.


InterfacesConfigures the public and private interfaces and their relevant parameters. PublicSpecifies the name or IP address of the public interface for this device. PrivateSpecifies the name or IP address of the private interface for this device. PrioritySpecifies the priority assigned to this device within the cluster. The range is from 1

to 10. The priority indicates the likelihood of this device becoming the virtual cluster master, either at start-up or when an existing master fails. The higher you set the priority (for example, 10), the more likely this device becomes the virtual cluster master.

Note

If the devices in the virtual cluster are powered up at different times, the first device to be powered up assumes the role of virtual cluster master. Because every virtual cluster requires a master, each device in the virtual cluster checks when it is powered-up to ensure that the cluster has a virtual master. If none exists, that device takes on the role. Devices powered up and added to the cluster later become secondary devices. If all the devices in the virtual cluster are powered up simultaneously, the device with the highest priority setting becomes the virtual cluster master. If two or more devices in the virtual cluster are powered up simultaneously, and both have the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
NAT Assigned IP AddressSpecifies the IP address that this devices IP address is translated

to by NAT. Enter 0.0.0.0 if NAT is not being used or if the device is not behind a firewall using NAT.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

27-27

Chapter 27 NAC

IKE

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

NAC
Configuration > VPN > NAC The security appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate the posture of remote hosts. Posture validation involves the checking of a remote host for compliancy with safety requirements before the assignment of a network access policy. An Access Control Server must be configured for Network Admission Control before you configure NAC on the security appliance. The NAC window lets you set attributes that apply to all NAC communications. The following global attributes at the top of the window apply to EAPoUDP messaging between the security appliance and remote hosts:

Retransmission TimerThe security appliance starts this timer when it sends an EAPoUDP message to the host. A response from the host clears the timer. If the timer expires before the security appliance receives a response, it resends the message. The setting is in seconds. Enter a value in the range 1 to 60. The default setting is 3. Hold TimerThe security appliance starts this timer when it places the NAC session for a remote host into a hold state. It places a session in a hold state if it does not receive a response after sending EAPoUDP messages equal to the number of EAPoUDP Retries. The security appliance also starts this timer after it receives an Access Reject message from the ACS server. When the timer expires, the security appliance tries to initiate a new EAP over UDP association with the remote host. The setting is in seconds. Enter a value in the range 60 to 86400. The default setting is 180. EAPoUDP RetriesNumber of times the security appliance resends an EAP over UDP message. This attribute limits the number of consecutive retries sent in response to Retransmission Timer expirations. The setting is in seconds. Enter a value in the range 1 to 3. The default setting is 3. EAPoUDP PortPort number for EAP over UDP communication with the Cisco Trust Agent (CTA) on the host. This number must match the port number configured on the CTA. Enter a value in the range 1024 to 65535. The default setting is 21862.

The Clientless Authentication area of the NAC window lets you configure settings for hosts that are not responsive to the EAPoUDP requests. Hosts for which there is no CTA running do not respond to these requests.

Enable Clientless AuthenticationCheck to enable clientless authentication. The security appliance sends the configured clientless username and password to the Access Control Server in the form of a user authentication request. The ACS in turn requests the access policy for clientless hosts. If you uncheck this attribute, the security appliance applies the default ACL for clientless hosts. UsernameUsername configured for clientless hosts on the ACS. The default setting is clientless. Enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#), question marks (?), single and double quotation marks ( and "), asterisks (*), and angle brackets (< and >). PasswordPassword configured for clientless hosts on the ACS. The default setting is clientless. Enter 4 32 ASCII characters.

ASDM User Guide

27-28

OL-10106-01

Chapter 27

IKE NAC

Confirm PasswordPassword configured for clientless hosts on the ACS repeated for validation.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

27-29

Chapter 27 NAC

IKE

ASDM User Guide

27-30

OL-10106-01

C H A P T E R

28

General
A virtual private network is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANS, or remote users to a LAN. VPNs provide privacy and security by requiring all users to authenticate and by encrypting all data traffic. This section describes the general VPN configuration attributes, including the following:

Client Update Default Tunnel Gateway Group Policy Browse Time Range ACL Manager Tunnel Group VPN System Options Zone Labs Integrity Server Easy VPN Remote Advanced Easy VPN Properties

Client Update
Configuration > VPN > General > Client Update The Client Update window lets administrators at a central location do the following actions:

Enable the update; specify the types and revision numbers of clients to which the update applies Provide a URL or IP address from which to get the update In the case of Windows clients, optionally notify users that they should update their VPN client version.

Note

The Client Update function at Configuration > VPN > General > Client Update applies only to Windows clients and VPN 3002 hardware clients. For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. You can apply client updates only to the IPSec remote-access tunnel-group type.

ASDM User Guide OL-10106-01

28-1

Chapter 28 Client Update

General

Note

If you try to do a client update to an IPSec LAN-to-LAN tunnel group or a WebVPN tunnel group, you do not receive an error message, but no update notification or client update goes to those types of tunnel groups. To enable client update globally for all clients of a particular client type, use this window. You can also notify all Windows clients that an upgrade is needed and initiate an upgrade on all VPN 3002 hardware clients from this window. To configure the client revisions to which the update applies and the URL or IP address from which to download the update, click Edit. To configure client update revisions and software update sources for a specific tunnel group, see Configuration > VPN > General > Tunnel Group > Add/Edit > IPSec Tab > Client VPN Software Update Table.
Fields

Enable Client UpdateEnables or disables client update, both globally and for specific tunnel groups. You must enable client update before you can send a client update notification to Windows VPN clients or initiate an automatic update to hardware clients. Client TypeLists the clients to upgrade: software or hardware, and for software clients, all Windows clients or a subset. If you click All Windows Based, do not specify Windows 95, 98 or ME and Windows NT, 2000 or XP individually. The hardware client gets updated with a release of the ASA 5505 software or of the VPN 3002 hardware client. VPN Client RevisionsContains a comma-separated list of software image revisions appropriate for this client. If the users client revision number matches one of the specified revision numbers, there is no need to update the client, and, for Windows-based clients, the user does not receive an update notification. The following caveats apply:
The revision list must include the software version for this update. Your entries must match exactly those on the URL for the VPN client, or the TFTP server for

the hardware client.


The TFTP server for distributing the hardware client image must be a robust TFTP server. A VPN client user must download an appropriate software version from the listed URL. The VPN 3002 hardware client software is automatically updated via TFTP, with no notification

to the user.

Image URLContains the URL or IP address from which to download the software image. This URL must point to a file appropriate for this client. For Windows-based clients, the URL must be in the form: http:// or https://. For hardware clients, the URL must be in the form tftp://.
For Windows-based VPN clients: To activate the Launch button on the VPN Client Notification,

the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example: http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.
For the hardware client: The format of the URL is tftp://server_address/directory/filename. The

server address can be either an IP address or a hostname if you have configured a DNS server. For example:

ASDM User Guide

28-2

OL-10106-01

Chapter 28

General Client Update

tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin

EditOpens the Edit Client Update Entry dialog box, which lets you configure or change client update parameters. See Edit Client Update Entry. Live Client UpdateSends an upgrade notification message to all currently connected VPN clients or selected tunnel group(s).
Tunnel GroupSelects all or specific tunnel group(s) for updating. Update NowImmediately sends an upgrade notification containing a URL specifying where

to retrieve the updated software to the currently connected Windows VPN clients in the selected tunnel group or all connected tunnel groups. The message includes the location from which to download the new version of software. The administrator for that VPN client can then retrieve the new software version and update the VPN client software. For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification. You must check Enable Client Update in the window for the upgrade to work. Clients that are not connected receive the upgrade notification or automatically upgrade the next time they log on.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit Client Update Entry


Configuration > VPN > General > Client Update > Edit Client Update Entry The Edit Client Update dialog box lets you change information about VPN client revisions and URLs for the indicated client types. The clients must be running one of the revisions specified for the indicated client type. If not, the clients are notified that an upgrade is required.
Fields

Client Type(Display-only) Displays the client type selected for editing. VPN Client RevisionsLets you type a comma-separated list of software or firmware images appropriate for this client. If the users client revision number matches one of the specified revision numbers, there is no need to update the client. If the client is not running a software version on the list, an update is in order. The user of a Windows-based VPN client must download an appropriate software version from the listed URL. The VPN 3002 hardware client software is automatically updated via TFTP. Image URLLets you type the URL for the software/firmware image. This URL must point to a file appropriate for this client.
For a Windows-based VPN client, the URL must include the protocol HTTP or HTTPS and the

server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

ASDM User Guide OL-10106-01

28-3

Chapter 28 Default Tunnel Gateway

General

http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.
For the hardware client: The format of the URL is tftp://server_address/directory/filename. The

server address can be either an IP address or a hostname if you have configured a DNS server. For example: tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin The directory is optional.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Default Tunnel Gateway


Configuration > VPN > General > Default Tunnel Gateway To configure the default tunnel gateway, click the Static Route link in this window. The Configuration > Routing > Routing > Static Route window opens.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Group Policy
Configuration > VPN > General > Group Policy The Group Policy window lets you manage VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS or LDAP server. Configuring the VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.

ASDM User Guide

28-4

OL-10106-01

Chapter 28

General Group Policy

The child windows, tabs, and dialog boxes let you configure the default group parameters. These parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can inherit parameters from this default group, and users can inherit parameters from their group or the default group. You can override these parameters as you configure groups and users. If you click the Add dialog box, a small menu appears giving you the option to create a new internal group policy, or an external group policy that is stored externally on a RADIUS or LDAP server. Both the Add Internal Group Policy window and the Edit Group Policy window include six tabbed sections. If you click the WebVPN tab, you expose six additional tabs. Click each tab to display its parameters. As you move from tab to tab, the security appliance retains your settings. When you have finished setting parameters on all tabbed sections, click OK or Cancel. In these dialog boxes, you configure the following kinds of parameters:

General Parameters: Protocols, filtering, connection settings, and servers. IPSec Parameters: IP Security tunneling protocol parameters and client access rules. Client Configuration Parameters: Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers. Client FW Parameters: VPN Client personal firewall requirements. Hardware Client Parameters: Interactive hardware client and individual user authentication; network extension mode. WebVPN Parameters: SSL VPN access.

Before configuring these parameters, you should configure: Access hours.


Rules and filters. IPSec Security Associations. Network lists for filtering and split tunneling User authentication servers, and specifically the internal authentication server.

Fields

Group PolicyContains a table listing the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN group policies.
NameLists the name of the currently configured group policies. TypeLists the type of each currently configured group policy. Tunneling ProtocolLists the tunneling protocol that each currently configured group policy

uses.
AAA Server GroupLists the AAA server group, if any, to which each currently configured

group policy pertains.


AddDisplays the Add Group Policy dialog box, which lets you add a new AAA group policy

to the list. This screen includes seven tabbed sections. Click each tab to display its parameters. As you move from tab to tab, ASDM retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.
EditDisplays the Edit Group Policy dialog box, which lets you modify an existing AAA group

policy.
DeleteLets you remove a AAA group policy from the list. There is no confirmation or undo.

ASDM User Guide OL-10106-01

28-5

Chapter 28 Group Policy

General

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit External Group Policy


Configuration > VPN > General > Group Policy > Add > External Group Policy > Add or Edit External Group Policy The Add or Edit External Group Policy dialog box lets you configure an external group policy.
Fields

NameIdentifies the group policy to be added or changed. For Edit External Group Policy, this field is display-only. Server GroupLists the available server groups to which to apply this policy. PasswordSpecifies the password for this server group policy. NewOpens a dialog box that lets you select whether to create a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add AAA Server Group


Configuration > VPN > General > Group Policy > Add/Edit > External Group Policy > New > RADIUS Server Group/New LDAP Server Group > Add AAA Server Group The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.
Fields

Server GroupSpecifies the name of the server group. Protocol(Display only) Indicates whether this is a RADIUS or an LDAP server group. Accounting ModeIndicates whether to use simultaneous or single accounting mode. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

ASDM User Guide

28-6

OL-10106-01

Chapter 28

General Group Policy

Reactivation ModeSpecifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time. Dead TimeSpecifies, for depletion mode, the number of minutes (0 through 1440) that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default value is 10 minutes. This field is not available for timed mode. Max Failed Attempts Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive. The default value is 3 attempts.

Add/Edit Internal Group Policy > General Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > General Tab The Add or Edit Group Policy window, General tab, lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. This is the default value for all of the attributes on this tab. Tunneling ProtocolsSpecifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:
IPSecIP Security Protocol. Regarded as the most secure protocol, IPSec provides the most

complete architecture for VPN tunnels. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec.
WebVPNVPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel

to a security appliance; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
L2TP over IPSecAllows remote users with VPN clients provided with several common PC

and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.

Note

If no protocol is selected, an error message appears.

FilterSpecifies the filter to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Configuration > Features > VPN > VPN General > Group Policy window. ManageDisplays the ACL Manager window, with which you can add, edit, and delete Access Control Lists (ACLs) and Extended Access Control Lists (ACEs). For more information about the ACL Manager, see the online Help for that window.

ASDM User Guide OL-10106-01

28-7

Chapter 28 Browse Time Range

General

Connection SettingsSpecifies the connection settings parameters.


Access HoursIf the Inherit check box is not selected, you can select the name of an existing

access hours policy, if any, applied to this user or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.
ManageOpens the Browse Time Range dialog box, on which you can add, edit, or delete a

time range.
Simultaneous LoginsIf the Inherit check box is not selected, this parameter specifies the

maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.

Note

While there is no maximum limit, allowing several simultaneous connections might compromise security and affect performance.

Maximum Connect TimeIf the Inherit check box is not selected, this parameter specifies the

maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 35791394 minutes (over 4000 years). To allow unlimited connection time, select Unlimited (the default).
Idle TimeoutIf the Inherit check box is not selected, this parameter specifies this users idle

timeout period in minutes. If there is no communication activity on the users connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. The default is 30 minutes. To allow unlimited connection time, select Unlimited. This value does not apply to WebVPN users.

ServersConfigures DNS and WINS servers, and DHCP Scope.


DNS ServersSpecifies the DNS servers to use. If you deselect Inherit, you can specify the

primary and secondary DNS servers in their respective boxes.


WINS ServersSpecifies the WINS servers to use. If you deselect Inherit, you can specify the

primary and secondary WINS servers in their respective boxes.


DHCP ScopeSpecifies the DHCP scope; that is, the range of IP addresses the security

appliance DHCP server should use to assign addresses to users of this group policy. If you deselect Inherit, you can enter the scope in the box.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Browse Time Range


You can get to this panel through various paths.

ASDM User Guide

28-8

OL-10106-01

Chapter 28

General Browse Time Range

Use the Browse Time Range dialog box to add, edit, or delete a time range. A time range is a reusable component that defines starting and ending times that can be applied to a group policy. After defining a time range, you can select the time range and apply it to different options that require scheduling. For example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional recurring (that is, periodic) entries. For more information about time ranges, see the online Help for the Add or Edit Time Range dialog box.
Fields

AddOpens the Add Time Range dialog box, on which you can create a new time range.

Note

Creating a time range does not restrict access to the device. EditOpens the Edit Time Range dialog box, on which you can modify an existing time range. This button is active only when you have selected an existing time range from the Browse Time Range table. DeleteRemoves a selected time range from the Browse Time Range table. There is no confirmation or undo of this action. NameSpecifies the name of the time range. Start TimeSpecifies when the time range begins. End TimeSpecifies when the time range ends. Recurring EntriesSpecifies further constraints of active time of the range within the start and stop time specified.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Time Range


You can get to this panel through various paths. The Add or Edit Time Range dialog box lets you configure a new time range.
Fields

Time Range NameSpecifies the name that you want to assign to this time range. Start TimeDefines the time when you want the time range to start.
Start nowSpecifies that the time range starts immediately. Start atSelects the month, day, year, hour, and minute at which you want the time range to

start.

End TimeDefines the time when you want the time range to end.

ASDM User Guide OL-10106-01

28-9

Chapter 28 Browse Time Range

General

Never endSpecifies that the time range has no defined end point. End at (inclusive)Selects the month, day, year, hour, and minute at which you want the time

range to end.

Recurring Time RangesConstrains the active time of this time range within the start and end times when the time range is active. For example, if the start time is start now and the end time is never end, and you want the time range to be effective every weekday, Monday through Friday, from 8:00 AM to 5:00 PM, you could configure a recurring time range, specifying that it is to be active weekdays from 08:00 through 17:00, inclusive. AddOpens the Add Recurring Time Range dialog box, on which you can configure a recurring time range. EditOpens the Edit Recurring Time Range dialog box, on which you can modify a selected recurring time range. DeleteRemoves a selected recurring time range.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Recurring Time Range


You can get to this panel through various paths. The Add or Edit Recurring Time Range dialog box lets you configure or modify a recurring time range.
Fields

Specify days of the week and times on which this recurring range will be activeMakes available the options in the Days of the week area. For example, use this option when you want the time range to be active only every Monday through Thursday, from 08:00 through 16:59.
Days of the weekSelect the days that you want to include in this recurring time range.

Possible options are: Every day, Weekdays, Weekends, and On these days of the week. For the last of these, you can select a check box for each day that you want included in the range.
Daily Start TimeSpecifies the hour and minute, in 24-hour format, when you want the

recurring time range to be active on each selected day.


Daily End Time (inclusive)Specifies the hour and minute, in 24-hour format, when you want

the recurring time range to end on each selected day.

Specify a weekly interval when this recurring range will be activeMakes available the options in the Weekly Interval area. The range extends inclusively through the end time. All times in this area are in 24-hour format. For example, use this option when you want the time range to be active continuously from Monday at 8:00 AM through Friday at 4:30 PM.
FromSelects the day, hour, and minute when you want the weekly time range to start. ThroughSelects the day, hour, and minute when you want the weekly time range to end.

ASDM User Guide

28-10

OL-10106-01

Chapter 28

General ACL Manager

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ACL Manager
You can get to this panel through various paths. The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used. You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

If you do not define any filters, all connections are permitted. The security appliance supports only an inbound ACL on an interface. At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the security appliance denies it. ACEs are referred to as rules in this topic.

Standard ACL Tab


This pane provides summary information about standard ACLs, and lets you add or edit ACLs and ACEs.
Fields

AddLets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL. EditOpens the Edit ACE dialog box, on which you can change an existing access control list rule. DeleteRemoves an ACL or ACE. There is no confirmation or undo. Move Up/Move DownChanges the position of a rule in the ACL Manager table. CutRemoves the selection from the ACL Manager table and places it on the clipboard. CopyPlaces a copy of the selection on the clipboard. PasteOpens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule. NoIndicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen. AddressDisplays the IP address or URL of the application or service to which the ACE applies. ActionSpecifies whether this filter permits or denies traffic flow. DescriptionShows the description you typed when you added the rule. An implicit rule includes the following description: Implicit outbound rule.

ASDM User Guide OL-10106-01

28-11

Chapter 28 ACL Manager

General

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Extended ACL Tab


This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.
Fields

AddLets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL. EditOpens the Edit ACE dialog box, on which you can change an existing access control list rule. DeleteRemoves an ACL or ACE. There is no confirmation or undo. Move Up/Move DownChanges the position of a rule in the ACL Manager table. CutRemoves the selection from the ACL Manager table and places it on the clipboard. CopyPlaces a copy of the selection on the clipboard. PasteOpens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule. NoIndicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen. EnabledEnables or disables a rule. Implicit rules cannot be disabled. SourceSpecifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule. DestinationSpecifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Source column. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses; for example 209.165.201.1-209.165.201.30. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address. ServiceNames the service and protocol specified by the rule. ActionSpecifies whether this filter permits or denies traffic flow.

ASDM User Guide

28-12

OL-10106-01

Chapter 28

General ACL Manager

Logging Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and choose Edit Log Option. The Log Options window appears. TimeSpecifies the name of the time range to be applied in this rule. DescriptionShows the description you typed when you added the rule. An implicit rule includes the following description: Implicit outbound rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit/Paste ACE
ACL Manager > Add/Edit/Paste Extended ACE The Add/Edit/Paste ACE dialog box lets you create a new extended access list rule, or modify an existing rule. The Paste option becomes available only when you cut or copy a rule.
Fields

ActionDetermines the action type of the new rule. Select either permit or deny.
PermitPermits all matching traffic. DenyDenies all matching traffic.

Source/DestinationSpecifies the source or destination type and, depending on that type, the other relevant parameters describing the source or destination host/network IP Address. Possible values are: any, IP address, Network Object Group, and Interface IP. The availability of subsequent fields depends upon the value of the Type field:
anySpecifies that the source or destination host/network can be any type. For this value of the

Type field, there are no additional fields in the Source or Destination area.
IP AddressSpecifies the source or destination host or network IP address. With this selection,

the IP Address, ellipsis button, and Netmask fields become available. Select an IP address or host name from the drop-down list in the IP Address field or click the ellipsis (...) button to browse for an IP address or name. Select a network mask from the drop-down list.
Network Object GroupSpecifies the name of the network object group. Select a name from

the drop-down list or click the ellipsis (...) button to browse for a network object group name.
Interface IPSpecifies the interface on which the host or network resides. Select an interface

from the drop-down list. The default values are inside and outside. There is no browse function.

Protocol and ServiceSpecifies the protocol and service to which this ACE filter applies. Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.

ASDM User Guide OL-10106-01

28-13

Chapter 28 ACL Manager

General

You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.
ProtocolSelects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp,

and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select. The next few bullets describe the consequences of each of these selections:
Protocol: TCP and UDPSelects the TCP/UDP protocol for the rule. The Source Port and

Destination Port areas allow you to specify the ports that the ACL uses to match packets.
Source Port/Destination Port(Available only for TCP and UDP protocols) Specifies an

operator and a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP. The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range).
Group(Available only for TCP and UDP protocols) Selects a source port service group. The

Browse (...) button opens the Browse Source Port or Browse Destination Port dialog box.
Protocol: ICMPLets you select an ICMP type or ICMP group from a preconfigured list or

browse (...) for an ICMP group. The Browse button opens the Browse ICMP dialog box.
Protocol: IPSpecifies the IP protocol for the rule in the IP protocol box. No other fields are

available when you make this selection.


Protocol: OtherLets you select a protocol from a drop-down list, select a protocol group from

a drop-down list, or browse for a protocol group. The Browse (...) button opens the Browse Other dialog box.

Rule Flow Diagram(Display only) Provides a graphical representation of the configured rule flow. This same diagram appears on the ACL Manager dialog box unless you explicitly close that display. OptionsSets optional features for this rule, including logging parameters, time ranges, and description.
LoggingEnables or disables logging or specifies the use of the default logging settings. If

logging is enabled, the Syslog Level and Log Interval fields become available.
Syslog LevelSelects the level of logging activity. The default is Informational. Log IntervalSpecifies the interval for permit and deny logging. The default is 300 seconds.

The range is 1 through 6000 seconds.


Time RangeSelects the name of the time range to use with this rule. The default is (any). Click

the Browse (...) button to open the Browse Time Range dialog box to select or add a time range.
Description(Optional) Provides a brief description of this rule. A description line can be up

to 100 characters long, but you can break a description into multiple lines.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

28-14

OL-10106-01

Chapter 28

General ACL Manager

Browse Source/Destination Address


ACL Manager > Add/Edit Extended Access List Rule > Source or Destination > Browse button The Browse Source or Destination Address dialog box lets you select an object to use a s a source or destination for this rule.
Fields

TypeDetermines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection. Source/Destination Object TableDisplays the objects from which you can select a source or destination object. If you select All in the type field, each category of object appears under its own heading. The table has the following headings:
NameDisplays the network name (which may be an IP address) for each object. IP addressDisplays the IP address of each object. NetmaskDisplays the network mask to use with each object. DescriptionDisplays the description entered in the Add/Edit/Paste Extended Access List Rule

dialog box.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Browse Source/Destination Port


ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: tcp or udp >Source or Destination Port > Group option > Browse button The Browse Source or Destination Port dialog box lets you select a source or destination port for this protocol in this rule.
Fields

AddOpens the Add TCP Service Group dialog box, on which you can configure a new TCP service group. FindOpens the Filter field. Filter/ClearSpecifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

ASDM User Guide OL-10106-01

28-15

Chapter 28 ACL Manager

General

TypeDetermines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection. NameLists the predefined protocols and service groups for your selection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add TCP Service Group


ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: tcp or udp >Source or Destination Port > Group option > Browse button > Browse Source or Destination Port > Add button The Add TCP Service Group dialog box lets you configure a new a TCP service group or port to add to the browsable source or destination port list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.
Fields

Group NameSpecifies the name of the new TCP service group. Description(Optional) Provides a brief description of this group. Members not in GroupPresents the option to select either a service/service group or a port number to add to the Members in Group list. Service/Service GroupSelects the option to select the name of a TCP service or service group to add to the Members in Group list. Port #Selects the option to specify a range of port numbers to add to the Members in Group list. AddMoves a selected item from the Members not in Group list to the Members in Group list. RemoveMoves a selected item from the Members in Group list to the Members not in Group list. Members in GroupLists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

28-16

OL-10106-01

Chapter 28

General ACL Manager

Browse ICMP
ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: icmp >ICMP > Group option > Browse button The Browse ICMP dialog box lets you select an ICMP group for this rule.
Fields

AddOpens the Add ICMP Group dialog box, on which you can configure a new TCP service group. FindOpens the Filter field. Filter/ClearSpecifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button. TypeDetermines the type of object to use as the ICMP group for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection. NameLists the predefined ICMP groups for your selection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add ICMP Group


ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: icmp >ICMP > Group option > Browse button > Browse ICMP > Add button The Add ICMP Group dialog box lets you configure a new a ICMP group by name or by number to add to the browsable ICMP list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.
Fields

Group NameSpecifies the name of the new TCP service group. Description(Optional) Provides a brief description of this group. Members not in GroupPresents the option to select either an ICMP type/ICMP group or an ICMP number to add to the Members in Group list. ICMP Type/ICMP GroupSelects the option to select the name of an ICMP group to add to the Members in Group list. ICMP #Selects the option to specify an ICMP member by number to add to the Members in Group list.

ASDM User Guide OL-10106-01

28-17

Chapter 28 ACL Manager

General

AddMoves a selected item from the Members not in Group list to the Members in Group list. RemoveMoves a selected item from the Members in Group list to the Members not in Group list. Members in GroupLists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Browse Other
ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: other >Other > Group option > Browse button The Browse Other dialog box lets you select a protocol group for this rule.
Fields

AddOpens the Add Protocol Group dialog box, on which you can configure a new service group. FindOpens the Filter field. Filter/ClearSpecifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button. TypeDetermines the type of object to use as the protocol group for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection. NameLists the predefined protocol groups for your selection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add Protocol Group


ACL Manager > Add/Edit Extended Access List Rule > Protocol and Service > Protocol: other > Group option > Browse button > Browse Other > Add button

ASDM User Guide

28-18

OL-10106-01

Chapter 28

General ACL Manager

The Add Protocol Group dialog box lets you configure a new a protocol group by name or by number to add to the browsable protocol list for this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.
Fields

Group NameSpecifies the name of the new TCP service group. Description(Optional) Provides a brief description of this group. Members not in GroupPresents the option to select either a protocol/protocol group or a protocol number to add to the Members in Group list. Protocol/Protocol GroupSelects the option to select the name of a protocol or protocol group to add to the Members in Group list. Protocol #Selects the option to specify a protocol by number to add to the Members in Group list. AddMoves a selected item from the Members not in Group list to the Members in Group list. RemoveMoves a selected item from the Members in Group list to the Members not in Group list. Members in GroupLists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Internal Group Policy > IPSec Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > IPSec Tab The Add or Edit Group Policy window, IPSec tab, lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. This is the default option for all attributes on this tab. Re-Authentication on IKE Re-keyEnables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is selected. IP CompressionEnables or disables IP Compression, unless the Inherit check box is selected. Perfect Forward SecrecyEnables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPSec SA was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPSec protected data, and then use knowledge of the IKE SA secret to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPSec. The attacker would have to break each IPSec SA individually.

ASDM User Guide OL-10106-01

28-19

Chapter 28 ACL Manager

General

Tunnel Group LockEnables locking the tunnel group you select from the list, unless the Inherit check box or the value None is selected. Client Access RulesLets you configure up to 25 client access rules. If you deselect the Inherit check box, the Add, Edit, and Delete buttons become active and the following column headings appear in the table:
PriorityShows the priority for this rule. ActionSpecifies whether this rule permits or denies access. Client TypeSpecifies the type of VPN client to which this rule applies, software or hardware,

and for software clients, all Windows clients or a subset.


VPN Client VersionSpecifies the version or versions of the VPN client to which this rule

applies. This box contains a comma-separated list of software or firmware images appropriate for this client.

AddAdds a new rule for an IPSec group policy. This button is active only if the Inherit check box is deselected. EditModifies an existing rule for an IPSec group policy. This button is active only if the Inherit check box is deselected. DeleteRemoves an existing rule for an IPSec group policy. This button is active only if the Inherit check box is deselected. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Client Access Rule


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > IPSec > Add or Edit Client Access Rule Spawned from the Add or Edit Group Policy windows, IPSec tab, the Add or Edit Client Access Rule window adds a new client access rule for an IPSec group policy or modifies an existing rule.
Fields

PriorityShows the priority for this rule. ActionSpecifies whether this rule permits or denies access. VPN Client TypeSpecifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset. Some common values for VPN Client Type include VPN 3002, PIX, Linux, * (matches all client types), Win9x (matches Windows 95, Windows 98, and Windows ME), and WinNT (matches Windows NT, Windows 2000, and Windows XP). If you choose *, do not configure individual Windows types such as Windows NT. VPN Client VersionSpecifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

ASDM User Guide

28-20

OL-10106-01

Chapter 28

General ACL Manager

You must specify the software version for this client. You can specify * to match any version. Your entries must match exactly those on the URL for the VPN client, or the TFTP server for

the VPN 3002.


The TFTP server for distributing the hardware client image must be a robust TFTP server. If the client is already running a software version on the list, it does not need a software update.

If the client is not running a software version on the list, an update is in order.
A VPN client user must download an appropriate software version from the listed URL. The VPN 3002 hardware client software is automatically updated via TFTP.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Internal Group Policy > Client Configuration Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Client Configuration Tab The Add or Edit Group Policy window, Client Configuration tab contains three tabs that let you configure general client parameters, Cisco client parameters, and Microsoft client parameters.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Client Configuration Tab >General Client Parameters Tab This tab configures client attributes that are common across both Cisco and Microsoft clients, including the banner text, default domain, split tunnel parameters, and address pools.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. Deselecting the Inherit check box makes other options available for the parameter. This is the default option for all attributes on this tab.

ASDM User Guide OL-10106-01

28-21

Chapter 28 ACL Manager

General

BannerSpecifies whether to inherit the banner from the default group policy or enter new banner text. Edit BannerDisplays the View/Config Banner dialog box, in which you can enter banner text, up to 500 characters. Default DomainSpecifies whether to inherit the default domain from the default group policy or use a new default domain specified in the field. Split Tunnel DNS Names (space delimited)Specifies whether to inherit the split-tunnel DNS names or from the default group policy or specify a new name or list of names in the field. Split Tunnel PolicySpecifies whether to inherit the split-tunnel policy from the default group policy or select a policy from the menu. The menu options are to tunnel all networks, tunnel those in the network list below, or exclude those in the network list below. Split Tunnel Network ListSpecifies whether to inherit the split-tunnel network list from the default group policy or select from the drop-down list. ManageOpens the ACL Manager dialog box, on which you can manage standard and extended access control lists. Address PoolsConfigures the address pools available through this group policy.
Available PoolsSpecifies a list of address pools for allocating addresses to remote clients.

Deselecting the Inherit check box with no address pools in the Assigned Pools list indicates that no address pools are configured and disables inheritance from other sources of group policy.
AddMoves the name of an address pool from the Available Pools list to the Assigned Pools

list.
RemoveMoves the name of an address pool from the Assigned Pools list to the Available

Pools list.
Assigned Pools (up to 6 entries)Lists the address pools you have added to the assigned pools

list. The address-pools settings in this table override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation. The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

View/Config Banner
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Client Configuration > Edit Banner > View/Config Banner The View/Config Banner dialog box lets you enter into the text box up to 500 characters of text to be displayed as a banner for the specified client.

ASDM User Guide

28-22

OL-10106-01

Chapter 28

General ACL Manager

Note

A carriage return/line feed, created by pressing Enter, counts as 2 characters.


Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Client Configuration Tab >Cisco Client Parameters Tab This tab configures client attributes that are specific to Cisco clients, including password storage, enabling or disabling IPSec over UDP and setting the UDP port number, and configuring IPSec backup servers.
Fields

Store Password on Client SystemEnables or disables storing the password on the client system.

Note

Storing the password on a client system can constitute a potential security risk. IPSec over UDPEnables or disables using IPSec over UDP. IPSec over UDP PortSpecifies the UDP port to use for IPSec over UDP. IPSec Backup ServersActivates the Server Configuration and Server IP Addresses fields, so you can specify the UDP backup servers to use if these values are not inherited. Server ConfigurationLists the server configuration options to use as an IPSec backup server. The available options are: Keep Client Configuration (the default), Use the Backup Servers Below, and Clear Client Configuration. Server Addresses (space delimited)Specifies the IP addresses of the IPSec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

28-23

Chapter 28 ACL Manager

General

Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Client Configuration Tab >Microsoft Client Parameters Tab This tab configures client attributes that are specific to Microsoft clients, specifically, proxy server parameters for Microsoft Internet Explorer.
Fields

Proxy Server PolicyConfigures the Microsoft Internet Explorer browser proxy actions (methods) for a client PC.
Do not modify client proxy settingsLeaves the HTTP browser proxy server setting in Internet

Explorer unchanged for this client PC.


Do not use proxyDisables the HTTP proxy setting in Internet Explorer for the client PC. Auto-detect proxyEnables the use of automatic proxy server detection in Internet Explorer

for the client PC.


Use proxy server settings specified belowSets the HTTP proxy server setting in Internet

Explorer to use the value configured in the Proxy Server Name or IP Address field.

Proxy Server SettingsConfigures the proxy server parameters for Microsoft clients using Microsoft Internet Explorer.
Proxy Server Name or IP AddressSpecifies the IP address or name of an Microsoft Internet

Explorer server that is applied for this client PC.

Note

ASDM lets you configure the proxy server name or IP address. To configure the optional port to use, as well as the server, you must use the msie-proxy server command in group-policy configuration mode.

Bypass Proxy Server for Local Addresses Configures Microsoft Internet Explorer browser

proxy local-bypass settings for a client PC. Select Yes to enable local bypass or No to disable local bypass.
Proxy Server Exception ListConfigures Microsoft Internet Explorer browser proxy exception

list settings for a local bypass on the client PC. Enter the list of addresses that you do not want to have accessed through a proxy server. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.
Name or IP Address (use * as a wildcard)Specifies the IP address or name of an MSIE server

that is applied for this client PC.


AddAdd the specified name or IP address to the Proxy Server Exceptions list. DeleteRemove the specified name or IP address from the Proxy server Exceptions list. Proxy Server ExceptionsLists the server names and IP addresses that you want to exclude

from proxy server access. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.

DHCP InterceptEnables or disables DHCP Intercept. DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.

ASDM User Guide

28-24

OL-10106-01

Chapter 28

General ACL Manager

Note

A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.
Intercept DHCP Configure MessageSpecifies whether to inherit the DHCP intercept policy

from the group policy or to enable (Yes) or disable (No) DHCP policy.
Subnet Mask (optional)Selects the subnet mask from the drop-down list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Standard Access List Rule


ACL Manager > Add or Edit Standard Access List Rule The Add/Edit Standard Access List Rule dialog box lets you create a new rule, or modify an existing rule.
Fields

ActionDetermines the action type of the new rule. Select either permit or deny.
PermitPermits all matching traffic. DenyDenies all matching traffic.

Host/Network IP AddressIdentifies the networks by IP address.


IP addressThe IP address of the host or network. MaskThe subnet mask of the host or network

Description(Optional) Enter a description of the access rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

28-25

Chapter 28 ACL Manager

General

Add/Edit Internal Group Policy > Client Firewall Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Client Firewall Tab The Add or Edit Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified.

Note

Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients. A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the users PC, and thereby the corporate network, from intrusions by way of the Internet or the users local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option. In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic are you there? messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration. In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.
Fields

InheritDetermines whether the group policy obtains its client firewall setting from the default group policy. This option is the default setting. When set, it overrides the remaining attributes in this tab and dims their names. Client Firewall AttributesSpecifies the client firewall attributes, including what type of firewall (if any) is implemented and the firewall policy for that firewall. Firewall SettingLists whether a firewall exists, and if so, whether it is required or optional. If you select No Firewall (the default), none of the remaining fields on this window are active. If you want users in this group to be firewall-protected, select either the Firewall Required or Firewall Optional setting. If you select Firewall Required, all users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.

ASDM User Guide

28-26

OL-10106-01

Chapter 28

General ACL Manager

Note

If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode and VPN 3002 hardware clients) are unable to connect. If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do notfor example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall TypeLists firewalls from several vendors, including Cisco. If you select Custom Firewall, the fields under Custom Firewall become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported. Custom FirewallSpecifies the vendor ID, Product ID and description for the custom firewall.
Vendor IDSpecifies the vendor of the custom firewall for this group policy. Product IDSpecifies the product or model name of the custom firewall being configured for

this group policy.


Description(Optional) Describes the custom firewall.

Firewall PolicySpecifies the type and source for the custom firewall policy.
Policy defined by remote firewall (AYT)Specifies that the firewall policy is defined by the

remote firewall (Are You There). Policy defined by remote firewall (AYT) means that remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN client. The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN client ends the session.
Policy pushed (CPP)Specifies that the policy is pushed from the peer. If you select this

option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active.The security appliance enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this security appliance, including the default filters. Keep in mind that the security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the security appliance. For example, in and out refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.
Inbound Traffic PolicyLists the available push policies for inbound traffic. Outbound Traffic PolicyLists the available push policies for outbound traffic. ManageDisplays the ACL Manager window, on which you can configure Access Control

Lists (ACLs).
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

28-27

Chapter 28 ACL Manager

General

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Internal Group Policy > Hardware Client Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Hardware Client Tab The Add or Edit Group Policy window, Hardware Client tab, lets you configure settings for the VPN 3002 hardware client for the group policy being added or modified. The Hardware Client tab parameters do not pertain to the ASA 5505 in client mode.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab. Require Interactive Client AuthenticationEnables or disables the requirement for interactive client authentication. This parameter is disabled by default. Interactive hardware client authentication provides additional security by requiring the VPN 3002 to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled, the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the security appliance to which it connects. The security appliance facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established. When you enable interactive hardware client authentication for a group, the security appliance pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password. If, on the security appliance, you subsequently disable interactive hardware authentication for the group, it is enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the security appliance has disabled interactive hardware client authentication. If you subsequently configure a username and password, the feature is disabled, and the prompt no longer appears. The VPN 3002 connects to the security appliance using the saved username and password.

Require Individual User AuthenticationEnables or disables the requirement for individual user authentication for users behind ASA 5505 in client mode or the VPN 3002 hardware client in the group. To display a banner to hardware clients in a group, individual user authentication must be enabled. This parameter is disabled by default. Individual user authentication protects the central site from access by unauthorized persons on the private network of the hardware client. When you enable individual user authentication, each user that connects through a hardware client must open a web browser and manually enter a valid username and password to access the network behind the security appliance, even though the tunnel already exists.

ASDM User Guide

28-28

OL-10106-01

Chapter 28

General ACL Manager

Note

You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser. If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the hardware client directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered. If you try to access resources on the network behind the security appliance that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser. To authenticate, you must enter the IP address for the private interface of the hardware client in the browser Location or Address field. The browser then displays the login screen for the hardware client. To authenticate, click the Connect/Login Status button. One user can log in for a maximum of four sessions simultaneously. Individual users authenticate according to the order of authentication servers configured for a group.

User Authentication Idle TimeoutConfigures a user timeout period. The security appliance terminates the connection if it does not receive user traffic during this period. You can specify that the timeout period is a specific number of minutes or unlimited.
UnlimitedSpecifies that the connection never times out. This option prevents inheriting a

value from a default or specified group policy.


MinutesSpecifies the timeout period in minutes. Use an integer between 1 and 35791394. The

default value is Unlimited.

Cisco IP Phone BypassLets Cisco IP phones bypass the interactive individual user authentication processes. If enabled, interactive hardware client authentication remains in effect. Cisco IP Phone Bypass is disabled by default.

Note

You must configure the ASA 5505 in client mode or the VPN 3002 hardware client to use network extension mode for IP phone connections. LEAP BypassLets LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled). LEAP Bypass lets LEAP packets from devices behind a hardware client travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). LEAP Bypass is disabled by default.

Note

This feature does not work as intended if you enable interactive hardware client authentication. IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session wireless encryption privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys. Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

ASDM User Guide OL-10106-01

28-29

Chapter 28 ACL Manager

General

Note

Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services. LEAP users behind a hardware client have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication. LEAP Bypass works as intended under the following conditions:
The interactive unit authentication feature (intended for wired devices) must be disabled. If

interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the hardware client before LEAP devices can connect using that tunnel.
Individual user authentication is enabled (if it is not, you do not need LEAP Bypass). Access points in the wireless environment must be Cisco Aironet Access Points. The wireless

NIC cards for PCs can be other brands.


The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP). The ASA 5505 or VPN 3002 can operate in either client mode or network extension mode. LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.

Note

Allowing any unauthenticated traffic to traverse the tunnel might pose a security risk.

Allow Network Extension ModeRestricts the use of network extension mode on the hardware client. Select the option to let hardware clients use network extension mode. Network extension mode is required for the hardware client to support IP phone connections, because the Call Manager can communicate only with actual IP addresses.

Note

If you disable network extension mode, the default setting, the hardware client can connect to this security appliance in PAT mode only. If you disallow network extension mode here, be careful to configure all hardware clients in a group for PAT mode. If a hardware client is configured to use network extension mode and the security appliance to which it connects disables network extension mode, the hardware client attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the hardware client puts an unnecessary processing load on the security appliance to which it connects; large numbers of hardware clients that are misconfigured in this way reduces the ability of the security appliance to provide service.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

28-30

OL-10106-01

Chapter 28

General ACL Manager

Add/Edit Internal Group Policy > NAC Tab


Configuration > VPN > General > Group Policy > Add/Edit Internal Group Policy > NAC Tab The Add or Edit Internal Group Policy window, NAC tab, lets you configure Network Admission Control settings for the default group policy or an alternative group policy.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab. Enable NACRequires posture validation for remote access. If the remote computer passes the validation checks, the ACS server downloads the access policy for the security appliance to enforce. The default setting is Disable. Status Query TimerThe security appliance starts this timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query. Enter the number of seconds in the range 30 to 1800. The default setting is 300. Revalidation TimerThe security appliance starts this timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds between each successful posture validation. The range is 300 to 86400. The default setting is 36000. Default ACL (Optional) The security appliance applies the security policy associated with the selected ACL if posture validation fails. Select None or select an extended ACL in the list. The default setting is None. If the setting is None and posture validation fails, the security appliance applies the default group policy. Use the Manage button to populate the drop-down list and view the configuration of the ACLs in the list.

Manage Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs. Posture Validation Exception ListDisplays one or more attributes that exempt remote computers from posture validation. At minimum, each entry lists the operating system and an Enabled setting of Yes or No. An optional filter identifies an ACL used to match additional attributes of the remote computer. An entry that consists of an operating system and a filter requires the remote computer to match both to be exempt from posture validation. The security appliance ignores the entry if the Enabled setting is set to No. AddAdds an entry to the Posture Validation Exception list. EditModifies an entry in the Posture Validation Exception list. DeleteRemoves an entry from the Posture Validation Exception list.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

28-31

Chapter 28 ACL Manager

General

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Posture Validation Exception


Configuration > VPN > General > Group Policy > Add/Edit Internal Group Policy > NAC tab > Add/Edit The Add/Edit Posture Validation Exception dialog window lets you exempt remote computers from posture validation, based on their operating system and other optional attributes that match a filter.

Operating SystemChoose the operating system of the remote computer. If the computer is running this operating system, it is exempt from posture validation. The default setting is blank. EnableThe security appliance checks the remote computer for the attribute settings displayed in this window only if you check Enabled. Otherwise, it ignores the attribute settings. The default setting is unchecked. Filter (Optional) Use to apply an ACL to filter the traffic if the operating system of the computer matches the value of the Operating System attribute. Manage Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs. Use this button to populate the list next to the Filter attribute.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

WebVPN Tab > Functions Tab


You can get to this panel through various paths. The WebVPN tab > Functions tab lets you configure the features available to WebVPN users. The interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.

Inherit Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. Enable URL entryPlaces the URL entry box on the home page. If this feature is enabled, users can enter web addresses in the URL entry box, and use WebVPN to access those websites.

ASDM User Guide

28-32

OL-10106-01

Chapter 28

General ACL Manager

Using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote users PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured. In a WebVPN connection, the security appliance acts as a proxy between the end users web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the servers SSL certificate. The end users browser never receives the presented certificate, so therefore cannot examine and validate the certificate. The current implementation of WebVPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it. To limit Internet access for WebVPN users, deselect the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.

Enable file server accessEnables Windows file access (SMB/CIFS files only) through HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Servers and URLs area. To let users access servers directly or to browse servers on the network, see the Enable file server entry and Enable file server browsing attribute descriptions. With this box checked, users can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements. File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the security appliance, or reachable from that network. The WINS server or master browser provides the security appliance with an list of the resources on the network. You cannot use a DNS server instead.

Note

File access is not supported in an Active Native Directory environment when used with Dynamic DNS. It is supported if used with a WINS server. Enable file server entryPlaces the file server entry box on the portal page. File server access must be enabled. With this box checked, users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Again, shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

Enable file server browsingLets users browse the Windows network for domains/workgroups, servers and shares. File server access must be enabled. With this box checked, users can select domains and workgroups, and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.

Enable auto applet downloadLets users automatically download and start the port forwarding java applet upon WebVPN login. Disabled by default, you can enable this feature only if port forwarding, Outlook/Exchange proxy, or HTTP proxy is also enabled. You can also enable auto applet download in the default group policy (DfltGrpPolicy) or in user-defined group policies.

ASDM User Guide OL-10106-01

28-33

Chapter 28 ACL Manager

General

Enable port forwardingWebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.

Note

Port Forwarding does not work with some SSL/TLS versions. With this box checked users can access client/server applications by mapping TCP ports on the local and remote systems.

Caution

Make sure Sun Microsystems Java Runtime Environment (JRE) 1.5.x is installed on the remote computers to support port forwarding (application access) and digital certificates. If JRE 1.4.x is running and the user authenticates with a digital certificate, the application fails to start because JRE cannot access the web browser's certificate store.

Enable Outlook/Exchange proxyEnables the use of the Outlook/Exchange e-mail proxy. Apply Web-type ACLApplies the WebVPN access control list defined for the users of this group. Enable HTTP ProxyEnables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browsers old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer. Enable Citrix MetaFrameEnables support for terminal services from a MetaFrame Application Server to the client. This attribute lets the security appliance act as a secure gateway within a secure Citrix configuration. These services provide users with access to MetaFrame applications through a standard Web browser.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Content Filtering Tab

ASDM User Guide

28-34

OL-10106-01

Chapter 28

General ACL Manager

The Add or Edit Group Policy window, WebVPN tab, Content Filtering tab, lets you configure the security appliance to block or remove the parts of websites that use Java or Active X, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.

Fields

InheritDetermines whether this group policy inherits its content filtering values from the default group policy. This option is the default setting. When this attribute is checked, the remaining attributes are dim, indicating that you cannot set them. Filter Java/ActiveXRemoves <applet>, <embed> and <object> tags from HTML. Filter scriptsRemoves <script> tags from HTML. Filter imagesRemoves <img> tags from HTML. Removing images dramatically speeds the delivery of web pages. Filter cookies from imagesRemoves cookies that are delivered with images. This may preserve user privacy, because advertisers use cookies to track visitors.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Group Policy > WebVPN Tab > Homepage Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Homepage Tab The Add or Edit Group Policy window, WebVPN tab, Homepage tab, lets you configure what, if any, home page to use and specify any customizations (such as color, logo, and so on) that you want to apply to it. It does not define the home page customization.
Fields

InheritIndicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for both the Webpage Customization and Custom Homepage attributes. Webpage CustomizationSpecifies whether to inherit the webpage customizations from the default group policy, to apply an existing customization (selected from a list), or to create a new customization. NewOpens the Add Customization Object dialog box, on which you can create and configure a new customization to apply to the GUI pages that the user sees. Custom HomepageSpecifies whether to inherit the home page from the default group policy, use an existing URL as the home page, or use no home page. Specify URLIndicates that the subsequent fields specify the protocol, either http or https, and the URL of the Web page to use as the home page, as follows:

ASDM User Guide OL-10106-01

28-35

Chapter 28 ACL Manager

General

ProtocolIndicates whether to use http or https as the connection protocol for the home page. :// fieldSpecifies the URL of the Web page to use as the home page.

Use noneSpecifies that no home page is configured.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Port Forwarding Tab The Add or Edit Group Policy window, WebVPN tab, Port Forwarding tab, lets you configure port forwarding parameters.
Fields

Inherit(Multiple instances) If checked, this option specifies that the default group policy sets the value of the associated attribute. This option is the default setting for both the Port Forwarding List and Applet Name attributes. Port Forwarding ListSpecifies whether to inherit the port forwarding list from the default group policy, select one from the list, or create a new port forwarding list. NewOpens the Add Port Forwarding List window, on which you can add a new port forwarding list. See the description of the Add Port Forwarding List window. Applet NameSpecifies whether to inherit the applet name or to use the name specified in the field. Specify this name to identify port forwarding to end users. The name you configure appears in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to port forwarding applications that you configure for these users. The default applet name is Application Access.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

28-36

OL-10106-01

Chapter 28

General ACL Manager

Add/Edit Port Forwarding List


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Port Forwarding Tab > New button > Add or Edit Port Forwarding List The Add Port Forwarding List dialog box lets you specify the name of a port forwarding list and displays a list of configured port forwarding entries.
Fields

List NameAssigns a name to the port forwarding list you want to add. Local TCP PortLists the local TCP port for each entry in the port forwarding list. Remote ServerLists the remote server for each entry in the port forwarding list. Remote TCP PortLists the remote TCP port for each entry in the port forwarding list. Description(Optional) Lists a description, up to 64 characters long, for each entry in the port forwarding list. AddOpens the Add Port Forwarding Entry dialog box, on which you can configure a new port forwarding entry. EditOpens the Edit Port Forwarding Entry dialog box, on which you can modify an existing port forwarding entry. DeleteRemoves a selected port forwarding entry from the port forwarding list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Port Forwarding Entry


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Port Forwarding Tab > New button > Add Port Forwarding List > Add or Edit The Add or Edit Port Forwarding Entry dialog box lets you specify the name of a port forwarding list and displays a list of configured port forwarding entries.
Fields

Local TCP PortSpecifies the local TCP port for this port forwarding list entry. Remote ServerSpecifies the remote server for this port forwarding list entry. Remote TCP PortSpecifies the remote TCP port for this port forwarding list entry. Description(Optional) Specifies a description, up to 64 characters, for this port forwarding list entry.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

28-37

Chapter 28 ACL Manager

General

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Group Policy > WebVPN Tab > Other Tab


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Other Tab The Add or Edit Group Policy window, WebVPN tab, Other tab, lets you configure servers and URL lists and the Web-type ACL ID.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. Servers and URL ListsSpecifies whether to inherit the list of Servers and URLs, to select an existing list, or to create a new list. NewDisplays a dialog box in which you can add a new server or URL to the list. Web-Type ACL IDSpecifies whether to inherit the web-type ACL ID, select the identifier of an existing Web-Type ACL to use, or add or modify a web-type ACL. ManageOpens the ACL Manager dialog box on which you can manage web-type ACLs. SSO ServerSpecifies whether to inherit the single-sign-on server setting, to select an existing SSO server from the list, or to add a new SSO server. NewOpens the Add SSO Server dialog box, on which you can configure a new server for the list. HTTP CompressionSpecifies whether to inherit the HTTP Compression setting from the default group, or explicitly to enable or disable HTTP compression. Keepalive IgnoreSpecifies whether to inherit the maximum transaction size from the default group or sets the upper limit of the HTTP/HTTPS traffic, per transaction, to ignore. The range is 0 through 900 KB. Deny MessageLets you inherit, specify, or remove the message to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges, as follows:
Check Inherit to inherit from the default group the message to be sent to remote users who log

in to WebVPN successfully, but have no VPN privileges.


Uncheck and erase the text in the field, to not send a message to remote users who log into

WebVPN successfully, but have no VPN privileges.


Uncheck, and create or modify the message (up to 490 characters long) in the field, to be sent

to remote users who log in to WebVPN successfully, but have no VPN privileges. The default message is as follows: Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

28-38

OL-10106-01

Chapter 28

General ACL Manager

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Server and URL List


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Other Tab > Add or Edit Server and URL List The Add or Edit Server and URL List dialog box lets you add, edit, delete, and order the items in the designated URL list.
Fields

List NameSpecifies the name of the list to be added or selects the name of the list to be modified or deleted. URL Display NameSpecifies the URL name displayed to the user. URLSpecifies the actual URL associated with the display name. AddOpens the Add Server or URL dialog box, on which you can configure a new server or URL and display name. EditOpens the Edit Server or URL dialog box, on which you can configure a new server or URL and display name. DeleteRemoves the selected item from the server and URL list. There is no confirmation or undo. Move Up/Move DownChanges the position of the selected item in the server and URL list.

Add/Edit Server or URL


Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > Other Tab > Add or Edit Server and URL The Add or Edit Server or URL dialog box lets you add or edit, delete, and order the items in the designated URL list.
Fields

URL Display NameSpecifies the URL name displayed to the user. URLSpecifies the actual URL associated with the display name.

Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab
Configuration > VPN > General > Group Policy > Add/Edit > Internal Group Policy > Web VPN Tab > SSL VPN Client Tab The Add or Edit Group Policy window, WebVPN tab, SSL VPN Client tab, lets you configure the security appliance to download SSL VPN clients (SVCs) to remote computer.

ASDM User Guide OL-10106-01

28-39

Chapter 28 ACL Manager

General

SVC is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance. To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation. After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates. The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly-encountered remote computer operating system.
Fields

Inherit(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab. Use SSL VPN ClientSpecifies whether to inherit the value of this attribute from the default group policy, or when to use the SSL VPN Client: always, optionally, or never. Keep Installer on Client SystemEnables (Yes) permanent SVC installation or disables (No) the automatic uninstalling feature of the SVC. The SVC remains installed on the remote computer for subsequent SVC connections, reducing the SVC connection time for the remote user. CompressionEnables or disables compression on the SVC connection. SVC compression increases the communications performance between the security appliance and the SVC by reducing the size of the packets being transferred.

Keepalive MessagesAdjusts the frequency of keepalive messages, in the range of 15 to 600 seconds. You can adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.

Key Renegotiation SettingsWhen the security appliance and the SVC perform a rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection.
Renegotiation IntervalSpecifies the number of minutes from the start of the session until the

rekey takes place, from 1 through 10080 (1 week).


Renegotiation MethodSpecifies whether and how SVC establishes a new tunnel during SVC

rekey. If you check none, SVC rekey is disabled. If you check SSL, SSL renegotiation takes place during SVC rekey. If you select New tunnel, SVC establishes a new tunnel during SVC rekey. We recommend that you configure SSL as the rekey method.

ASDM User Guide

28-40

OL-10106-01

Chapter 28

General ACL Manager

Dead Peer DetectionDead Peer Detection (DPD) ensures that the security appliance (gateway) or the SVC can quickly detect a condition where the peer is not responding, and the connection has failed.
Gateway Side DetectionEnables DPD performed by the security appliance (gateway) and

specifies the frequency, from 30 to 3600 seconds, with which the security appliance performs DPD. If you uncheck enable, DPD performed by the security appliance is disabled.
Client Side DetectionEnables DPD performed by the SVC (client), and specifies the

frequency, from 30 to 3600 seconds, with which the SVC performs DPD. If you uncheck enable, DPD performed by the SVC is disabled.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab
You can get to this panel through various paths. The Auto Signon window or tab lets you configure or edit auto signon for WebVPN users. Auto signon is a simplified single signon method that you can use if you do not already have an SSO method deployed on your internal network. With auto signon configured for particular internal servers, the security appliance passes the login credentials that the WebVPN user used to login to the security appliance (username and password) to those particular internal servers. You configure the security appliance to respond to a specific authentication method for a particular range of servers. The authentication methods you can configure the security appliance to respond to are NTLM authentication, HTTP Basic authentication, or both methods. Auto signon is a straight-forward method for configuring SSO for particular internal servers. This section describes the procedure for setting up SSO with auto signon. If you already have SSO deployed using Computer Associates SiteMinder SSO server and want to configure the security appliance to support this solution, see SSO Servers. If you use SSO with HTTP Forms protocol and want to configure the security appliance to support this method, see AAA Setup.
Fields

InheritClick to uncheck and allow WebVPN login credentials to be used to login to specific internal servers. IP AddressDisplay only. In conjunction with the following Mask, displays the IP address range of the servers to be authenticated to as configured with the Add/Edit Auto Signon dialog box. You can specify a server using either the server URI or the server IP address and mask. MaskDisplay only. In conjunction with the preceding IP Address, displays the IP address range of the servers configured to support auto signon with the Add/Edit Auto Signon dialog box.

ASDM User Guide OL-10106-01

28-41

Chapter 28 ACL Manager

General

URIDisplay only. Displays a URI mask that identifies the servers configured with the Add/Edit Auto Signon dialog box. Authentication TypeDisplay only. Displays the type of authenticationbasic HTTP, NTLM, or basic and NTLMas configured with the Add/Edit Auto Signon dialog box. Add/EditClick to add or edit an auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method. DeleteClick to delete an auto signon instruction selected in the Auto Signon table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ACLs
Configuration > VPN > Web VPN > ACLs This window lets you configure ACLs for WebVPN.
Fields

View (Unlabeled)Indicates whether the selected entry is expanded (minus sign) or contracted (plus sign). # columnSpecifies the ACE ID number. EnableIndicates whether this ACL is enabled or disabled. You can enable or disable the ACL using this check box. ActionSpecifies whether this ACL permits or denies access. TypeSpecifies whether this ACL applies to a URL or a TCP address/port. FilterSpecifies the type of filter being applied. Syslog Level (Interval)Specifies the syslog parameters for this ACL. Time RangeSpecifies the name of the time range, if any, for this ACL. The time range can be a single interval or a series of periodic ranges. DescriptionSpecifies the description, if any, of the ACL. Add ACLDisplays the Add Web Type ACL dialog box, in which you can specify an ACL ID. Add ACEDisplays the Add Web Type ACE dialog box, in which you specify parameters for the named ACL. This button is active only if there are one or more entries in the Web Type ACL table. Edit ACE/DeleteClick to edit or delete the highlighted ACL or ACE. When you delete an ACL, you also delete all of its ACEs. No warning or undelete. Move Up/Move DownHighlight an ACL or ACE and click these buttons to change the order of ACLs and ACEs. The security appliance checks WebVPN ACLs and their ACEs in priority order according to their position in the ACLs list box until it finds a match.

ASDM User Guide

28-42

OL-10106-01

Chapter 28

General Tunnel Group

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Tunnel Group
Configuration > VPN > General > Tunnel Group The parameters in the Tunnel Group window let you manage VPN tunnel groups. A VPN tunnel group represents a connection-specific record for IPSec and WebVPN connections. The IPSec group uses the IPSec tunnel-group parameters to create the tunnel. An IPSec tunnel group can be either remote-access or LAN-to-LAN. The IPSec group is configured on the internal server or on an external RADIUS server. For ASA 5505 in client mode or VPN 3002 hardware client parameters, which enable or disable interactive hardware client authentication and individual user authentication, the IPSec tunnel group parameters take precedence over parameters set for users and groups. The WebVPN tunnel-group parameters are the parameters of the WebVPN group that you want to apply to this tunnel group. You configure WebVPN access on the Configuration > WebVPN window.
Fields

Tunnel GroupShows the configured parameters for existing VPN tunnel groups. The Tunnel Group table contains the following columns:
NameSpecifies the name or IP address of the tunnel group. TypeIndicates the type of tunnel; for example, ipsec-l2l indicates an IPSec LAN-to-LAN

tunnel. The other possibilities are ipsec-ra (IPSec remote access) and webvpn.
Group PolicyIndicates the name of the group policy for this tunnel group.

AddOffers a menu letting you choose a tunnel type: IPSec for Remote Access, IPSec for LAN-to-LAN Access, or WebVPN Access, and opens a dialog box on which you can configure the new tunnel group. EditOpens a dialog box that lets you modify an existing tunnel group. DeleteRemoves the selected tunnel group from the list. Group DelimiterLets you select the delimiter character to use when parsing tunnel group names from the user names that the security appliance receives when tunnels are being negotiated. By default, no delimiter is specified, disabling group-name parsing.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

28-43

Chapter 28 Tunnel Group

General

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > General Tab > Basic Tab


You can get to this panel through various paths. The Add or Edit window, General tab, Basic tab lets you specify a name for the tunnel group that you are adding, lets you select the group policy, and lets you specify whether to strip the realm and/or group from the username before passing it on to the AAA server. You can also configure password management. On the Edit Tunnel Group window, the General tab displays the name and type of the selected tunnel group. All other functions are the same as for the Add Tunnel Group window.
Fields

NameSpecifies the name assigned to this tunnel group. For the Edit function, this field is display-only. TypeDisplays the type of tunnel group you are adding or editing. For Edit, this is a display-only field whose contents depend on your selection in the Add window. Group PolicyLists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy. Strip the realm (administrative domain) from the username before passing it on to the AAA serverEnables or disables stripping the realm from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.

Note

You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm]]<#or!>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter. A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.

Strip the group from the username before passing it on to the AAA serverEnables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append

ASDM User Guide

28-44

OL-10106-01

Chapter 28

General Tunnel Group

a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.

Password ManagementLets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.
Override account-disabled indication from AAA serverOverrides an account-disabled

indication from a AAA server.

Note

Allowing override account-disabled is a potential security risk.


Enable notification upon password expiration to allow user to change passwordChecking this

check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.
Enable notification prior to expirationWhen you check this option, the security appliance

notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured. Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.
Notify...days prior to expirationSpecifies the number of days before the current password

expires to notify the user of the pending expiration. The range is 1 through 180 days.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > General Tab > Authentication Tab


You can get to this panel through various paths. This tab is available for IPSec on Remote Access and LAN-to-LAN tunnel groups. The settings on this tab apply to the tunnel group globally across the security appliance. To set authentication server group settings per interface, click the Advanced tab. The Add or Edit Tunnel Group window > General tab > Authentication tab lets you configure the following attributes:

ASDM User Guide OL-10106-01

28-45

Chapter 28 Tunnel Group

General

Authentication Server GroupLists the available authentication server groups, including the LOCAL group (the default). You can also select None. Selecting something other than None or Local makes available the Use LOCAL if Server Group Fails check box. To set the authentication server group per interface, go to the Advanced tab. Use LOCAL if Server Group failsEnables or disables fallback to the LOCAL database if the group specified by the Authentication Server Group attribute fails. NAC Authentication Server GroupSpecifies the authentication server group to use for posture validation. This field is active only if you have configured NAC on the security appliance. You must have an ACS group consisting of at least one server configured to support NAC. The list displays the names of all server groups of type RADIUS configured on this security appliance that are available for remote access tunnels.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > General Tab > Authorization Tab


You can get to this panel through various paths. This tab is available for IPSec on Remote Access and LAN-to-LAN tunnel groups. The settings on this tab apply to the tunnel group globally across the security appliance. The Add or Edit Tunnel Group window > General tab > Authorization tab lets you configure the following attributes:

Authorization Server GroupLists the available authorization server groups, including the LOCAL group. You can also select None (the default). Selecting something other than None makes available the check box for Users must exist in authorization database to connect. Users must exist in the authorization database to connectTells the security appliance to allow only users in the authorization database to connect. By default this feature is disabled. You must have a configured authorization server to use this feature. Authorization SettingsLets you set values for usernames that the security appliance recognizes for authorization. This applies to users that authenticate with digital certificates and require LDAP or RADIUS authorization.
Use the entire DN as the usernameAllows the use of the entire Distinguished Name (DN) as

the username.
Specify individual DN fields as the usernameEnables the use of individual DN fields as the

username.
Primary DN FieldLists all of the DN field identifiers for your selection.

ASDM User Guide

28-46

OL-10106-01

Chapter 28

General Tunnel Group

DN Field Country (C) Common Name (CN) DN Qualifier (DNQ) E-mail Address (EA) Generational Qualifier (GENQ) Given Name (GN) Initials (I) Locality (L) Name (N) Organization (O) Organizational Unit (OU) Serial Number (SER) Surname (SN) State/Province (S/P) Title (T) User ID (UID)

Definition Two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations. Name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. Specific DN attribute. E-mail address of the person, system or entity that owns the certificate. Generational qualifier such as Jr., Sr., or III. First name of the certificate owner. First letters of each part of the certificate owners name. City or town where the organization is located. Name of the certificate owner. Name of the company, institution, agency, association, or other entity. Subgroup within the organization. Serial number of the certificate. Family name or last name of the certificate owner. State or province where the organization is located. Title of the certificate owner, such as Dr. Identification number of the certificate owner.

Secondary DN FieldLists all of the DN field identifiers (see the foregoing table) for your

selection and adds the option None for no selection.

Add/Edit Tunnel Group > General Tab > Accounting Tab


You can get to this panel through various paths. This tab is available for IPSec on Remote Access and LAN-to-LAN tunnel groups. The setting on this tab applies to the tunnel group globally across the security appliance. The Add or Edit Tunnel Group window > General tab > Accounting tab lets you configure the following attribute:

Accounting Server GroupLists the available accounting server groups. You can also select None (the default). LOCAL is not an option.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

28-47

Chapter 28 Tunnel Group

General

Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab
You can get to this panel through various paths. To specify whether to use DHCP or address pools for address assignment, go to Configuration > VPN > I P Address Management > Assignment. The Add or Edit Tunnel Group window > General tab > Client Address Assignment tab, lets you configure the following Client Address Assignment attributes:

DHCP ServersSpecifies a DHCP server to use. You can add up to 10 servers, one at a time.
IP AddressSpecifies the IP address of a DHCP server. AddAdds the specified DHCP server to the list for client address assignment. DeleteDeletes the specified DHCP server from the list for client address assignment. There

is no confirmation or undo.

Address PoolsLets you specify up to 6 address pools, using the following parameters:
Available PoolsLists the available, configured address pools you can choose. AddAdds the selected address pool to the list for client address assignment. RemoveMoves the selected address pool from the Assigned Pools list to the Available Pools

list.
Assigned PoolsLists the address pools selected for address assignment.

Note

To configure interface-specific address pools, go to the Advanced tab.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > General Tab > Advanced Tab


You can get to this panel through various paths. The Add or Edit Tunnel Group window, General tab, Advanced tab, lets you configure the following interface-specific attributes:

Interface-Specific Authentication Server GroupsLets you configure an interface and server group for authentication.
InterfaceLists available interfaces for selection. Server GroupLists authentication server groups available for this interface. Use LOCAL if server group failsEnables or disables fallback to the LOCAL database if the

server group fails.


AddAdds the association between the selected available interface and the authentication

server group to the assigned list.

ASDM User Guide

28-48

OL-10106-01

Chapter 28

General Tunnel Group

RemoveMoves the selected interface and authentication server group association from the

assigned list to the available list.


Interface/Server Group/Use FallbackShow the selections you have added to the assigned list.

Interface-Specific Client IP Address Pools-Lets you specify an interface and Client IP address pool. You can have up to 6 pools.
InterfaceLists the available interfaces to add. Address PoolLists address pools available to associate with this interface. AddAdds the association between the selected available interface and the client IP address

pool to the assigned list.


RemoveMoves the selected interface/address pool association from the assigned list to the

available list.
Interface/Address PoolShows the selections you have added to the assigned list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab On the Add or Edit Tunnel Group window for IPSec for Remote Access, the IPSec tab lets you configure or edit IPSec-specific tunnel group parameters.
Fields

Pre-shared KeyLets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters. Trustpoint NameSelects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. Authentication ModeSpecifies the authentication mode: none, xauth, or hybrid.
noneSpecifies no authentication mode. xauthSpecifies the use of IKE Extended Authentication mode, which provides the capability

of authenticating a user within IKE using TACACS+ or RADIUS.


hybridSpecifies the use of Hybrid mode, which lets you use digital certificates for security

appliance authentication and a different, legacy methodsuch as RADIUS, TACACS+ or SecurIDfor remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:
1.

The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

ASDM User Guide OL-10106-01

28-49

Chapter 28 Tunnel Group

General

2.

An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.

Note

Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key. IKE Peer ID ValidationSelects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. Enable sending certificate chainEnables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission. ISAKMP Keep AliveEnables and configures ISAKMP keep alive monitoring.
Disable Keep AlivesEnables or disables ISAKMP keep alives. Monitor Keep AlivesEnables or disables ISAKMP keep alive monitoring. Selecting this

option makes available the Confidence Interval and Retry Interval fields.
Confidence IntervalSpecifies the ISAKMP keep alive confidence interval. This is the number

of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.
Retry IntervalSpecifies number of seconds to wait between ISAKMP keep alive retries. The

default is 2 seconds.
Head end will never initiate keepalive monitoringSpecifies that the central-site security

appliance never initiates keepalive monitoring.

Interface-Specific Authentication ModeSpecifies the authentication mode on a per-interface basis.


InterfaceLets you select the interface name. The default interfaces are inside and outside, but

if you have configured a different interface name, that name also appears in the list.
Authentication ModeLets you select the authentication mode, none, xauth, or hybrid, as

above.
Interface/Authentication Mode tableShows the interface names and their associated

authentication modes that are selected.


AddAdds an interface/authentication mode pair selection to the Interface/Authentication

Modes table.
RemoveRemoves an interface/authentication mode pair selection from the

Interface/Authentication Modes table.

Client VPN Software Update TableLists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software.
Client TypeIdentifies the VPN client type. VPN Client RevisionsSpecifies the acceptable revision level of the VPN client.

ASDM User Guide

28-50

OL-10106-01

Chapter 28

General Tunnel Group

Image URLSpecifies the URL or IP address from which the correct VPN client software

image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > PPP Tab


Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > PPP Tab On the Add or Edit Tunnel Group window for a IPSec remote access tunnel group, the PPP tab lets you configure or edit the authentication protocols permitted of a PPP connection. This tab applies only to IPSec remote access tunnel groups.
Fields

CHAPEnables the use of the CHAP protocol for a PPP connection. MS-CHAP-V1Enables the use of the MS-CHAP-V1 protocol for a PPP connection. MS-CHAP-V2Enables the use of the MA-CHAP-V2 protocol for a PPP connection. PAPEnables the use of the PAP protocol for a PPP connection. EAP-PROXYEnables the use of the EAP-PROXY protocol for a PPP connection. EAP refers to the Extensible Authentication protocol.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab On the Add or Edit Tunnel Group window for LAN-to-LAN Remote Access, the General tab, Basic tab you can specify a name for the tunnel group that you are adding (Add function only) and select the group policy.

ASDM User Guide OL-10106-01

28-51

Chapter 28 Tunnel Group

General

On the Edit Tunnel Group window, the General tab displays the name and type of the tunnel group you are modifying.
Fields

NameSpecifies the name assigned to this tunnel group. For the Edit function, this field is display-only. Type(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window. Group PolicyLists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy. Strip the realm (administrative domain) from the username before passing it on to the AAA serverEnables or disables stripping the realm from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.

Note

You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm]]<#or!>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter. A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.

Strip the group from the username before passing it on to the AAA serverEnables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup. Password ManagementLets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.
Override account-disabled indication from AAA serverOverrides an account-disabled

indication from a AAA server.

Note

Allowing override account-disabled is a potential security risk.

ASDM User Guide

28-52

OL-10106-01

Chapter 28

General Tunnel Group

Enable notification upon password expiration to allow user to change passwordChecking this

check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.
Enable notification prior to expirationWhen you check this option, the security appliance

notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured. Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.
Notify...days prior to expirationSpecifies the number of days before the current password

expires to notify the user of the pending expiration. The range is 1 through 180 days.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab The Add or Edit Tunnel Group window for IPSec for LAN-to-LAN access, IPSec tab, lets you configure or edit IPSec LAN-to-LAN-specific tunnel group parameters.
Fields

NameSpecifies the name assigned to this tunnel group. For the Edit function, this field is display-only. Type(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window. Pre-shared KeyLets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters. Trustpoint NameSelects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. Authentication ModeSpecifies the authentication mode: none, xauth, or hybrid.
noneSpecifies no authentication mode. xauthSpecifies the use of IKE Extended Authentication mode, which provides the capability

of authenticating a user within IKE using TACACS+ or RADIUS.

ASDM User Guide OL-10106-01

28-53

Chapter 28 Tunnel Group

General

hybridSpecifies the use of Hybrid mode, which lets you use digital certificates for security

appliance authentication and a different, legacy methodsuch as RADIUS, TACACS+ or SecurIDfor remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:
1. 2.

The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.

Note

Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key. IKE Peer ID ValidationSelects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. Enable sending certificate chainEnables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission. ISAKMP Keep AliveEnables and configures ISAKMP keep alive monitoring.
Disable Keep AlivesEnables or disables ISAKMP keep alives. Monitor Keep AlivesEnables or disables ISAKMP keep alive monitoring. Selecting this

option makes available the Confidence Interval and Retry Interval fields.
Confidence IntervalSpecifies the ISAKMP keep alive confidence interval. This is the number

of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.
Retry IntervalSpecifies number of seconds to wait between ISAKMP keep alive retries. The

default is 2 seconds.
Head end will never initiate keepalive monitoringSpecifies that the central-site security

appliance never initiates keepalive monitoring.

Interface-Specific Authentication ModeSpecifies the authentication mode on a per-interface basis.


InterfaceLets you select the interface name. The default interfaces are inside and outside, but

if you have configured a different interface name, that name also appears in the list.
Authentication ModeLets you select the authentication mode, none, xauth, or hybrid, as

above.
Interface/Authentication Mode tableShows the interface names and their associated

authentication modes that are selected.


AddAdds an interface/authentication mode pair selection to the Interface/Authentication

Modes table.
RemoveRemoves an interface/authentication mode pair selection from the

Interface/Authentication Modes table.

Client VPN Software Update TableLists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses

ASDM User Guide

28-54

OL-10106-01

Chapter 28

General Tunnel Group

this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software.
Client TypeIdentifies the VPN client type. VPN Client RevisionsSpecifies the acceptable revision level of the VPN client. Image URLSpecifies the URL or IP address from which the correct VPN client software

image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab
Configuration > VPN > General > Tunnel Group > Add/Edit> WebVPN Access > General Tab > Basic Tab The Add or Edit pane, General tab, Basic tab lets you specify a name for the tunnel group that you are adding, lets you select the group policy, and lets you configure password management. On the Edit Tunnel Group window, the General tab displays the name and type of the selected tunnel group. All other functions are the same as for the Add Tunnel Group window.
Fields

NameSpecifies the name assigned to this tunnel group. For the Edit function, this field is display-only. TypeDisplays the type of tunnel group you are adding or editing. For Edit, this is a display-only field whose contents depend on your selection in the Add window. Group PolicyLists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy. Strip the realm Not available for WebVPN. Strip the group Not available or WebVPN. Password ManagementLets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.
Override account-disabled indication from AAA serverOverrides an account-disabled

indication from a AAA server.

Note

Allowing override account-disabled is a potential security risk.

ASDM User Guide OL-10106-01

28-55

Chapter 28 Tunnel Group

General

Enable notification upon password expiration to allow user to change passwordChecking this

check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.
Enable notification prior to expirationWhen you check this option, the security appliance

notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured. Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.
Notify...days prior to expirationSpecifies the number of days before the current password

expires to notify the user of the pending expiration. The range is 1 through 180 days.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > WebVPN Tab > Basic Tab


Configuration > VPN > General > Tunnel Group > Add/Edit> WebVPN Access > WebVPN Tab > Basic Tab The attributes on the Add/Edit Tunnel Group General Tab tabs for WebVPN are the same as those for Add/Edit Tunnel Group General Tab tabs for IPSec Remote Access. The following description applies to the fields appearing on the WebVPN Tab tabs.
Fields

The Basic tab lets you configure the following WebVPN attributes:

AuthenticationSpecifies the type of authentication to perform: AAA, Certificate, or Both. The default value is AAA. DNS GroupSpecifies the DNS server to use for a WebVPN tunnel-group. The default value is DefaultDNS. CSD Failure group policyThis attribute is valid only for security appliances with Cisco Secure Desktop installed. The security appliance uses this attribute to limit access rights to remote CSD clients if you use Cisco Secure Desktop Manager to set the VPN feature policy to one of the following options:
Use Failure Group-Policy. Use Success Group-Policy, if criteria match, and the criteria fail to match.

ASDM User Guide

28-56

OL-10106-01

Chapter 28

General Tunnel Group

This attribute specifies the name of the failure group policy to be applied. Choose a group policy to differentiate access rights from those associated with the default group policy. The default value is DfltGrpPolicy.

Note

The security appliance does not use this attribute if you set the VPN feature policy to Always use Success Group-Policy.

For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administration Guide The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab The table on this tab shows the attributes of the already-configured NetBIOS servers. The Add or Edit Tunnel Group window for WebVPN Access, NetBIOS tab, lets you configure the NetBIOS attributes for the tunnel group. WebVPN uses NetBIOS and the Common Internet File System protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network. The security appliance queries NetBIOS name servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems. To make the NBNS function operational, you must configure at least one NetBIOS server (host). You can configure up to 3 NBNS servers for redundancy. The security appliance uses the first server on the list for NetBIOS/CIFS name resolution. If the query fails, it uses the next server.
Fields

IP AddressDisplays the IP addresses of configured NetBIOS servers. Master BrowserShows whether a server is a WINS server or one that can also be a CIFS server (that is, a master browser). Timeout (seconds)Displays the initial time in seconds that the server waits for a response to an NBNS query before sending the query to the next server. RetriesShows the number of times to retry sending an NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10. Add/EditClick to add a NetBIOS server. This opens the Add or Edit NetBIOS Server dialog box. DeleteRemoves the highlighted NetBIOS row from the list.

ASDM User Guide OL-10106-01

28-57

Chapter 28 Tunnel Group

General

Move Up/Move DownThe security appliance sends NBNS queries to the NetBIOS servers in the order in which they appear in this box. Use this box to change the priority order of the servers by moving them up or down in the list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server This dialog box lets you create a new entry for the NetBIOS servers table or modify an existing entry.
Fields

IP AddressSpecifies the IP address for the NetBIOS server. Master browserDesignates the current NetBIOS server as a master browser, rather than a WINS server. TimeoutSpecifies the initial time in seconds the server waits for a response to an NBNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers. RetriesSpecifies the number of times to retry sending a NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab

ASDM User Guide

28-58

OL-10106-01

Chapter 28

General Tunnel Group

The Add or Edit Tunnel Group window for WebVPN Remote Access, Group Aliases and URLs tab, lets you specify alternative names for the group (group aliases) and specify incoming URLs for the group. Specifying the group alias creates one or more alternate names by which the user can refer to a tunnel-group. The group alias that you specify here appears in the drop-down list on the login page. Each group can have multiple aliases or no alias. If you want the actual name of the tunnel group to appear on this list, specify it as an alias. This feature is useful when the same group is known by several common names, such as Devtest and QA. Specifying a group URL eliminates the need for the user to select a group at login. When a user logs in, the security appliance looks for the users incoming URL in the tunnel-group-policy table. If it finds the URL and if this feature is enabled, then the security appliance automatically selects the appropriate server and presents the user with only the username and password fields in the login window. If the URL is disabled, then the dropdown list of groups is also displayed, and the user must make the selection. You can configure multiple URLs (or no URLs) for a group. Each URL can be enabled or disabled individually. You must use a separate specification for each URL specified. You must specify the entire URL, which can use either the http or https protocol. You cannot associate the same URL with multiple groups. The security appliance verifies the uniqueness of the URL before accepting it for a tunnel group.
Fields

Group AliasesContains the following entries:


AliasSpecifies an alternative name for the tunnel group. Add/RemoveAdds or removes a selected group alias from the list. EnableEnables the selected alias, so it appears on the dropdown list at logon. This check box

is checked by default.

Note

You cannot change the status of a disabled alias in the Alias/Status table merely by checking Enable and clicking OK, then Apply. You must first remove the disabled alias, then re-add it with the Enable check box checked.

Alias/Status Shows whether each selected alias is enabled or disabled.

Group URLsContains the following entries:


URL (http or https)Specifies a URL to add to the list; for example, http://www.cisco.com.

You must include the http:// or https:// protocol in the URL.


Add/RemoveAdds or removes a selected group URL from the list. EnableEnables the selected URL. The default is enabled.

Note

You cannot change the status of a disabled URL in the URL/Status table merely by checking Enable and clicking OK, then Apply. You must first remove the disabled URL, then re-add it with the Enable check box checked.

URL/StatusShows whether each selected URL is enabled or disabled.

ASDM User Guide OL-10106-01

28-59

Chapter 28 Tunnel Group

General

Example

You can set up different login screens for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that refers to that customization profile, as the following example shows. This example displays the company logo instead of the default Cisco logo when the user logs in using WebVPN:
Step 1

Define a WebVPN customization named salesgui and change the default logo to mycompanylogo.gif. You must have previously loaded mycompanylogo.gif onto the flash memory of the security appliance and saved the configuration. Set up a username and associate it with the WebVPN customization youve just defined. Create a WebVPN tunnel-group named sales. Specify that you want to use the salesgui customization for this tunnel group. Set the group URL to the address that the user enters into the browser to log in to the security appliance; for example, if the security appliance has the IP address 192.168.3.3, set the group URL to https://192.168.3.3. The security appliance maps this URL to the sales tunnel group and applies the salesgui customization profile to the login screen that the user sees.

Step 2 Step 3 Step 4 Step 5

Step 6

Save the configuration to memory.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab
Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab Use this tab to select a customized look and feel for the WebVPN end-user logon web page.
Fields

Webpage CustomizationSelects a previously defined web-page customization. NewOpens a dialog box in which you can configure a new web-page customization.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

28-60

OL-10106-01

Chapter 28

General VPN System Options

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

WebVPN End User Set-up

VPN System Options


Configuration > VPN > General > VPN System Options The VPN System Options window lets you configure features specific to VPN sessions on the security appliance.
Fields

Enable inbound IPSec sessions to bypass interface access-lists. Group policy and per-user authorization access lists still apply to the traffic.Enables or disables this feature. Be aware that the inbound sessions bypass only the interface ACLs. Configured group-policy, user, and downloaded ACLs still apply. Limit the maximum number of active IPSec VPN sessionsEnables or disables limiting the maximum number of active IPSec VPN sessions. The range depends on the hardware platform and the software license. Maximum Active IPSec VPN SessionsSpecifies the maximum number of active IPSec VPN sessions allowed. This field is active only when you select the preceding check box to limit the maximum number of active IPSec VPN sessions. L2TP Tunnel Keep-alive TimeoutSpecifies the frequency, in seconds, of keepalive messages. The range is 10 through 300 seconds. The default is 60 seconds. Compression SettingsSpecifies the features for which you want to enable compression: WebVPN, and SSL VPN Client. Compression is enabled by default.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Zone Labs Integrity Server


Configuration > VPN > General > Zone Labs Integrity Server

ASDM User Guide OL-10106-01

28-61

Chapter 28 Zone Labs Integrity Server

General

The Zone Labs Integrity Server panel lets you configure the security appliance to support a Zone Labs Integrity Server. This server is part of the Integrity System, a system designed to enforce security policies on remote clients entering the private network. In essence, the security appliance acts as a proxy for the client PC to the Firewall Server and relays all necessary Integrity information between the Integrity client and the Integrity server.

Note

The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.
Fields

Server IP addressType the IP address of the Integrity Server. Use dotted decimal notation. AddAdds a new server IP address to the list of Integrity Servers. This button is active when an address is entered in the Server IP address field. DeleteDeletes the selected server from the list of Integrity Servers. Move UpMoves the selected server up in the list of Integrity Servers. This button is available only when there is more than one server in the list. Move DownMoves the selected server down in the list of Integrity Servers. This button is available only when there is more than one server in the list. Server PortType the security appliance port number on which it listens to the active Integrity server. This field is available only if there is at least one server in the list of Integrity Servers. The default port number is 5054, and it can range from 10 to 10000. This field is only available when there is a server in the Integrity Server list. InterfaceChoose the interface security appliance interface on which it communicates with the active Integrity Server. This interface name menu is only available when there is a server in the Integrity Server list. Fail TimeoutType the number of seconds that the security appliance should wait before it declares the active Integrity Server to be unreachable. The default is 10 and the range is from 5 to 20. Enable SSL AuthenticationCheck to enable authentication of the remote client SSL certificate by the security appliance. By default, client SSL authentication is disabled. Close connection on timeoutCheck to close the connection between the security appliance and the Integrity Server on a timeout. By default, the connection remains open. ApplyClick to apply the Integrity Server setting to the security appliance running configuration. ResetClick to remove Integrity Server configuration changes that have not yet been applied.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

28-62

OL-10106-01

Chapter 28

General Easy VPN Remote

Easy VPN Remote


Configuration > VPN > Easy VPN Remote Easy VPN Remote lets the ASA 5505 act as an Easy VPN client device. The ASA 5505 can then initiate a VPN tunnel to an Easy VPN server, which can be a security appliance, a Cisco VPN 3000 Concentrator, an IOS-based router, or a firewall acting as an Easy VPN server. The Easy VPN client supports one of two modes of operation: Client Mode or Network Extension Mode (NEM). The mode of operation determines whether the Easy VPN Client inside hosts are accessible from the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode. Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN Client private network from those on the enterprise network. The Easy VPN Client performs Port Address Translation (PAT) for all VPN traffic for its inside hosts. IP address management is neither required for the Easy VPN Client inside interface or the inside hosts. NEM makes the inside interface and all inside hosts routable across the enterprise network over the tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet (statically or via DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration for each client. The Cisco ASA 5505 configured for NEM mode supports automatic tunnel initiation. The configuration must store the group name, user name, and password. Automatic tunnel initiation is disabled if secure unit authentication is enabled. The network and addresses on the private side of the Easy VPN Client are hidden, and cannot be accessed directly.
Fields

Enable Easy VPN RemoteEnables the Easy VPN Remote feature and makes available the rest of the fields on this window for configuration. ModeSelects either Client mode or Network extension mode.
Client modeUses Port Address Translation (PAT) mode to isolate the addresses of the inside

hosts, relative to the client, from the enterprise network.


Network extension modeMakes those addresses accessible from the enterprise network.

Note

If the Easy VPN client is using NEM and has connections to secondary servers, establish an ASDM connection to each headend and check Enable Reverse Route Injection on the Configuration > VPN > IPSec > IPSec Rules > Tunnel Policy (Crypto Map) - Advanced tab to configure dynamic announcements of the remote network using RRI.

Auto connectConfigures the Easy VPN Remote connection to automatically initiate IPSec

data tunnels when split tunneling is configured. IPSec data tunnels are automatically initiated and sustained when in network extension mode, except when split-tunneling is configured.

Group SettingsSpecifies whether to use a pre-shared key or an X.509 certificate for user authentication.
Pre-shared keyEnables the use of a pre-shared key for authentication and makes available the

subsequent Group Name, Group Password, and Confirm Password fields for specifying the group policy name and password containing that key.
Group NameSpecifies the name of the group policy to use for authentication. Group PasswordSpecifies the password to use with the specified group policy.

ASDM User Guide OL-10106-01

28-63

Chapter 28 Advanced Easy VPN Properties

General

Confirm PasswordRequires you to confirm the group password just entered. X.509 CertificateSpecifies the use of an X.509 digital certificate, supplied by a Certificate

Authority, for authentication.


Select TrustpointLets you select a trustpoint, which can be an IP address or a hostname, from

the drop-down list. To define a trustpoint, click the link to Trustpoint(s) configuration at the bottom of this area.
Send certificate chainEnables sending a certificate chain, not just the certificate itself. This

action includes the root certificate and any subordinate CA certificates in the transmission.

User SettingsConfigures user login information.


User NameConfigures the VPN username for the Easy VPN Remote connection. Xauth

provides the capability of authenticating a user within IKE using TACACS+ or RADIUS. Xauth authenticates a user (in this case, the Easy VPN hardware client) using RADIUS or any of the other supported user authentication protocols. The Xauth username and password parameters are used when secure unit authentication is disabled and the server requests Xauth credentials. If secure unit authentication is enabled, these parameters are ignored, and the security appliance prompts the user for a username and password.
User PasswordConfigures the VPN user password for the Easy VPN Remote connection. Confirm PasswordRequires you to confirm the user password just entered.

Easy VPN Server To Be AddedAdds or removes an Easy VPN server. Any ASA or VPN 3000 Concentrator Series can act as a Easy VPN server. A server must be configured before a connection can be established. The security appliance supports IPv4 addresses, the names database, or DNS names and resolves addresses in that order. The first server in the Easy VPN Server(s) list is the primary server. You can specify a maximum of ten backup servers in addition to the primary server.
Name or IP AddressThe name or IP address of an Easy VPN server to add to the list. AddMoves the specified server to the Easy VPN Server(s) list. RemoveMoves the selected server from the Easy VPN Server(s) list to the Name or IP

Address file. Once you do this, however, you cannot re-add the same address unless you re-enter the address in the Name or IP Address field.
Easy VPN Server(s)Lists the configured Easy VPN servers in priority order. Move Up/Move DownChanges the position of a server in the Easy VPN Server(s) list. These

buttons are available only when there is more than one server in the list.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Advanced Easy VPN Properties


Configuration > VPN > Easy VPN Remote > Advanced

ASDM User Guide

28-64

OL-10106-01

Chapter 28

General Advanced Easy VPN Properties

Device Pass-Through

Certain devices like Cisco IP phones, printers, and the like are incapable of performing authentication, and therefore of participating in individual unit authentication. To accommodate these devices, the device pass-through feature, enabled by the MAC Exemption attributes, exempts devices with the specified MAC addresses from authentication when Individual User Authentication is enabled. The first 24 bits of the MAC address indicate the manufacturer of the piece of equipment. The last 24 bits are the units serial number in hexadecimal format.
Tunneled Management

When operating an ASA model 5505 device behind a NAT device, use the Tunneled Management attributes to specify how to configure device management in the clear or through the tunneland specify the network or networks allowed to manage the Easy VPN Remote connection through the tunnel. The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device. When operating a Cisco ASA 5505 behind a NAT device, use the vpnclient management command to specify how to configure device management with additional encryption or without itand specify the hosts or networks to be granted administrative access. The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.
Fields

MAC ExemptionConfigures a set of MAC addresses and masks used for device pass-through for the Easy VPN Remote connection
MAC AddressExempts the device with the specified MAC address from authentication. The

format for specifying the MAC address this field uses three hex digits, separated by periods; for example, 45ab.ff36.9999.
MAC MaskThe format for specifying the MAC mask in this field uses three hex digits,

separated by periods; for example, the MAC mask ffff.ffff.ffff matches just the specified MAC address. A MAC mask of all zeroes matches no MAC address, and a MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer.
AddAdds the specified MAC address and mask pair to the MAC Address/Mask list. RemoveMoves the selected MAC address and mask pair from the MAC Address/MAC list to

the individual MAC Address and MAC Mask fields.

Tunneled ManagementConfigures IPSec encryption for device management and specifies the network or networks allowed to manage the Easy VPN hardware client connection through the tunnel. Selecting Clear Tunneled Management merely removes that IPSec encryption level and does not affect any other encryption, such as SSH or https, that exists on the connection.
Enable Tunneled ManagementAdds a layer of IPSec encryption to the SSH or HTTPS

encryption already present in the management tunnel.


Clear Tunneled ManagementUses the encryption already present in the management tunnel,

without additional encryption.


IP Address Specifies the IP address of the host or network to which you want to grant

administrative access to the Easy VPN hardware client through the VPN tunnel. You can individually add one or more IP addresses and their respective network masks.
MaskSpecifies the network mask for the corresponding IP address. AddMoves the specified IP address and mask to the IP Address/Mask list. RemoveMoves the selected IP address and mask pair from the IP Address/Mask list to the

individual IP Address and Mask fields in this area.

ASDM User Guide OL-10106-01

28-65

Chapter 28 Advanced Easy VPN Properties

General

IP Address/MaskLists the configured IP address and mask pairs to be operated on by the

Enable or Clear functions in this area.

IPSec Over TCPConfigure the Easy VPN Remote connection to use TCP-encapsulated IPSec.
EnableEnables IPSec over TCP.

Note

Choose Configuration > VPN > IPSec > Pre-Fragmentation, double-click the outside interface, and set the DF Bit Setting Policy to Clear if you configure the Easy VPN Remote connection to use TCP-encapsulated IPSec. The Clear setting lets the security appliance send large packets.

Enter Port NumberSpecifies the port number to use for the IPSec over TCP connection.

Server CertificateConfigures the Easy VPN Remote connection to accept only connections to Easy VPN servers with the specific certificates specified by the certificate map. Use this parameter to enable Easy VPN server certificate filtering. To define a certificate map, go to Configuration > VPN > IKE > Certificate Group Matching > Rules.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

28-66

OL-10106-01

C H A P T E R

29

WebVPN
WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and both web-enabled and legacy applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. The network administrator provides access to WebVPN resources on a user or group basis. Users have no direct access to resources on the internal network. WebVPN works on the platform in single, routed mode. For information on configuring WebVPN for end users, see WebVPN End User Set-up.

WebVPN Security Precautions


WebVPN connections on the security appliance are very different from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers, and precautions to reduce security risks. In a WebVPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The current implementation of WebVPN does not permit communication with sites that present expired certificates. Nor does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web server presents before communicating with it. To minimize the risks involved with SSL certificates:

Configure a group policy for all users who need WebVPN access and enable the WebVPN feature only for that group policy. Limit Internet access for WebVPN users. One way to do this is to clear the Enable URL entry check box on the Configuration > VPN > General > Group Policy > WebVPN panel. Then configure links to specific targets within the private network (Configuration > VPN > WebVPN > Servers and URLs).

ASDM User Guide OL-10106-01

29-1

Chapter 29 WebVPN Security Precautions

WebVPN

Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a WebVPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.

ACLs
Configuration > VPN > WebVPN > ACLs You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

If you do not define any filters, all connections are permitted. The security appliance supports only an inbound ACL on an interface. At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the security appliance denies it. ACEs are referred to as rules in this topic.

This pane lets you add and edit WebVPN ACLs and the ACL entries that each ACL contains. It also displays summary information about ACLS and ACEs, and lets you enable or disable them, and change their priority order.
Fields

Add ACLClick to add an ACL or ACE. To insert a new ACE before or after an existing ACE, click Insert or Insert After. EditClick to edit the highlighted ACE. When you delete an ACL, you also delete all of its ACEs. No warning or undelete. DeleteClick to delete the highlighted ACL or ACE. When you delete an ACL, you also delete all of its ACEs. No warning or undelete. Move UP/Move DownHighlight an ACL or ACE and click these buttons to change the order of ACLs and ACEs. The security appliance checks WebVPN ACLs and their ACEs in priority order according to their position in the ACLs list box until it finds a match. +/-Click to expand (+) or collapse (-) to view or hide the list of ACEs under each ACL. NoDisplays the priority of the ACEs under each ACL. The order in the list determines priority. EnabledShows whether the ACE is enabled. When you create an ACE, by default it is enabled. Clear the check box to disable an ACE. AddressDisplays the IP address or URL of the application or service to which the ACE applies. ServiceDisplays the TCP service to which the ACE applies. ActionDisplays whether the ACE permits or denies WebVPN access. TimeDisplays the time range associated with the ACE. Logging (Interval)Displays the configured logging behavior, either disabled or with a specified level and time interval.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

29-2

OL-10106-01

Chapter 29

WebVPN WebVPN Security Precautions

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add ACL
This pane lets you create a new ACL.
Fields

ACL NameEnter a name for the ACL. Maximum 55 characters.

Add/Edit ACE
Configuration > VPN > WebVPN > ACLs > Add/Edit ACLs An Access Control Entry permits or denies access to specific URLs and services. You can configure multiple ACEs for an ACL. ACLs apply ACEs in priority order, acting on the first match.
Fields

ActionPermits or denies access to the specific networks, subnets, hosts, and web servers specified in the Filter group box. FilterSpecifies a URL or an IP address to which you want to apply the filter (permit or deny user access).
URLApplies the filter to the specified URL. Protocols (unlabeled)Specifies the protocol part of the URL address. ://xSpecifies the URL of the Web page to which to apply the filter. TCPApplies the filter to the specified IP address, subnet, and port. IP AddressSpecifies the IP address to which to apply the filter. NetmaskLists the standard subnet mask to apply to the address in the IP Address box. ServiceIdentifies the service (such as https, kerberos, or any) to be matched. Displays a list

of services from which you can select the service to display in the Service box.
Boolean operator (unlabeled)Lists the boolean conditions (equal, not equal, greater than, less

than, or range) to use in matching the service specified in the service box.

Rule Flow DiagramGraphically depicts the traffic flow using this filter. This area might be hidden. OptionsSpecifies the logging rules. The default is Default Syslog.
LoggingChoose enable if you want to enable a specific logging level. Syslog LevelGrayed out until you select Enable for the Logging attribute. Lets you select the

type of syslog messages you want the security appliance to display.


Log IntervalLets you select the number of seconds between log messages. Time RangeLets you select the name of a predefined time-range parameter set.

ASDM User Guide OL-10106-01

29-3

Chapter 29 APCF

WebVPN

...Click to browse the configured time ranges or to add a new one.

Examples

Here are examples of WebVPN ACLs: Action Deny Deny Deny Permit Deny Deny Permit Filter url http://*.yahoo.com/ url cifs://fileserver/share/directory url https://www.company.com/ directory/file.html url https://www.company.com/directory url http://*:8080/ url http://10.10.10.10 url any Effect Denies access to all of Yahoo! Denies access to all files in the specified location. Denies access to the specified file. Permits access to the specified location Denies HTTPS access to anywhere via port 8080. Denies HTTP access to 10.10.10.10. Permits access to any URL. Usually used after an ACL that denies url access.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

APCF
Configuration > VPN > WebVPN > APCF WebVPN includes an Application Profile Customization Framework option that lets the security appliance handle non-standard applications and web resources so they display correctly over a WebVPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application. The script is in XML and uses sed (stream editor) syntax to transform strings/text. You can configure multiple APCF profiles on a security appliance to run in parallel. Within an APCF profile script, multiple APCF rules can apply. In this case, the security appliance processes the oldest rule first, based on configuration history, the next oldest rule next, and so forth. You can store APCF profiles on the security appliance flash memory, or on an HTTP, HTTPS, FTP, or TFTP server. Use this panel to add, edit, and delete APCF packages, and to put them in priority order.
Fields

APCF File LocationDisplays information about the location of the APCF package. This can be on the security appliance flash memory, or on an HTTP, HTTPS, FTP, or TFTP server. Add/EditClick to add or edit a new or existing APCF profile.

ASDM User Guide

29-4

OL-10106-01

Chapter 29

WebVPN APCF

DeleteClick to remove an existing APCF profile. There is no confirmation or undo. Move Up/Move DownClick to rearrange APCF profiles within a list. This determines the order in which the security appliance attempts to use APCF profiles.

Add/Edit APCF Profile


Configuration > VPN > WebVPN > APCF > Add/Edit APCF Profile This panel lets you add or edit and APCF package, which includes identifying its location, which can be either on the security appliance flash memory, or on an HTTP, HTTPS, or TFTP server.
Fields

Flash fileCheck to locate an APCF file stored on the security appliance flash memory. PathDisplays the path to an APCF file stored on flash memory after you browse to locate it. You can also manually enter the path in this field. Browse FlashClick to browse flash memory to locate the APCF file. A Browse Flash Dialog panel displays. Use the Folders and Files columns to locate the APCF file. Highlight the APCF file and click OK. The path to the file then displays in the Path field.

Note

If you do not see the name of an APCF file that you recently downloaded, click the Refresh button. Upload Click to upload an APCF file from a local computer to the security appliance flash file system. The Upload APCF package pane displays. URLCheck to use an APCF file stored on an HTTP, HTTPS or TFTP server. http/https/tftp (unlabeled)Identify the server type. URL (unlabeled)Enter the path to the HTTP, HTTPS, or TFTP server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Upload APCF package


Configuration > VPN > WebVPN > APCF > Upload APCF Package
Fields

Local File PathShows the path to the APCF file on your computer. Click Browse Local to automatically insert the path in this field, or enter the path.

ASDM User Guide OL-10106-01

29-5

Chapter 29 Auto Signon

WebVPN

Browse LocalClick to locate and choose the APCF file on your computer that you want to transfer. The Select File Path dialog box displays the contents of the folder you last accessed on your local computer. Navigate to the APCF file, select it, and click Open. ASDM inserts the file path into the Local File Path field. Flash File System PathDisplays the path on the security appliance to upload the APCF file. Browse FlashClick to identify the location on the security appliance to which you want to upload the APCF file. The Browse Flash dialog box displays the contents of flash memory. File NameLocated in the Browse Flash dialog box that opens when you click Browse Flash, this field displays the name of the APCF file you selected on your local computer. We recommend that you use this name to prevent confusion. Confirm that this file displays the correct filename, and click OK. The Browse Flash dialog box closes. ASDM inserts the destination file path in the Flash File System Path field. Upload FileClick when you have identified the location of the APCF file on your computer, and the location where you want to download it to the security appliance. A Status window appears and remains open for the duration of the file transfer. Following the transfer, an Information window displays the message, File is uploaded to flash successfully. Click OK. The Upload Image dialog window removes the contents of the Local File Path and Flash File System Path fields, indicating you can upload another file. To do so, repeat these instructions. Otherwise, click the Close button. CloseCloses the Upload Image dialog window. Click this button after you upload the APCF file to flash memory or if you decide not to upload it. If you do upload it, the filename appears in the APCF File Location field of the APCF window. If you do not upload it, a Close Message dialog box prompts, Are you sure you want to close the dialog without uploading the file? Click OK if you do not want to upload the file. The Close Message and Upload Image dialog boxes close, revealing the APCF Add/Edit pane. Otherwise, click Cancel in the Close Message dialog box. The dialog box closes, revealing the Upload Image dialog box again, with the values in the fields intact. Click Upload File.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Auto Signon
Configuration > VPN > WebVPN > Auto Signon The Auto Signon window or tab lets you configure or edit auto signon for WebVPN users. Auto signon is a simplified single signon method that you can use if you do not already have an SSO method deployed on your internal network. With auto signon configured for particular internal servers, the security appliance passes the login credentials that the WebVPN user used to login to the security appliance (username and password) to those particular internal servers. You configure the security appliance to

ASDM User Guide

29-6

OL-10106-01

Chapter 29

WebVPN Auto Signon

respond to a specific authentication method for a particular range of servers. The authentication methods you can configure the security appliance to respond to are NTLM authentication, HTTP Basic authentication, or both methods. Auto signon is a straight-forward method for configuring SSO for particular internal servers. This section describes the procedure for setting up SSO with auto signon. If you already have SSO deployed using Computer Associates SiteMinder SSO server and want to configure the security appliance to support this solution, see SSO Servers. If you use SSO with HTTP Forms protocol and want to configure the security appliance to support this method, see AAA Setup.
Fields

IP AddressDisplay only. In conjunction with the following Mask, displays the IP address range of the servers to be authenticated to as configured with the Add/Edit Auto Signon dialog box. You can specify a server using either the server URI or the server IP address and mask. MaskDisplay only. In conjunction with the preceding IP Address, displays the IP address range of the servers configured to support auto signon with the Add/Edit Auto Signon dialog box. URIDisplay only. Displays a URI mask that identifies the servers configured with the Add/Edit Auto Signon dialog box. Authentication TypeDisplay only. Displays the type of authenticationbasic HTTP, NTLM, or basic and NTLMas configured with the Add/Edit Auto Signon dialog box. Add/EditClick to add or edit an auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method. DeleteClick to delete an auto signon instruction selected in the Auto Signon table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Auto Signon Entry


You can get to this panel through various paths. The Add/Edit Auto Signon Entry dialog box lets you add or edit a new auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method.
Fields

IP BlockClick this button to specify a range of internal servers using an IP address and mask.
IP AddressEnter the IP address of the first server in the range for which you are configuring

auto-signon.
MaskIn the subnet mask menu, click the subnet mask that defines the server address range of

the servers supporting auto signon.

ASDM User Guide OL-10106-01

29-7

Chapter 29 CSD Setup

WebVPN

URIClick this button to specify a server supporting auto signon by URI, then enter the URI in the field next to this button. Authentication TypeThe authentication method assigned to the servers. For the specified range of servers, the security appliance can be configured to respond to HTTP Basic authentication requests, NTLM authentication requests, or requests using either method.
BasicClick this button to assign basic HTTP authentication. NTLMClick this button use NTLMv1 authentication. Basic and NTLMClick this button use either HTTP Basic or NTLMv1 authentication.

Note

If you configure one method for a range of servers (e.g., HTTP Basic) and one of those servers attempts to authenticate with a different method (e.g., NTLM), the security appliance does not pass the users login credentials to that server,
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

CSD Setup
Configuration > VPN > WebVPN > CSD Setup This window lets you view the version and state of the CSD distribution package, and install, upgrade, enable, and disable CSD.
Fields

CSD Setup

Secure Desktop ImageDisplays the CSD distribution package loaded into the running configuration. This field should display the filename in the format securedesktop_asa_<n>_<n>*.pkg. Use the Browse Flash button to insert or modify the value in this field. You can also use this field to view the version of CSD. (The Configuration CSD Secure Desktop Manager also displays the CSD version.) Enable Secure DesktopCheck and click Apply to do the following:
a. Make sure the file is a valid CSD distribution package. b. Create an sdesktop folder on disk0 if one is not already present. c. Insert a data.xml (CSD configuration) file into the sdesktop folder if one is not already present. d. Load the data.xml file into the running configuration.

Note

If you transfer or replace the data.xml file, disable and then enable CSD to load the file.

ASDM User Guide

29-8

OL-10106-01

Chapter 29

WebVPN CSD Setup

e. Enable CSD.

Browse FlashClick to view the contents of the flash device and choose or type the filename of the CSD distribution package to install into the running configuration. You can use this button to install, upgrade or downgrade CSD. Click Apply to save the CSD setup.

Note

If you click the Browse Flash button to upgrade or downgrade the CSD distribution package, select the package to install, and click OK, the Uninstall CSD dialog window asks you if you want to delete the CSD distribution currently in the running configuration from the flash device. Click Yes if you want to save space on the flash device, or click No to reserve the option to revert to this version of CSD. UploadLets you transfer a copy of a CSD distribution package from your local computer to the flash device. To prepare to install or upgrade CSD, use your Internet browser to download a securedesktop_asa_<n>_<n>*.pkg file from http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop to any location on your PC. Then use this button to transfer a copy from you local computer to the flash device. Finally, click Browse Flash to install it into the running configuration. UninstallLets you remove the CSD image and configuration file (sdesktop/data.xml) from the running configuration. If you click this button, the Uninstall CSD dialog window asks if you want to delete the CSD image that was named in the Secure Desktop Image field and all CSD data files (including the entire CSD configuration) from the flash device. Click Yes if you want to remove these files from both the running configuration and the flash device, or click No to remove them from the running configuration, but retain them on the flash device.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Upload Image
Configuration > VPN > WebVPN > CSD Setup > Upload This dialog window lets you transfer a copy of a CSD distribution package from your local computer to the flash device on the security appliance. Use this window to install or upgrade CSD.

Note

Before using this window, use your Internet browser to download a securedesktop_asa_<n>_<n>*.pkg file from http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop to any location on your local computer.
Fields

Use the fields and options in this window as follows:

ASDM User Guide OL-10106-01

29-9

Chapter 29 CSD Setup

WebVPN

Local File PathSpecifies the path to the securedesktop_asa_<n>_<n>*.pkg file on your local computer. Click Browse Local to automatically insert the path in this field, or enter the path. For example: D:\Documents and Settings\Windows_user_name.AMER\My Documents\My Downloads\securedesktop_asa_3_1_1_16.pkg

Browse LocalClick to select the path of the securedesktop_asa_<n>_<n>*.pkg file to be transferred. The Selected File Path dialog box displays the contents of the folder you last accessed on your local computer. Navigate to the securedesktop_asa_<n>_<n>*.pkg file, select it, and click Open. ASDM inserts the file path into the Local File Path field.

Flash File System PathSpecifies the destination path on the flash device of the security appliance and the name of the destination file. Click Browse Flash to automatically insert the path into this field, or enter the path. For example, disk0:/securedesktop_asa_3_1_1_16.pkg

Browse FlashClick to select the target directory for the file. The Browse Flash dialog box displays the contents of the flash card. File NameLocated in the Browse Flash dialog box that opens if you click Browse Flash, this field displays the name of the CSD distribution package you selected on your local computer. We recommend that you use this name to prevent confusion. Confirm that this field displays the same name of the local file you selected and click OK. The Browse Flash dialog box closes. ASDM inserts the destination file path into the Flash File System Path field. Upload FileUploads the securedesktop_asa_<n>_<n>*.pkg file from your local computer to the flash device. A Status window appears and remains open for the duration of the file transfer. Following the transfer, an Information window displays the message, File is uploaded to flash successfully. Click OK. The Upload Image dialog window removes the contents of the Local File Path and Flash File System Path fields, indicating you can upload another file. To do so, repeat these instructions. Otherwise, click the Close button. CloseCloses the Upload Image dialog window. Click this button after you upload the CSD distribution package to the flash device or if you decide not to upload it. If you uploaded it, the filename appears in the Secure Desktop Image field of the CSD Setup window. If you did not upload it, a Close Message dialog box prompts, Are you sure you want to close the dialog without uploading the file? Click OK if you do not want to upload the file. The Close Message and Upload Image dialog boxes close, revealing the CSD Setup pane. Otherwise, click Cancel in the Close Message dialog box. The dialog box closes, revealing the Upload Image dialog box again, with the values in the fields intact. Click Upload File.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

29-10

OL-10106-01

Chapter 29

WebVPN Cache

Cache
Configuration > VPN > WebVPN > Cache Caching enhances WebVPN performance. It stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between WebVPN and both the remote servers and end-user browsers, with the result that many applications run much more efficiently.
Fields

Enable cacheCheck to enable caching. ParametersLets you define the terms for caching.
Enable caching of compressed contentCheck to cache compressed content. When you disable

this parameter, the security appliance stores objects before it compresses them.
Maximum Object SizeEnter the maximum size in KB of a document that the security

appliance can cache. The security appliance measures the original content length of the object, not rewritten or compressed content. The range is 0 to 10,000 KB; the default is 1000 KB
Minimum Object SizeEnter the minimum size in KB of a document that the security

appliance can cache. The security appliance measures the original content length of the object, not rewritten or compressed content. The range is 0 to 10,000 KB; the default is 0 KB.

Note

The Maximum Object Size must be greater than the Minimum Object Size.
LM FactorEnter an integer between 1 and 100; the default is 20.

The LM factor sets the policy for caching objects which have only the last-modified timestamp. This revalidates objects that have no server-set change values. The security appliance estimates the length of time since the object has changed, also called the expiration time. The estimated expiration time equals the time elapsed since the last change multiplied by the LM factor. Setting the LM factor to 0 forces immediate revalidation, while setting it to 100 results in the longest allowable time until revalidation.
Expiration TimeEnter an integer between 0 and 900 to set the number of minutes to cache

objects without revalidating them. The default is one minute. The expiration time sets the amount of time to for the security appliance to cache objects that have neither a last-modified time stamp nor an explicit server-set expiry time.

Restore Cache DefaultClick to restore default values for all cache parameters.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

29-11

Chapter 29 Content Rewrite

WebVPN

Content Rewrite
Configuration > VPN > WebVPN > Content Rewrite The Content Rewrite panel lists all applications for which content rewrite is enabled or disabled. WebVPN processes application traffic through a content transformation/rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic which may have different semantics and access control rules depending on whether the user is using an application within or independently of an SSL VPN device. You might not want some applications and web resources, for example, public websites, to go through the security appliance. The security appliance therefore lets you create rewrite rules that let users browse certain sites and applications without going through the security appliance. This is similar to split-tunneling in an IPSec VPN connection. You can create multiple rewrite rules. The rule number is important because the security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.
Fields

Content Rewrite
Rule NumberDisplays an integer that indicates the position of the rule in the list. Rule NameProvides the name of the application for which the rule applies. Rewrite EnabledDisplays content rewrite as enabled or disabled. Resource MaskDisplays the resource mask.

Add/EditClick to add a rewrite entry or edit a selected rewrite entry. DeleteClick to delete a selected rewrite entry.

.Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Content Rewrite Rule


Configuration > VPN > WebVPN > Content Rewrite > Add/Edit Content Rewrite Rule

Enable content rewriteCheck to enable content rewrite for this rewrite rule. Rule Number(Optional) Enter a number for this rule. This number specifies the position of the rule in the list. Rules without a number are at the end of the list. The range is 1 to 65534. Rule Name(Optional) Provide an alphanumeric string that describes the rule, maximum 128 characters. Resource MaskEnter the resource mask. This is a word, length up to 300 characters.

ASDM User Guide

29-12

OL-10106-01

Chapter 29

WebVPN Java Trustpoint

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Java Trustpoint
Configuration > VPN > WebVPN > Java Trustpoint Java objects which have been transformed by WebVPN can subsequently be signed using a PKCS12 digital certificate associated with a trustpoint. In the Java Trustpoint pane, you can configure the WebVPN Java object signing facility to use a PKCS12 certificate and keying material from a specified trustpoint location. To import a trustpoint, see Configuration > Properties > Certificate > Trustpoint > Import.
Fields

Java TrustpointChoose the configured trustpoint that you want to employ in Java object signing.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Encoding
Configuration > VPN > WebVPN > Encoding This window lets you specify the character encoding for WebVPN portal pages to remote clients. Character encoding, also called character coding and a character set, is the pairing of raw data (such as 0s and 1s) with characters to represent the data. The language determines the character encoding method to use. Some languages use the same method, while others do not. Usually, the geographic region determines the default encoding method used by the browser, but the remote user can change this. The browser can also detect the encoding specified on the page, and render the document accordingly. The encoding attribute lets you specify the value of the character-encoding method into the WebVPN portal page to ensure that the browser renders it properly, regardless of the region in which the user is using the browser, or any changes made to the browser.

ASDM User Guide OL-10106-01

29-13

Chapter 29 Encoding

WebVPN

By default, the security appliance applies the Global WebVPN Encoding Type to pages from Common Internet File System servers. The mapping of CIFS servers to their appropriate character encoding, globally with the Global WebVPN Encoding Type attribute, and individually with the file-encoding exceptions displayed in the table, provides for the accurate handling and display of CIFS pages when the proper rendering of filenames or directory paths, as well as pages, are an issue.
Fields

Global WebVPN Encoding Type This attribute determines the character encoding that all WebVPN portal pages inherit except for those from the CIFS servers listed in the table. You can type the string, or select one from the drop-down list, which contains only the most common values, as follows:
big5 gb2312 ibm-850 iso-8859-1 shift_jis

Note

If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.

unicode windows-1252 none

If you choose none or specify a value that the browser on the WebVPN client does not support, it uses its own default encoding. You can type a string consisting of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive. The command interpreter converts upper-case to lower-case when you save the security appliance configuration.

CIFS ServerName or IP address of each CIFS server for which the encoding requirement differs from the Global WebVPN Encoding Type attribute setting. A difference in the encoding of the CIFS server filename and directory indicates that you might need to add an entry for the server to ensure the encoding is correct.

Encoding TypeDisplays the character encoding override for the associated CIFS server. AddClick once for each CIFS server for which you want to override the Global WebVPN Encoding Type setting. EditSelect a CIFS server in the table and click this button to change its character encoding. DeleteSelect a CIFS server in the table and click this button to delete the associated entry from the table.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

29-14

OL-10106-01

Chapter 29

WebVPN Encoding

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add\Edit Encoding
Configuration > VPN > WebVPN > Encoding > Add\Edit This dialog window lets you maintain exceptions to the Global WebVPN Encoding Type attribute setting in the Configuration > VPN > WebVPN > Encoding window. That window contains the Add and Edit buttons that open this dialog box.
Fields

CIFS ServerEnter the name or IP address of a CIFS server for which the encoding requirement differs from the Global WebVPN Encoding Type attribute setting. The security appliance retains the case you specify, although it ignores the case when matching the name to a server. Encoding Type Choose the character encoding that the CIFS server should provide for WebVPN portal pages. You can type the string, or select one from the drop-down list, which contains only the most common values, as follows:
big5 gb2312 ibm-850 iso-8859-1 shift_jis

Note

If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.

unicode windows-1252 none

If you choose none or specify a value that the browser on the WebVPN client does not support, it uses its own default encoding. You can type a string consisting of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive. The command interpreter converts upper-case to lower-case when you save the security appliance configuration.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

29-15

Chapter 29 Port Forwarding

WebVPN

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Port Forwarding
Configuration > VPN > WebVPN > Port Forwarding Port forwarding lets users access TCP-based applications over a WebVPN connection. Such applications include the following: Lotus Notes Outlook Express Outlook Perforce Sametime Secure FTP (FTP over SSH) SSH Telnet Windows Terminal Service XDDTS

Other TCP-based applications may also work, but we have not tested them. Protocols that use UDP do not work.

Note

Port forwarding supports only those TCP applications that use static TCP ports. Applications that use dynamic ports or multiple TCP ports are not supported. For example, SecureFTP, which uses port 22, works over WebVPN port forwarding, but standard FTP, which uses ports 20 and 21, does not. Port forwarding does not support connections to personal digital assistants.
Port Forwarding and JRE

Because port forwarding requires downloading the Java applet and configuring the local client, and because doing so requires administrator permissions on the local system, it is unlikely that users will be able to use applications when they connect from public remote systems.

Caution

Make sure Sun Microsystems Java Runtime Environment (JRE) 1.5.x is installed on the remote computers to support port forwarding (application access) and digital certificates. If JRE 1.4.x is running and the user authenticates with a digital certificate, the application fails to start because JRE cannot access the web browser's certificate store. The Java applet displays in its own window on the end user HTML interface. It shows the contents of the list of forwarded ports available to the user, as well as which ports are active, and amount of traffic in bytes sent and received.

ASDM User Guide

29-16

OL-10106-01

Chapter 29

WebVPN Port Forwarding

Port Forwarding and User Authentication Via Digital Certificates Incompatibility

Neither port forwarding nor the ASDM JAVA applet work with user authentication using digital certificates. JAVA does not have the ability to access the web browser keystore. Therefore JAVA cannot use certificates that the browser uses to authenticate users, and the application cannot start.
Fields

Configure port forwarding lists for application access over WebVPN groupTo configure application access, create one or more named lists of applications, and then assign a list, by name, to a user (Configuration > Properties > Device Administration > User Accounts > Add/Edit User Account / WebVPN tab) or a group policy (Configuration > VPN > General > Add/Edit Group Policy > WebVPN tab). You can associate a user or group policy with one list only.
List NameDisplays the names of application lists configured for WebVPN. Local TCP PortDisplays the local port that listens for traffic for the application. Remote ServerDisplays the IP address or DNS name of the remote server. Remote TCP PortDisplays the remote port that listens for traffic for the application. DescriptionDisplays text that describes the TCP application.

Add/EditClick to add or modify a port forwarding list. DeleteClick to remove an existing port forwarding list. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

WebVPN End User Set-up

Add/Edit Port Forwarding List


Configuration > VPN > WebVPN > Port Forwarding > Add/Edit Port Forwarding List The Add/Edit Port Forwarding List panels let you add or edit a named list of TCP applications to associate with users or group policies for access over WebVPN connections.
Fields

List NameEnter an alpha-numeric name for the list. Maximum 64 characters.


Local TCP PortDisplays the local port that listens for traffic for the application. Remote ServerDisplays the IP address or DNS name of the remote server. Remote TCP PortDisplays the remote port that listens for traffic for the application. DescriptionDisplays text that describes the TCP application.

ASDM User Guide OL-10106-01

29-17

Chapter 29 Proxies

WebVPN

Add/EditClick to add or modify a port forwarding list. DeleteClick to remove an existing port forwarding list. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Port Forwarding Entry


Configuration > VPN > WebVPN > Port Forwarding > Add/Edit Port Forwarding List > Add/Edit Port Forwarding Entry The Add/Edit Port Forwarding Entry panels let you configure specific applications for a named port forwarding list.
Fields

Local TCP PortType a port number for the application to use. You can use a local port number only once for a listname. To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535. Remote ServerType either the DNS name or IP address of the remote server. We recommend using hostnames so that you do not have to configure the client applications for specific IP addresses. Remote TCP PortType the well-know port number for the application. DescriptionType a description of the application. Maximum 64 characters.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Proxies
Configuration > VPN > WebVPN > Proxies The security appliance can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as an intermediary between users and the Internet. Requiring all Internet access via a server you control provides another opportunity for filtering to assure secure Internet access and administrative control.

ASDM User Guide

29-18

OL-10106-01

Chapter 29

WebVPN Proxy Bypass

Be aware that HTTP/HTTPS proxy does not support connections to personal digital assistants.
Fields

HTTPLets you define an HTTP proxy server.


IP AddressEnter the IP address of the HTTP proxy server. PortEnter the port that listens for HTTP requests. The default port is 80.

HTTPSLets you define an HTTPS proxy server.


IP AddressEnter the IP address of the HTTPS proxy server. PortEnter the port that listens for HTTPS requests. The default port is 443.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Proxy Bypass
Configuration > VPN > WebVPN > Proxy Bypass You can configure the security appliance to use proxy bypass when applications and web resources work better with the special content rewriting this feature provides. Proxy bypass is an alternative method of content rewriting that makes minimal changes to the original content. It is often useful with custom web applications. You can configure multiple proxy bypass entries. The order in which you configure them is unimportant. The interface and path mask or interface and port uniquely identify a proxy bypass rule. If you configure proxy bypass using ports rather than path masks, depending on your network configuration, you might need to change your firewall configuration to allow these ports access to the security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks can change, so you might need to use multiple pathmask statements to exhaust the possibilities. A path is the text in a URL that follows the domain name. For example, in the URL www.mycompany.com/hrbenefits, hrbenefits is the path. Similarly, for the URL www.mycompany.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*.
Fields

InterfaceDisplays the VLAN configured for proxy bypass. PortDisplays the port configured for proxy bypass. Path MaskDisplays the URI path to match for proxy bypass. URLDisplays the target URLs. RewriteDisplays the rewrite options. These are a combination of XML, link, or none. Add/EditClick to add a proxy bypass entry or edit a selected entry.

ASDM User Guide OL-10106-01

29-19

Chapter 29 Proxy Bypass

WebVPN

DeleteClick to delete a proxy bypass entry.

.Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Proxy Bypass Rule


Configuration > VPN > WebVPN > Proxy Bypass > Add/Edit Proxy Bypass Rule This panel lets you set rules for when the security appliance performs little or no content rewriting.
Fields

Interface NameSelect the VLAN for proxy bypass. Bypass ConditionSpecify either a port or a URI for proxy bypass.
PortSelect to use a port for proxy bypass. Valid port numbers are 20000-21000. Port (unlabeled)Enter a high-numbered port for the security appliance to reserve for proxy

bypass.
Path MaskSelect to use a URL for proxy bypass. Path MaskEnter a URL for proxy bypass. It can contain a regular expression.

URLDefine target URLs for proxy bypass.


ProtocolSelect either http or https as the protocol. URL (unlabeled)Enter a URL to which you want to apply proxy bypass.

Content to RewriteSpecifies the content to rewrite. The choices are none or a combination of XML, links, and cookies.
XMLCheck to rewrite XML content. HostnameCheck to rewrite links.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

29-20

OL-10106-01

Chapter 29

WebVPN SSL VPN Client

SSL VPN Client


Configuration > VPN > WebVPN > SSL VPN Client This window lets you enable the security appliance to download SVC image files to remote computers. The SVC Image Files pane displays files existing in flash memory identified as SVC images. The order of the files in this pane indicates the order in which they are downloaded to the remote computer. SVC is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance. To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation. After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates. The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly-encountered remote computer operating system.
Fields

EnableEnables the security appliance to download SVC image files to remote computers. AddDisplays the Add SSL VPN Client Image window, where you can specify a file in flash memory as an SVC image file, or where you can browse flash memory for a file to specify as an SVC image. You can also upload a file from a local computer to the flash memory. ReplaceDisplays the Replace SSL VPN Client Image window, where you can specify a file in flash memory as an SVC image to replace an SVC image hightlighted in the SVC Image Files table. You can also upload a file from a local computer to the flash memory. DeleteDeletes an SVC image that you hightlight in the SVC Image Files pane. Move Up and Move Downchanges the order in which the security appliance downloads the SVC images to the remote computer. It downloads the SVC image at the top of the SVC Image Files pane first. Therefore, you should move the SVC image used by the most commonly-encountered operating system to the top of the pane.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

29-21

Chapter 29 SSL VPN Client

WebVPN

For More Information

WebVPN End User Set-up

Add SSL VPN Client Image


Configuration > VPN > WebVPN > SSL VPN Client> Add SSL VPN Client Image In this window, you can specify a filename for a file on the security appliance flash memory that you want to identify as an SSL VPN Client (SVC) image. You can also browse the flash memory for a file to identify, or you can upload a file from a local computer to the flash memory.
Fields

Flash SVC ImageSpecify the filename of the file in flash memory that you want to identify as an SSL VPN Client (SVC) image. Browse FlashDisplays the Browse Flash Dialog window where you can view all the files on flash memory. UploadDisplays the Upload Image window where you can upload a file from a local PC that you want to identify as an SVC image.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add SSL VPN Client Browse Flash Dialog


Configuration > VPN > WebVPN > SSL VPN Client> Add SSL VPN Client Image > Browse Flash Dialog In this window, you can browse the flash memory of the security appliance for a file that you want to identify as an SSL VPN Client (SVC) image. You can also browse the flash memory for a file to identify, or you can upload a file from a local computer to the flash memory.
Fields

Flash SVC ImageIdentifies the filename of the file in flash memory that you want to identify as an SSL VPN Client (SVC) image. Browse FlashDisplays the Browse Flash Dialog window where you can view all the files on flash memory. UploadDisplays the Upload Image window where you can upload a file from a local PC that you want to identify as an SVC image.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

29-22

OL-10106-01

Chapter 29

WebVPN SSL VPN Client

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add SSL VPN Client Upload Flash Dialog


Configuration > VPN > WebVPN > SSL VPN Client> Add SSL VPN Client Image > Browse Flash Dialog In this window, you can specify the path of a file on the local computer or in flash memory of the security appliance that you want to identify as an SSL VPN Client (SVC) image. You can also browse the local computer or the flash memory of the security appliance for a file to identify.
Fields

Local File PathIdentifies the filename of the file in on the local computer that you want to identify as an SSL VPN Client (SVC) image. Browse LocalDisplays the Select File Path window where you can view all the files on local computer and where you can select a file to identify as an SVC image. Flash File System PathIdentifies the filename of the file in the flash memory of the security appliance that you want to identify as an SSL VPN Client (SVC) image. Browse FlashDisplays the Browse Flash Dialog window where you can view all the files on flash memory of the security appliance and where you can select a file to identify as an SVC image.

Replace SSL VPN Client Image


Configuration > VPN > WebVPN > SSL VPN Client> Replace SSL VPN Client Image In this window, you can specify a filename for a file on the security appliance flash memory that you want to identify as an SSL VPN Client (SVC) image to replace a file previously identified as an SVC image. You can also browse the flash memory for a file to identify, or you can upload a file from a local computer to the flash memory.
Fields

Flash SVC ImageSpecify the filename of the file in flash memory that you want to identify as an SSL VPN Client (SVC) image. Browse FlashDisplays the Browse Flash Dialog window where you can view all the files on flash memory. UploadDisplays the Upload Image window where you can upload a file from a local PC that you want to identify as an SVC image.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

29-23

Chapter 29 SSO Servers

WebVPN

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Replace SSL VPN Client Upload Flash Dialog


Configuration > VPN > WebVPN > SSL VPN Client > Replace SSL VPN Client Image > Browse > Flash Dialog In this window, you can specify the path of a file on the local computer or in flash memory of the security appliance that you want to identify as an SSL VPN Client (SVC) image. You can also browse the local computer or the flash memory of the security appliance for a file to identify.
Fields

Local File PathIdentifies the filename of the file in on the local computer that you want to identify as an SSL VPN Client (SVC) image. Browse LocalDisplays the Select File Path window where you can view all the files on local computer and where you can select a file to identify as an SVC image. Flash File System PathIdentifies the filename of the file in the flash memory of the security appliance that you want to identify as an SSL VPN Client (SVC) image. Browse FlashDisplays the Browse Flash Dialog window where you can view all the files on flash memory of the security appliance and where you can select a file to identify as an SVC image.

SSO Servers
Configuration > VPN > WebVPN > SSO Servers The SSO Server window lets you configure or delete single sign-on (SSO) for WebVPN users using Computer Associates SiteMinder SSO server. SSO support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. You can choose from three methods when configuring SSO: Auto Signon using basic HTTP and/or NTLMv1 authentication, HTTP Form protocol, or Computer Associates eTrust SiteMinder (formerly Netegrity SiteMinder). This section describes the procedure for setting up SSO with SiteMinder.

To configure SSO with basic HTTP or NTLM authentication, see Auto Signon. To configure SSO with the HTTP Form protocol, see AAA Setup.

The SSO mechanism either starts as part of the AAA process (HTTP Forms) or just after successful user authentication to a AAA server (SiteMinder). In both cases, the WebVPN server running on the security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN server sends an SSO authentication request, including username and password, to the authenticating server using HTTPS. If the server approves the authentication request, it returns an SSO authentication cookie to the WebVPN server. This cookie is kept on the security appliance on behalf of the user and used to authenticate the user to secure websites within the domain protected by the SSO server.

ASDM User Guide

29-24

OL-10106-01

Chapter 29

WebVPN SSO Servers

SSO authentication with SiteMinder is separate from AAA and occurs after the AAA process completes. To set up SSO for a user or group, you must first configure a AAA server (RADIUS, LDAP and so forth). After a user authenticates to the AAA server, the WebVPN server uses HTTPS to send an authentication request to the SiteMinder SSO server. Besides configuring the security appliance, you must also configure your CA SiteMinder Policy Server with the Cisco authentication scheme. See Adding the Cisco Authentication Scheme to SiteMinder.
Fields

Server NameDisplay only. Displays the names of configured SSO Servers. The minimum number of characters is 4, and the maximum is 31. Authentication TypeDisplay only. Displays the type of SSO server. The security appliance currently supports the SiteMinder type. URLDisplay only. Displays the SSO server URL to which the security appliance makes SSO authentication requests. Secret KeyDisplay only. Displays the secret key used to encrypt authentication communications with the SSO server. The key can be comprised of any regular or shifted alphanumeric character. There is no minimum or maximum number of characters. Maximum RetriesDisplay only. Displays the number of times the security appliance retries a failed SSO authentication attempt. The range is 1 to 5 retries, and the default number of retries is 3. Request Timeout (seconds)Display only. Displays the number of seconds before a failed SSO authentication attempt times out. The range is 1 to 30 seconds, and the default number of seconds is 5. Add/EditOpens the Add/Edit SSO Server dialog box. DeleteDeletes the selected SSO server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Adding the Cisco Authentication Scheme to SiteMinder


Besides configuring the security appliance for SSO with SiteMinder, you must also configure your CA SiteMinder Policy Server with the Cisco authentication scheme, provided as a Java plug-in.

Note

Configuring the SiteMinder Policy Server requires experience with SiteMinder. This section presents general tasks, not a complete procedure. Refer to the CA SiteMinder documentation for the complete procedure for adding a custom authentication scheme.

ASDM User Guide OL-10106-01

29-25

Chapter 29 SSO Servers

WebVPN

To configure the Cisco authentication scheme on your SiteMinder Policy Server, perform the following tasks:
Step 1

With the Siteminder Administration utility, create a custom authentication scheme being sure to use the following specific arguments:

In the Library field, enter smjavaapi. In the Secret field, enter the same secret configured in the Secret Key field of the Add SSO Server dialog to follow. In the Parameter field, enter CiscoAuthAPI.

Step 2

Copy the file cisco_vpn_auth.jar from the CD to the default library directory for the SiteMinder server.

Add/Edit SSO Server


Configuration > VPN > WebVPN > SSO Servers > Add/Edit SSO Server

Note

This SSO method uses CA SiteMinder. You can also set up SSO using the HTTP Form protocol, or Basic HTML and NTLM authentication. To use the HTTP Form protocol, see AAA Setup. To set use basic HTML or NTLM authentication, use the auto-signon command at the command line interface.
Fields

Server NameIf adding a server, enter the name of the new SSO server. If editing a server, this field is display only; it displays the name of the selected SSO server. Authentication TypeDisplay only. Displays the type of SSO server. The type currently supported by the security appliance is SiteMinder. URLEnter the SSO server URL to which the security appliance makes SSO authentication requests. Secret KeyEnter a secret key used to encrypt authentication requests to the SSO server. Key characters can be any regular or shifted alphanumeric characters. There is no minimum or maximum number of characters. The secret key is similar to a password: you create it, save it, and configure it. It is configured on both the security appliance and the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme. Maximum RetriesEnter the number of times the security appliance retries a failed SSO authentication attempt before the authentication times-out. The range is from 1 to 5 retries inclusive, and the default is 3 retries. Request TimeoutEnter the number of seconds before a failed SSO authentication attempt times out. The range is from1 to 30 seconds inclusive, and the default is 5 seconds.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

29-26

OL-10106-01

Chapter 29

WebVPN Servers and URLs

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Servers and URLs


Configuration > VPN > WebVPN > Servers and URLs The Servers and URLs lets you view, add, and populate lists servers and URLs for access over WebVPN.

Note

File access requires that you configure a NetBIOS server (Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > WebVPN > NetBIOS Servers).
Fields

Configure lists of servers and URLs for access over WebVPNTo configure file and URL access, create one or more named lists of file servers and URLs, and then assign the listname to individual users (Configuration > Properties > Device Administration > User Accounts > Add/Edit User Account / WebVPN tab > Other) or a group policy (Configuration > VPN > General > Add/Edit Group Policy > WebVPN tab > Other). You can associate a user or group policy with only one list.

List NameNames of server and URL lists configured for WebVPN. URL Display NameNames end users see for the individual servers and URLs in the list. URLURLs or paths to servers in the list. AddClick to add a list of servers and URLs. EditSelect a list in the Servers and URLs box and click this button to modify it. DeleteSelect a list in the Servers and URLs box and click this button to remove it. ASDM removes the list without confirming the request.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

WebVPN Access
Configuration > VPN > WebVPN > WebVPN Access The WebVPN Access panel lets you accomplish the following tasks:

ASDM User Guide OL-10106-01

29-27

Chapter 29 WebVPN Access

WebVPN

Enable or disable security appliance interfaces for WebVPN sessions Choose a port for WebVPN connections Set a global timeout value for WebVPN sessions Set a maximum number of simultaneous WebVPN sessions Configure the amount of security appliance memory that WebVPN can use.

To configure WebVPN services for individual users, the best practice is to use the Configuration > VPN > General > Group Policy >Add/Edit >WebVPN panel. Then use the Configuration > Properties >Device Administration >User Accounts > VPN Policy panel to assign the group policy to a user.
Fields

Configure access parameters for WebVPNLets you enable or disable WebVPN connections on configured security appliance interfaces.
InterfaceDisplays names of all configured interfaces. WebVPN EnabledDisplays current status for WebVPN on the interface.

A green check next to Yes indicates that WebVPN is enabled. A red circle next to No indicates that WebVPN is disabled.
Enable/DisableClick to enable or disable WebVPN on the highlighted interface.

Port NumberEnter the port number that you want to use for WebVPN sessions. The default port is 443, for HTTPS traffic; the range is 1 through 65535. If you change the port number, All current WebVPN connections terminate, and current users must reconnect. You also lose connectivity to ASDM, and a prompt displays, inviting you to reconnect. Default Idle TimeoutEnter the amount of time, in seconds, that a WebVPN session can be idle before the security appliance terminates it. This value applies only if the Idle Timeout value in the group policy for the user is set to zero (0), which means there is no timeout value; otherwise the group policy Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 1 minute. The default is 30 minutes (1800 seconds). Maximum is 24 hours (86400 seconds). We recommend that you set this attribute to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the Simultaneous Logins attribute for the group policy is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Max. Sessions LimitEnter the maximum number of WebVPN sessions you want to allow. Be aware that the different ASA models support WebVPN sessions as follows: ASA 5510 supports a maximum of 150; ASA 5520 maximum is 750; ASA 5540 maximum is 2500. WebVPN Memory SizeEnter the percent of total memory or the amount of memory in kilobytes that you want to allocate to WebVPN processes. The default is 50% of memory. Be aware that the different ASA models have different total amounts of memory as follows: ASA 5510256 MB; ASA5520 512 MB: ASA 55401GB. When you change the memory size, the new setting takes effect only after the system reboots. WebVPN Memory (unlabeled)Choose to allocate memory for WebVPN either as a percentage of total memory or as an amount of memory in kilobytes.

ASDM User Guide

29-28

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Enable Tunnel Group Drop-down List on WebVPN Login Check to include a drop-down list of configured tunnel groups on the WebVPN end-user interface. Users select a tunnel group from this list when they log on. This field is checked by default. If you uncheck it, the user cannot select a tunnel group at logon.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

WebVPN End User Set-up

Webpage Customization
Configuration > VPN > WebVPN > Customization Webpage Customization lets you customize the appearance of the WebVPN page that appears to WebVPN users when they connect to the security appliance. You can also customize pages that display to WebVPN users after the security appliance authenticates them, including the WebVPN Home page and the Application Access page.
Fields

Customization Objects tableDisplays the default WebVPN customization object (DfltCustomization), and any customization objects you add. AddAdds a new customization object and displays the Add Customization Object dialog box where you can further customize. EditFor the highlighted object in the Customization Object table, the Edit button displays the Edit Customization Object dialog box, where you can further customize. DeleteDeletes the highlighted object in the Customization Object table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

29-29

Chapter 29 Webpage Customization

WebVPN

Add/Edit Webpage Customization Object > Select Font


You can get to this dialog box from various paths. The Select Font dialog box lets you specify a font family, style, weight, and size.
Fields

Font FamilyLets you customize the font family.


Do not specifySpecifies the default. Use selectionEnables a list of font families that you can select from.

Font StyleLets you customize the font style.


Do not specifySpecifies the default. Use selectionEnables a list of font styles that you can select from.

Font SizeLets you customize the font size.


Do not specifySpecifies the default. Use selectionEnables a list of font sizes that you can select from.

Font WeightLets you customize the font weight.


Do not specifySpecifies the default. Use selectionEnables a list of font weights that you can select from.

PreviewDisplays a preview of your selection.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Select Foreground Color


You can get to this dialog box from various paths. The Select Foreground Color dialog box lets you conveniently select custom colors that comprise a style.
Fields

Do not specifySpecifies to use the default. Use selectionEnables the Swatches, HSB, and RGB tabs where you can select colors.
Swatches tabLets you conveniently select custom colors. Click on a color block to select a

color.
HSB tabLets you select custom colors defined by hue, saturation, and brightness (HSB).

ASDM User Guide

29-30

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Adjust the Spectrum Bar to the basic color of the light spectrum you desire. Then click and drag the mouse over the color plane until you reach the desired shade. Do this for the hue, saturation, and brightness settings. Alternatively, you can adjust the H, S, and B settings manually by clicking the H, S, and B radio buttons and selecting the up or down arrow. The R, G, and B fields display a translation to RGB values as you drag the mouse.
RGB tabLets you select custom colors defined by red, green, and blue (RGB).

Adjust the red, green, and blue slide bars to the shade that you desire. Alternatively, you can click the up and down arrows on the RGB values to make the values increase or decrease.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Select Background Color


You can get to this dialog box from various paths. The Select Background Color dialog box lets you conveniently select custom colors that comprise a style.
Fields

Do not specifySpecifies to use the default. Use selectionEnables the Swatches, HSB, and RGB tabs where you can select colors.
Swatches tabLets you conveniently select custom colors. Click on a color block to select a

color.
HSB tabLets you select custom colors defined by hue, saturation, and brightness (HSB).

Adjust the Spectrum Bar to the basic color of the light spectrum you desire. Then click and drag the mouse over the color plane until you reach the desired shade. Do this for the hue, saturation, and brightness settings. Alternatively, you can adjust the H, S, and B settings manually by clicking the H, S, and B radio buttons and selecting the up or down arrow. The R, G, and B fields display a translation to RGB values as you drag the mouse.
RGB tabLets you select custom colors defined by red, green, and blue (RGB).

Adjust the red, green, and blue slide bars to the shade that you desire. Alternatively, you can click the up and down arrows on the RGB values to make the values increase or decrease.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

29-31

Chapter 29 Webpage Customization

WebVPN

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Page Title Tab


Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Title Page Tab The Page Title Tab lets you customize the WebVPN page that appears to WebVPN users when they initially connect to the security appliance, including the page style, the title, and the logo.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Page StyleDefine the style with CSS parameters (maximum 256 characters).
ConfigureLets you configure the font, foreground color, and background color, and appears

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

TitleLets you configure the title of the WebVPN page, including the text and style of the text.
TextEnter the text that you want to appear in the title. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and appears

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Titlebar LogoLets you specify your own custom logo that appears on the WebVPN page.
NoneNo logo appears on the WebVPN page. DefaultThe Cisco logo appears on the WebVPN page. CustomEnter the filename of a custom logo, or click the Browse Flash button to browse for

a file.
Browse FlashBrowse for a custom file. Upload LogoDisplays the Upload Logo dialog box where you can browse for logo files

located on the computer running ASDM.

ASDM User Guide

29-32

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Sample PreviewDisplays the upload logo using your current title and logo settings.
Preview in BrowserDisplays your current settings in a browser window.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Page Title Tab > Upload Logo
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Title Page Tab > Upload Logo Dialog Box The Upload Logo panel lets you locate a logo file on the computer you are using to run ASDM, and to upload that logo to the security appliance.
Fields

Local File PathDisplays the path to the logo that you define using the Browse Local button. Browse LocalClick to browse the fie structure of the computer you are using to run ASDM and locate the logo. Flash File System PathDisplays the path to the logo that you define using the Browse Flash button. Browse FlashClick to browse the file structure of Flash memory on the security appliance to decide where you want to locate the logo. Upload FileClick to display the Browse Flash dialog box. The name of the logo file you have selected appears in the File Name box. Click OK to set this path to flash memory.

You return to the Upload Logo panel. Click the Upload button to upload the new logo file to Flash memory. This logo now appears in the Preview box.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Login Page Tab > Login Box Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Login Page Tab > Login Box Tab

ASDM User Guide OL-10106-01

29-33

Chapter 29 Webpage Customization

WebVPN

The Login Box tab lets you customize the Login box of the WebVPN page that appears to WebVPN users when they initially connect to the security appliance, including the title and the message.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Login TitleLets you specify the text to appear in the Login box title and the style of the login title.
TextEnter the text that you want to appear in the Title of the Login Box. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Login MessageLets you specify the message that appears in the Login box, and the style of that message.
TextEnter the text that you want to appear as the message in the Login box. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays the Login Title and Login Message using your settings.
Preview in BrowserDisplays the Login Title and Login Message using your current settings

in a browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

29-34

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Add/Edit Webpage Customization Object > Login Page Tab > Login Prompts Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Login Page Tab > Login Prompts Tab The Login Prompts tab lets you customize the login prompts of the WebVPN page that appears to WebVPN users when they initially connect to the security appliance, including the username, password, and group prompts.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org. Username PromptLets you customize the username prompt, including the text that appears and the style of that text.
TextEnter the text to display for the username prompt. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Password PromptLets you customize the password prompt, including the text that appears and the style of that text.
TextEnter the text to display for the password prompt. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Group PromptLets you customize the group prompt, including the text that appears and the style of that text.
TextEnter the text to display for the group prompt. StyleDefine the style with CSS parameters (maximum 256 characters). Configure buttonLets you configure the font, foreground color, and background color, and

displays HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays the Login box using your current username, password, and group prompt settings.

ASDM User Guide OL-10106-01

29-35

Chapter 29 Webpage Customization

WebVPN

Preview in BrowserDisplays the Login box using your current username, password, and group prompt settings in a browser window.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Login Page Tab > Login Buttons Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Login Page Tab > Login Buttons Tab The Login Buttons tab lets you customize the Login and Clear buttons of the WebVPN page that appears to WebVPN users when they initially connect to the security appliance.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Login ButtonLets you customize the Login button, including the text that appears on the button and the style of the button.
TextEnter the text to display on the Login button. StyleDefine the style of the Login button with CSS parameters (maximum 256 characters). Configure buttonLets you configure the font, foreground color, and background color, and

displays HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

ClearLets you customize the Clear button, including the text that appears on the button and the style of the button.
TextEnter the text to display on the Clear button. StyleDefine the style of the Login button with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

ASDM User Guide

29-36

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Sample PreviewDisplays the Login and clear buttons using your current settings.
Preview in BrowserDisplays the Login and Clear buttons using your current settings in a

browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Logout Page Tab


Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Logout Page Tab The Logout Page tab lets you customize the Logout page that appears to WebVPN users when they Log out of WebVPN service.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Logout TitleLets you specify the text to appear in the Logout box title and the style of the logout title.
TextEnter the text that you want to appear as the message in the Logout page. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Logout MessageLets you specify the message to appear on the Logout page.
TextEnter the text that you want to appear as the message in the Logout page. StyleDefine the style with CSS parameters (maximum 256 characters).

ASDM User Guide OL-10106-01

29-37

Chapter 29 Webpage Customization

WebVPN

ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays the Logout page using your settings.


Preview in BrowserDisplays the page using your current settings in a browser window.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Home Page Tab > Border Color Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Home Page Tab > Border Color Tab The Border Color tab lets you customize the border of the WebVPN Home page that appears to WebVPN users after they are authenticated by the security appliance.
Fields

Border StyleUse any Cascading Style Sheet (CSS) parameters to define the style, including font styles, and HTML and RGB colors. To easily change the style, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

ConfigureLets you configure the font, foreground color, and background color, and displays HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools. Sample PreviewDisplays the WebVPN Home page using your border settings.
Preview in BrowserDisplays the WebVPN Home page using your border settings in a browser

window.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

29-38

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Home Page Tab > Web Applications Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Home Page Tab > Web Applications Tab The Web Applications tab lets you customize the Web Applications box of the WebVPN Home page that appears to authenticated WebVPN users.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

TitleLets you customize the title of the Web Applications box.


TextEnter the text that you want to appear as the title. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

MessageLets you customize the message (under the title) of the Web Applications box,
TextEnter the text that you want to appear as the message. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

DropdownLets you customize the drop-down list of the Web Applications box.
TextEnter the text that you want to appear in the drop-down list. StyleDefine the style with CSS parameters (maximum 256 characters).

ASDM User Guide OL-10106-01

29-39

Chapter 29 Webpage Customization

WebVPN

ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays the WebVPN Home page using your Web Application settings.
Preview in BrowserDisplays the WebVPN Home page using your Web Application in a

browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Home Page Tab > Application Access Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Home Page Tab > Application Access Tab The Applications Access tab lets you customize the Applications Access box of the WebVPN Home page that appears to authenticated WebVPN users.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

TitleLets you customize the title of the Applications Access box.


TextEnter the text that you want to appear as the title. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

MessageLets you customize the message under the title of the Applications Access box
TextEnter the text that you want to appear as the message.

ASDM User Guide

29-40

OL-10106-01

Chapter 29

WebVPN Webpage Customization

StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays the WebVPN Home page using your Application Access settings.
Preview in BrowserDisplays the WebVPN Home page using your Application Access settings

in a browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Home Page Tab > Browse Network Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Home Page Tab > Browse Network Tab The Browse Networks tab lets you customize the Browse Networks box of the WebVPN Home page that appears to authenticated WebVPN users.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

TitleLets you customize the title of the Browse Networks box.


TextEnter the text that you want to appear as the title. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

MessageLets you customize the message under the title of the Browse Networks box

ASDM User Guide OL-10106-01

29-41

Chapter 29 Webpage Customization

WebVPN

TextEnter the text that you want to appear as the message. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

DropdownLets you customize the drop-down list of the Browse Networks box.
TextEnter the text that you want to appear in the drop-down list. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays the WebVPN Home page using your Browse Networks settings.
Preview in BrowserDisplays the WebVPN Home page using your Browse Networks settings

in a browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Home Page Tab > Web Bookmarks Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Home Page Tab > Web Bookmarks Tab The Web Bookmarks tab lets you customize the Web Bookmarks title and the appearance of the bookmarks links on the WebVPN Home page that appears to authenticated WebVPN users.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

ASDM User Guide

29-42

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Bookmark TitleLets you customize the title.


TextEnter the text that you want to appear as the title. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Bookmark Links StyleDefine the style with CSS parameters (maximum 256 characters).
ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools

Sample PreviewDisplays the WebVPN Home page using your Web Bookmarks settings.
Preview in BrowserDisplays the WebVPN Home page using your Web Bookmarks settings

in a browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Home Page Tab > File Bookmarks Tab
Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Home Page Tab > File Bookmarks Tab The File Bookmarks tab lets you customize the File Bookmarks title and the appearance of the bookmarks links on the WebVPN Home page that appears to authenticated WebVPN users.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Bookmark TitleLets you customize the title.

ASDM User Guide OL-10106-01

29-43

Chapter 29 Webpage Customization

WebVPN

TextEnter the text that you want to appear as the title. StyleDefine the style with CSS parameters (maximum 256 characters). ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Bookmark Links StyleDefine the style with CSS parameters (maximum 256 characters).
ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools

Sample PreviewDisplays the WebVPN Home page using your File Bookmarks settings.
Preview in BrowserDisplays the WebVPN Home page using your File Bookmarks settings in

a browser window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Application Access Window Tab


Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Application Access Window Tab The Application Access Window tab lets you customize the Application Access window that appears to authenticated WebVPN users that select Application Access on the WebVPN Home page.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Window StyleDefine the style with CSS parameters (maximum 256 characters).
ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

ASDM User Guide

29-44

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Warning MessageEnter the text that you want to appear as the warning message. Show application details in the application access windowLets you disable the display of application details that appear on the Application Access Window. Sample PreviewDisplays the Application Access Window using your settings.
Preview in BrowserDisplays the Application Access Window using your settings in a browser

window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Prompt Dialog Tab


Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Prompt Dialog Tab The Prompt Dialog tab lets you customize the appearance of dialog messages that appear to authenticated WebVPN users.
Fields

This tab contains several Style fields. Use any Cascading Style Sheet (CSS) parameters to define the style. To easily change the font, background color and foreground color, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.

Dialog Title StyleDefine the style with CSS parameters (maximum 256 characters).
ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Dialog Message StyleDefine the style with CSS parameters (maximum 256 characters).
ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Dialog Border StyleDefine the style with CSS parameters (maximum 256 characters).

ASDM User Guide OL-10106-01

29-45

Chapter 29 Webpage Customization

WebVPN

ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.

Sample PreviewDisplays a sample of a dialog message using your settings.


Preview in BrowserDisplays a sample of a dialog message using your settings in a browser

window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Add/Edit Webpage Customization Object > Quick Style Configuration


Configuration > VPN > WebVPN > Webpage Customization > Add/Edit Customization Objects > Quick Style Configuration > The Quick Style Configuration dialog box lets you apply a single style to multiple WebVPN window customization settings.
Fields

Select Fieldsclick the fields that you want to share a single style. Specify StyleLets you specify a custom style to use for the fields you have selected.
Use custom styleclick disable the default style, and supply the custom style. StyleDefine the style of the WebVPN page with Cascading Style Sheet (CSS) parameters

(maximum 256 characters), including font styles, and HTML and RGB colors. To easily change the style, use the Configure button. You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML. RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others. HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine. For more information about CSS, visit the World Wide Web Consortium (W3C) website at www.w3.org.
ConfigureLets you configure the font, foreground color, and background color, and displays

HTML color swatches, and HSB (Hue, Saturation, Brightness) and RGB (Red, Green, Blue) selection tools.
PreviewDisplays a sample of the style you selected.

Use default stylesEnables default styles.

ASDM User Guide

29-46

OL-10106-01

Chapter 29

WebVPN Webpage Customization

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

29-47

Chapter 29 Webpage Customization

WebVPN

ASDM User Guide

29-48

OL-10106-01

C H A P T E R

30

WebVPN End User Set-up


This ections is for the system administrator who sets up WebVPN for end users. It summarizes configuration requirements and tasks for the user remote system. It also specifies information to communicate to users to get them started using WebVPN. This section includes the following topics:

Requiring Usernames and Passwords Communicating Security Tips Configuring Remote Systems to Use WebVPN Features Capturing WebVPN Data

Note

We assume you have already configured the security appliance for WebVPN.

Requiring Usernames and Passwords


Depending on your network, during a remote session users might have to log in to any or all of the following: the computer itself, an Internet service provider, WebVPN, mail or file servers, or corporate applications. Users might have to authenticate in many different contexts, requiring different information, such as a unique username, password, or PIN. Table 30-1 lists the type of usernames and passwords that WebVPN users might need to know.
Table 30-1 Usernames and Passwords to Give to WebVPN Users

Login Username/ Password Type Computer Internet Service Provider WebVPN File Server

Purpose Access the computer Access the Internet Access remote network Access remote file server

Entered When Starting the computer Connecting to an Internet service provider Starting WebVPN Using the WebVPN file browsing feature to access a remote file server

Corporate Application Login Access firewall-protected internal server Using the WebVPN web browsing feature to access an internal protected website Mail Server Access remote mail server via WebVPN Sending or receiving e-mail messages

ASDM User Guide OL-10106-01

30-1

Chapter 30 Communicating Security Tips

WebVPN End User Set-up

Communicating Security Tips


Advise users always to log out from the WebVPN session. (To log out of WebVPN, click the logout icon on the WebVPN toolbar or close the browser.) Advise users that using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secure.

Configuring Remote Systems to Use WebVPN Features


Table 30-2 includes the following information about setting up remote systems to use WebVPN:

Starting WebVPN Using the WebVPN Floating Toolbar Web Browsing Network Browsing and File Management Using Applications (Port Forwarding) Using E-mail via Port Forwarding Using E-mail via Web Access Using E-mail via e-mail proxy WebVPN requirements, by feature WebVPN supported applications Client application installation and configuration requirements Information you might need to provide end users Tips and use suggestions for end users

Table 30-2 also provides information about the following:


It is possible you have configured user accounts differently and that different WebVPN features are available to each user. Table 30-2 organizes information by feature, so you can skip over the information for unavailable features.

ASDM User Guide

30-2

OL-10106-01

Chapter 30

WebVPN End User Set-up Configuring Remote Systems to Use WebVPN Features

Table 30-2

WebVPN Remote System Configuration and End User Requirements

Task Starting WebVPN

Remote System or End User Requirements Connection to the Internet

Specifications or Use Suggestions Any Internet connection is supported, including:


Home DSL, cable, or dial-ups Public kiosks Hotel hook-ups Airport wireless nodes Internet cafes

WebVPN-supported browser

We recommend the following browsers for WebVPN. Other browsers might not fully support WebVPN features. On Microsoft Windows:

Internet Explorer version 6.0 Netscape version 7.2 Mozilla version 1.7 and later Firefox 1.x

On Linux:

Mozilla version 1.7 Netscape version 7.2 Firefox 1.x Netscape version 7.2

On Solaris:

On Macintosh OS X:

Safari version 1.0 Firefox 1.x

Cookies enabled on browser URL for WebVPN

Cookies must be enabled on the browser in order to access applications via port forwarding. An https address in the following form: https://address where address is the IP address or DNS hostname of an interface of the security appliance (or load balancing cluster) on which WebVPN is enabled. For example: https://10.89.192.163 or https://cisco.example.com.

WebVPN username and password [Optional] Local printer WebVPN does not support printing from a web browser to a network printer. Printing to a local printer is supported.

ASDM User Guide OL-10106-01

30-3

Chapter 30 Configuring Remote Systems to Use WebVPN Features

WebVPN End User Set-up

Table 30-2

WebVPN Remote System Configuration and End User Requirements (continued)

Task Using the WebVPN Floating Toolbar

Remote System or End User Requirements

Specifications or Use Suggestions A floating toolbar is available to simplify the use of WebVPN. The toolbar lets you enter URLs, browse file locations, and choose preconfigured web connections without interfering with the main browser window. If you configure your browser to block popups, the floating toolbar cannot display. The floating toolbar represents the current WebVPN session. If you click the Close button, the security appliance prompts you to confirm that you want to close the WebVPN session.

Tip

TIP: To paste text into a text field, use Ctrl-V. (Right-clicking is disabled on the WebVPN toolbar.)

Web Browsing

Usernames and passwords for protected websites

Using WebVPN does not ensure that communication with every site is secure. See Communicating Security Tips. The look and feel of web browsing with WebVPN might be different from what users are accustomed to. For example:

The WebVPN title bar appears above each web page You access websites by:
Entering the URL in the Enter Web

Address field on the WebVPN Home page


Clicking on a preconfigured website link

on the WebVPN Home page


Clicking a link on a webpage accessed via

one of the previous two methods Also, depending on how you configured a particular account, it might be that:

Some websites are blocked Only the websites that appear as links on the WebVPN Home page are available

ASDM User Guide

30-4

OL-10106-01

Chapter 30

WebVPN End User Set-up Configuring Remote Systems to Use WebVPN Features

Table 30-2

WebVPN Remote System Configuration and End User Requirements (continued)

Task Network Browsing and File Management

Remote System or End User Requirements File permissions configured for shared remote access

Specifications or Use Suggestions Only shared folders and files are accessible via WebVPN.

Server name and passwords for protected file servers Domain, workgroup, and server names where folders and files reside Users might not be familiar with how to locate their files through your organization network. Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress. Interrupting the operation can cause an incomplete file to be saved on the server.

ASDM User Guide OL-10106-01

30-5

Chapter 30 Configuring Remote Systems to Use WebVPN Features

WebVPN End User Set-up

Table 30-2

WebVPN Remote System Configuration and End User Requirements (continued)

Task Using Applications

Remote System or End User Requirements


Note

Specifications or Use Suggestions

On Macintosh OS X, only the Safari browser supports this feature. Because this feature requires installing Sun Microsystems Java Runtime Environment and configuring the local clients, and because doing so requires administrator permissions on the local system, it is unlikely that users will be able to use applications when they connect from public remote systems.

(called Port Forwarding Note or Application Access)

Caution

Users should always close the Application Access window when they finish using applications by clicking the Close icon. Failure to quit the window properly can cause Application Access or the applications themselves to be disabled. See User must have administrator access on the PC if you use DNS names to specify servers because modifying the hosts file requires it. If JRE is not installed, a pop-up window displays, directing users to a site where it is available. On rare occasions, the WebVPN port forwarding applet fails with JAVA exception errors. If this happens, do the following:
1. 2. 3.

Client applications installed Cookies enabled on browser Administrator privileges

Sun Microsystems Java Runtime Environment (JRE) version 1.4.x and 1.5.x installed. Javascript must be enabled on the browser. By default, it is enabled.

Clear the browser cache and close the browser. Verify that no JAVA icons are in the computer task bar. Close all instances of JAVA. Establish a WebVPN session and launch the port forwarding JAVA applet.

Client applications configured, if necessary.


Note

The Microsoft Outlook client does not require this configuration step.

To configure the client application, use the servers locally mapped IP address and port number. To find this information:
1.

All non-Windows client applications require configuration. To see if configuration is necessary for a Windows application, check the value of the Remote Server.

Start WebVPN on the remote system and click the Application Access link on the WebVPN Home page. The Application Access window appears. In the Name column, find the name of the server you want to use, then identify its corresponding client IP address and port number (in the Local column). Use this IP address and port number to configure the client application. Configuration steps vary for each client application.

2.

If the Remote Server contains the server hostname, you do not need to configure the client application. If the Remote Server field contains an IP address, you must configure the client application.

3.

Note

Clicking a URL (such as one in an -e-mail message) in an application running over WebVPN does not open the site over WebVPN. To open a site over WebVPN, cut and paste the URL into the Enter WebVPN (URL) Address field.

ASDM User Guide

30-6

OL-10106-01

Chapter 30

WebVPN End User Set-up Capturing WebVPN Data

Table 30-2

WebVPN Remote System Configuration and End User Requirements (continued)

Task Using E-mail via Application Access

Remote System or End User Requirements Fulfill requirements for Application Access (See Using Applications)
Note

Specifications or Use Suggestions To use mail, start Application Access from the WebVPN Home page. The mail client is then available for use.

If you are using an IMAP client and you lose your mail server connection or are unable to make a new connection, close the IMAP application and restart WebVPN. We have tested Microsoft Outlook Express versions 5.5 and 6.0. WebVPN should support other SMTPS, POP3S, or IMAP4S e-mail programs via port forwarding, such as Netscape Mail, Lotus Notes, and Eudora, but we have not verified them.

Other mail clients

Using E-mail via Web Access

Web-based e-mail product installed

Supported products include:

Outlook Web Access For best results, use OWA on Internet Explorer 6.x or higher, Mozilla 1.7, or Firefox 1.x.

Lotus iNotes

Other web-based e-mail products should also work, but we have not verified them. Using E-mail via E-mail Proxy SSL-enabled mail application installed Do not set the security appliance SSL version to TLSv1 Only. Outlook and Outlook Express do not support TLS. Supported mail applications:

Microsoft Outlook Microsoft Outlook Express versions 5.5 and 6.0 Netscape Mail version 7 Eudora 4.2 for Windows 2000

Other SSL-enabled mail clients should also work, but we have not verified them. Mail application configured

Capturing WebVPN Data


The CLI capture command lets you log information about websites that do not display properly over a WebVPN connection. This data can help your Cisco customer support engineer troubleshoot problems. The following sections describe how to use the capture command:

Creating a Capture File Using a Browser to Display Capture Data

Note

Enabling WebVPN capture affects the performance of the security appliance. Be sure to disable the capture after you generate the capture files needed for troubleshooting.

ASDM User Guide OL-10106-01

30-7

Chapter 30 Capturing WebVPN Data

WebVPN End User Set-up

Creating a Capture File


Perform the following steps to capture data about a WebVPN session to a file.
Step 1

To start the WebVPN capture utility, use the capture command from privileged EXEC mode. capture capture_name type webvpn user webvpn_username where:

capture_name is a name you assign to the capture, which is also prepended to the name of the capture files. webvpn_user is the username to match for capture.

The capture utility starts.


Step 2

A WebVPN user logs in to begin a WebVPN session. The capture utility is capturing packets. Stop the capture by using the no version of the command. no capture capture_name The capture utility creates a capture_name.zip file, which is encrypted with the password koleso.

Step 3 Step 4

Send the .zip file to Cisco Systems, or attach it to a Cisco TAC service request. To look at the contents of the .zip file, unzip it using the password koleso.

The following example creates a capture named hr, which captures WebVPN traffic for user2 to a file:
hostname# capture hr type webvpn user user2 WebVPN capture started. capture name hr user name user2 hostname# no capture hr

Using a Browser to Display Capture Data


Perform the following steps to capture data about a WebVPN session and view it in a browser.
Step 1

To start the WebVPN capture utility, use the capture command from privileged EXEC mode. capture capture_name type webvpn user webvpn_username where:

capture_name is a name you assign to the capture, which is also prepended to the name of the capture files. webvpn_username is the username to match for capture.

The capture utility starts.


Step 2

A WebVPN user logs in to begin a WebVPN session. The capture utility is capturing packets. Stop the capture by using the no version of the command.

Step 3

Open a browser and in the address box enter https://IP_address or hostname of the security appliance/webvpn_capture.html

ASDM User Guide

30-8

OL-10106-01

Chapter 30

WebVPN End User Set-up Capturing WebVPN Data

The captured content displays in a sniffer format.


Step 4

When you finish examining the capture content, stop the capture by using the no version of the command.

ASDM User Guide OL-10106-01

30-9

Chapter 30 Capturing WebVPN Data

WebVPN End User Set-up

ASDM User Guide

30-10

OL-10106-01

C H A P T E R

31

E-Mail Proxy
E-mail proxies extend remote e-mail capability to WebVPN users. When users attempt an e-mail session via e-mail proxy, the e-mail client establishes a tunnel using the SSL protocol. The e-mail proxy protocols are as follows:
POP3S

POP3S is one of the e-mail proxies WebVPN supports. By default the Security Appliance listens to port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the POP3 protocol starts, and then authentication occurs. POP3S is for receiving e-mail.
IMAP4S

IMAP4S is one of the e-mail proxies WebVPN supports. By default the Security Appliance listens to port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4 proxy allows only SSL connections on that port. After the SSL tunnel establishes, the IMAP4 protocol starts, and then authentication occurs. IMAP4S is for receiving e-mail.
SMTPS

SMTPS is one of the e-mail proxies WebVPN supports. By default the Security Appliance listens to port 988, and connections are automatically allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel establishes, the SMTPS protocol starts, and then authentication occurs. SMTPS is for sending e-mail.

Configuring E-Mail Proxy


Configuring e-mail proxy on the consists of the following tasks:

Enabling e-Mail proxy on interfaces. Configuring e-mail proxy default servers. Setting AAA server groups and a default group policy. Configuring delimiters.

Configuring E-mail proxy also has these requirements:


Users who access e-mail from both local and remote locations via e-mail proxy require separate e-mail accounts on their e-mail program for local and remote access. E-mail proxy sessions require that the user authenticate.

ASDM User Guide OL-10106-01

31-1

Chapter 31 AAA

E-Mail Proxy

AAA
Configuration > Features > VPN > E-mail Proxy > AAA This panel has three tabs:

POP3S Tab IMAP4S Tab SMTPS Tab

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

POP3S Tab
Configuration > Features > VPN > E-mail Proxy > AAA > POP3S Tab The POP3S AAA panel associates AAA server groups and configures the default group policy for POP3S sessions.
Fields

AAA server groupsClick to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups. group policiesClick to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies. Authentication Server GroupSelect the authentication server group for POP3S user authentication. The default is to have no authentication servers configured. If you have set AAA as the authentication method for POP3S (Configuration > Features AAA > VPN > E-Mail Proxy > Authentication panel), you must configure an AAA server and select it here, or authentication always fails. Authorization Server GroupSelect the authorization server group for POP3S user authorization. The default is to have no authorization servers configured. Accounting Server GroupSelect the accounting server group for POP3S user accounting. The default is to have no accounting servers configured. Default Group PolicySelect the group policy to apply to POP3S users when AAA does not return a CLASSID attribute. The length must be between 4 and 15 alphanumeric characters. If you do not specify a default group policy, and there is no CLASSID, the security appliance can not establish the session. Authorization SettingsLets you set values for usernames that the security appliance recognizes for POP3S authorization. This applies to POP3S users that authenticate with digital certificates and require LDAP or RADIUS authorization.

ASDM User Guide

31-2

OL-10106-01

Chapter 31

E-Mail Proxy AAA

User the entire DN as the usernameSelect to use the Distinguished Name for POP3S

authorization.
Specify individual DN fields as the usernameSelect to specify specific DN fields for user

authorization. You can choose two DN fields, primary and secondary. For example, if you choose EA, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com. If you choose EA and O, John Does must authenticate as johndoe@cisco.com and Cisco Systems, Inc.
Primary DN FieldSelect the primary DN field you want to configure for POP3S authorization.

The default is CN. Options include the following: DN Field Country (C) Common Name (CN) DN Qualifier (DNQ) E-mail Address (EA) Generational Qualifier (GENQ) Given Name (GN) Initials (I) Locality (L) Name (N) Organization (O) Organizational Unit (OU) Serial Number (SER) Surname (SN) State/Province (S/P) Title (T) User ID (UID) Definition The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations. The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. A specific DN attribute. The e-mail address of the person, system or entity that owns the certificate. A generational qualifier such as Jr., Sr., or III. The first name of the certificate owner. The first letters of each part of the certificate owners name. The city or town where the organization is located. The name of the certificate owner. The name of the company, institution, agency, association, or other entity. The subgroup within the organization. The serial number of the certificate. The family name or last name of the certificate owner. The state or province where the organization is located. The title of the certificate owner, such as Dr. The identification number of the certificate owner.

Secondary DN Field(Optional) Select the secondary DN field you want to configure for

POP3S authorization. The default is OU. Options include all of those in the preceding table, with the addition of None, which you select if you do not want to include a secondary field.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

31-3

Chapter 31 AAA

E-Mail Proxy

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

IMAP4S Tab
Configuration > Features > VPN > E-mail Proxy > AAA > IMAP4S Tab The IMAP4S AAA panel associates AAA server groups and configures the default group policy for IMAP4S sessions.
Fields

AAA server groupsClick to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups. group policyClick to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies. Authentication Server GroupSelect the authentication server group for IMAP4S user authentication. The default is to have no authentication servers configured. If you have set AAA as the authentication method for IMAP4S (Configuration > Features AAA > VPN > E-Mail Proxy > Authentication panel), you must configure an AAA server and select it here, or authentication always fails. Authorization Server GroupSelect the authorization server group for IMAP4S user authorization. The default is to have no authorization servers configured. Accounting Server GroupSelect the accounting server group for IMAP4S user accounting. The default is to have no accounting servers configured. Default Group PolicySelect the group policy to apply to IMAP4S users when AAA does not return a CLASSID attribute. If you do not specify a default group policy, and there is no CLASSID, the security appliance can not establish the session. Authorization SettingsLets you set values for usernames that the security appliance recognizes for IMAP4S authorization. This applies to IMAP4S users that authenticate with digital certificates and require LDAP or RADIUS authorization.
User the entire DN as the usernameSelect to use the fully qualified domain name for IMAP4S

authorization.
Specify individual DN fields as the usernameSelect to specify specific DN fields for user

authorization. You can choose two DN fields, primary and secondary. For example, if you choose EA, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com. If you choose EA and O, John Does must authenticate as johndoe@cisco.com and Cisco. Systems, Inc.

ASDM User Guide

31-4

OL-10106-01

Chapter 31

E-Mail Proxy AAA

Primary DN FieldSelect the primary DN field you want to configure for IMAP4S

authorization. The default is CN. Options include the following: DN Field Country (C) Common Name (CN) DN Qualifier (DNQ) E-mail Address (EA) Generational Qualifier (GENQ) Given Name (GN) Initials (I) Locality (L) Name (N) Organization (O) Organizational Unit (OU) Serial Number (SER) Surname (SN) State/Province (S/P) Title (T) User ID (UID) Definition The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations. The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. A specific DN attribute. The e-mail address of the person, system or entity that owns the certificate. A generational qualifier such as Jr., Sr., or III. The first name of the certificate owner. The first letters of each part of the certificate owners name. The city or town where the organization is located. The name of the certificate owner. The name of the company, institution, agency, association, or other entity. The subgroup within the organization. The serial number of the certificate. The family name or last name of the certificate owner. The state or province where the organization is located. The title of the certificate owner, such as Dr. The identification number of the certificate owner.

Secondary DN Field(Optional) Select the secondary DN field you want to configure for

IMAP4S authorization. The default is OU. Options include all of those in the preceding table, with the addition of None, which you select if you do not want to include a secondary field.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

SMTPS Tab
Configuration > Features > VPN > E-mail Proxy > AAA > SMTPS Tab The SMTPS AAA panel associates AAA server groups and configures the default group policy for SMTPS sessions.

ASDM User Guide OL-10106-01

31-5

Chapter 31 AAA

E-Mail Proxy

Fields

AAA server groupsClick to go to the AAA Server Groups panel (Configuration > Features > Properties > AAA Setup > AAA Server Groups), where you can add or edit AAA server groups. group policyClick to go to the Group Policy panel (Configuration > Features > VPN > General > Group Policy), where you can add or edit group policies. Authentication Server GroupSelect the authentication server group for SMTPS user authentication. The default is to have no authentication servers configured. If you have set AAA as the authentication method for SMTPS (Configuration > Features AAA > VPN > E-Mail Proxy > Authentication panel), you must configure an AAA server and select it here, or authentication always fails. Authorization Server GroupSelect the authorization server group for SMTPS user authorization. The default is to have no authorization servers configured. Accounting Server GroupSelect the accounting server group for SMTPS user accounting. The default is to have no accounting servers configured. Default Group PolicySelect the group policy to apply to SMTPS users when AAA does not return a CLASSID attribute. If you do not specify a default group policy, and there is no CLASSID, the security appliance can not establish the session. Authorization SettingsLets you set values for usernames that the security appliance recognizes for SMTPS authorization. This applies to SMTPS users that authenticate with digital certificates and require LDAP or RADIUS authorization.
User the entire DN as the usernameSelect to use the fully qualified domain name for SMTPS

authorization.
Specify individual DN fields as the usernameSelect to specify specific DN fields for user

authorization. You can choose two DN fields, primary and secondary. For example, if you choose EA, users authenticate according to their e-mail address. Then a user with the Common Name (CN) John Doe and an e-mail address of johndoe@cisco.com cannot authenticate as John Doe or as johndoe. He must authenticate as johndoe@cisco.com. If you choose EA and O, John Does must authenticate as johndoe@cisco.com and Cisco. Systems, Inc.
Primary DN FieldSelect the primary DN field you want to configure for SMTPS

authorization. The default is CN. Options include the following: DN Field Country (C) Common Name (CN) DN Qualifier (DNQ) E-mail Address (EA) Generational Qualifier (GENQ) Given Name (GN) Initials (I) Locality (L) Name (N) Definition The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations. The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. A specific DN attribute. The e-mail address of the person, system or entity that owns the certificate. A generational qualifier such as Jr., Sr., or III. The first name of the certificate owner. The first letters of each part of the certificate owners name. The city or town where the organization is located. The name of the certificate owner.

ASDM User Guide

31-6

OL-10106-01

Chapter 31

E-Mail Proxy Access

DN Field Organization (O) Organizational Unit (OU) Serial Number (SER) Surname (SN) State/Province (S/P) Title (T) User ID (UID)

Definition The name of the company, institution, agency, association, or other entity. The subgroup within the organization. The serial number of the certificate. The family name or last name of the certificate owner. The state or province where the organization is located. The title of the certificate owner, such as Dr. The identification number of the certificate owner.

Secondary DN Field(Optional) Select the secondary DN field you want to configure for

SMTPS authorization. The default is OU. Options include all of those in the preceding table, with the addition of None, which you select if you do not want to include a secondary field.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Access
Configuration > VPN > E-Mail Proxy > Access The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy. You can configure e-mail proxies on individual interfaces, and you can configure e-mail proxies for one interface and then apply your settings to all interfaces. You cannot configure e-mail proxies for management-only interfaces, or for subinterfaces.
Fields

InterfaceDisplays the names of all configured interfaces. POP3S EnabledShows whether POP3S is enabled for the interface. IMAP4s EnabledShows whether IMAP4S is enabled for the interface. SMTPS EnabledShows whether SMTPS is enabled for the interface. EditClick to edit the e-mail proxy settings for the highlighted interface.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

31-7

Chapter 31 Authentication

E-Mail Proxy

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Edit E-Mail Proxy Access


Configuration > VPN > E-Mail Proxy > Access > Edit E-Mail Proxy Access The E-mail Proxy Access screen lets you identify interfaces on which to configure e-mail proxy. You can configure e-mail proxies on individual interfaces, and you can configure e-mail proxies for one interface and then apply your settings to all interfaces.
Fields

InterfaceDisplays the name of the selected interface. POP3S EnabledSelect to enable POP3S for the interface. IMAP4s Enabledelect to enable IMAP4S for the interface. SMTPS EnabledSelect to enable SMTPS for the interface. Apply to all interfaceSelect to apply the settings for the current interface to all configured interfaces.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Authentication
Configuration > Features > VPN >E-mail Proxy > Authentication This panel lets you configure authentication methods for e-mail proxy sessions.
Fields

POP3S/IMAP4S/SMTPS AuthenticationLet you configure authentication methods for each of the e-mail proxy types. You can select multiple methods of authentication.

AAASelect to require AAA authentication. This option requires a configured AAA server. The user presents a username, server and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.

ASDM User Guide

31-8

OL-10106-01

Chapter 31

E-Mail Proxy Default Servers

CertificateCertificate authentication does not work for e-mail proxies in the current security appliance software release. Piggyback HTTPSSelect to require piggyback authentication. This authentication scheme requires a user to have already established a WebVPN session. The user presents an e-mail username only. No password is required. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other. SMTPS e-mail most often uses piggyback authentication because most SMTP servers do not allow users to log in.

Note

IMAP generates a number of sessions that are not limited by the simultaneous user count but do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the WebVPN connection expires, a user cannot subsequently establish a new connection. There are several solutions: - The user can close the IMAP application to clear the sessions with the security appliance, and then establish a new WebVPN connection. - The administrator can increase the simultaneous logins for IMAP users (Configuration > Features > VPN > General > Group Policy > Edit Group Policy > General). - Disable HTTPS/Piggyback authentication for e-mail proxy.

Mailhost(SMTPS only) Select to require mailhost authentication. This option appears for SMTPS only because POP3S and IMAP4S always perform mailhost authentication. It requires the users e-mail username, server and password.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Default Servers
Configuration > Features > VPN > E-mail Proxy > Default Servers This panel lets you identify proxy servers to the security appliance. Enter the IP address and port of the appropriate proxy server.
Fields

POP3S/IMAP4S/SMTPS Default ServerLet you configure a default server, port and non-authenticated session limit for e-mail proxies. Name or IP AddressType the DNS name or IP address for the default e-mail proxy server.

ASDM User Guide OL-10106-01

31-9

Chapter 31 Delimiters

E-Mail Proxy

PortType the port number on which the security appliance listens for e-mail proxy traffic. Connections are automatically allowed to the configured port. The e-mail proxy allows only SSL connections on this port. After the SSL tunnel establishes, the e-mail proxy starts, and then authentication occurs. For POP3s the default port is 995, for IMAP4S it is 993, and for SMTPS it is 988.

Enable non-authenticated session limitSelect to restrict the number of non-authenticated e-mail proxy sessions. E-mail proxy connections have three states:
1. 2. 3.

A new e-mail connection enters the unauthenticated state. When the connection presents a username, it enters the authenticating state. When the security appliance authenticates the connection, it enters the authenticated state.

This feature lets you set a limit for sessions in the process of authenticating, thereby preventing DOS attacks. When a new session exceeds the set limit, the security appliance terminates the oldest non-authenticating connection. If there are no non-authenticating connections, the oldest authenticating connection is terminated. The does not terminate authenticated sessions.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Delimiters
Configuration > Features > VPN > E-mail Proxy > Delimiters This panel lets you configure username/password delimiters and server delimiters for e-mail proxy authentication.
Fields

POP3S/IMAP4S/SMTPS DelimitersLet you configure username/password and server delimiters for each of the e-mail proxies.
Username/Password DelimiterSelect a delimiter to separate the VPN username from the

e-mail username. Users need both usernames when using AAA authentication for e-mail proxy and the VPN username and e-mail username are different. Users enter both usernames, separated by the delimiter you configure here, and also the e-mail server name, when they log in to an e-mail proxy session.

Note

Passwords for WebVPN e-mail proxy users cannot contain characters that are used as delimiters.

ASDM User Guide

31-10

OL-10106-01

Chapter 31

E-Mail Proxy Delimiters

Server DelimiterSelect a delimiter to separate the username from the name of the e-mail

server. It must be different from the VPN Name Delimiter. Users enter both their username and server in the username field when they log in to an e-mail proxy session. For example, using : as the VPN Name Delimiter and @ as the Server Delimiter, when logging in to an e-mail program via e-mail proxy, the user would enter their username in the following format: vpn_username:e-mail_username@server.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

31-11

Chapter 31 Delimiters

E-Mail Proxy

ASDM User Guide

31-12

OL-10106-01

C H A P T E R

32

Configuring SSL Settings


SSL
Configuration > Properties > SSL The security appliance uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS) to achieve secure message transmission for both ASDM and WebVPN sessions. The SSL window lets you configure SSL versions for clients and servers and encryption algorithms. It also lets you apply previously configured trustpoints to specific interfaces, and to configure a fallback trustpoint for interfaces that do not have an associated trustpoint.
Fields

Server SSL VersionChoose to specify the SSL/TLS protocol version the security appliance uses when acting as a server. You can make only one selection.

Options for Server SSL versions include the following: Any Negotiate SSL V3 Negotiate TLS V1 SSL V3 Only TLS V1 Only The security appliance accepts SSL version 2 client hellos, and negotiates either SSL version 3 or TLS version 1. The security appliance accepts SSL version 2 client hellos, and negotiates to SSL version 3. The security appliance accepts SSL version 2 client hellos, and negotiates to TLS version 1. The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3. The security appliance accepts only TLSv1 client hellos, and uses only TLS version 1.

Note

To use WebVPN port forwarding, you must select Any or Negotiate SSL V3. The issue is that JAVA only negotiates SSLv3 in the client Hello packet when you launch the Port Forwarding application.

Client SSL VersionChoose to specify the SSL/TLS protocol version the security appliance uses when acting as a server. You can make only one selection.

ASDM User Guide OL-10106-01

32-1

Chapter 32 SSL

Configuring SSL Settings

Options for Client SSL versions include the following: any sslv3-only tlsv1-only The security appliance sends SSL version3 hellos, and negotiates either SSL version 3 or TLS version 1. The security appliance sends SSL version 3 hellos, and accepts only SSL version 3. The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.

EncryptionLets you set SSL encryption algorithms.


Available AlgorithmsLists the encryption algorithms the security appliance supports that are

not in use for SSL connections. To use, or make active, an available algorithm, highlight the algorithm and click Add.
Active AlgorithmsLists the encryption algorithms the security appliance supports and is

currently using for SSL connections. To discontinue using, or change an active algorithm to available status, highlight the algorithm and click Remove.
Add/RemoveClick to change the status of encryption algorithms in either the Available or

Active Algorithms columns.


Move Up/Move DownHighlight an algorithm and click these buttons to change its priority.

The security appliance attempts to use an algorithm

TrustpointsLets you select a fallback trustpoint, and displays configured interfaces and the configured trustpoints associated with them. To enroll a trustpoint, go to Configuration > Properties > Certificate > Enrollment.
Fallback TrustpointClick to select a trustpoint to use for interfaces that have no trustpoint

associated with them. If you select None, the security appliance uses the default RSA key-pair and certificate.

Note

The trustpoint must have a certificate associated with it to display in this drop-down list.
Interface and Trustpoint columnsDisplay configured interfaces and the trustpoint, if any, for

the interface.
EditClick to change the trustpoint for the highlighted interface.

ApplyClick to apply your changes. ResetClick to remove changes you have made and reset SSL parameters to the values that they held when you opened the window.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

32-2

OL-10106-01

Chapter 32

Configuring SSL Settings SSL

Edit SSL Trustpoint


Configuration > Properties > SSL > Edit SSL Trustpoint
Fields

InterfaceDisplays the name of the interface you are editing. Enrolled TrustpointClick to select a previously enrolled trustpoint to associate with the named interface.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

32-3

Chapter 32 SSL

Configuring SSL Settings

ASDM User Guide

32-4

OL-10106-01

C H A P T E R

33

Configuring Certificates
Digital certificates provide digital identification for authentication. A digital certificate contains information that identifies a device or user, such as the name, serial number, company, department, or IP address. CAs issue digital certificates in the context of a PKI, which uses public-key/private-key encryption to ensure security. CAs are trusted authorities that sign certificates to verify their authenticity, thus guaranteeing the identity of the device or user. A CA certificate is one used to sign other certificates. A CA certificate that is self-signed is called a root certificate; one issued by another CA certificate is called a subordinate certificate. CAs also issue identity certificates, which are the certificates for specific systems or hosts. For authentication using digital certificates, there must be at least one identity certificate and its issuing CA certificate on a security appliance, which allows for multiple identities, roots and certificate hierarchies.
For More Information

Authenticating, Enrolling for, and Managing Digital Certificates

Authentication
Configuration > Properties > Certificate > Authentication The Authentication panel lets you authenticate a CA certificate, which associates the CA certificate with a trustpoint and installs it on the security appliance. You can edit an existing trustpoint configuration or you can create a new one. If the trustpoint you select is configured for manual enrollment, you should obtain the CA certificate manually and import it here. If the trustpoint you select is configured for automatic enrollment, the security appliance uses the SCEP protocol to contact the CA, and then automatically obtains and installs the certificate.
Fields

Trustpoint NameDisplays a list containing the trustpoints available from which to obtain the CA certificate. Click a trustpoint in the list and edit its configuration, or add a new trustpoint. EditClick to modify a trustpoint configuration currently appearing in the Trustpoint Name box. NewAdd a new trustpoint configuration to the list.

ASDM User Guide OL-10106-01

33-1

Chapter 33 Enrollment

Configuring Certificates

FingerprintSpecify a key consisting of alphanumeric characters the security appliance uses to authenticate the CA certificate. If you provide a fingerprint, the security appliance compares it to the computed fingerprint of the CA certificate and accepts the certificate only if the two values match. If there is no fingerprint, the security appliance accepts the certificate without one. Import from a fileFor manual enrollment only, identify a file from which to import the certificate. You can type the pathname of the file in the box or you can click Browse and search for the file.
BrowseDisplays the Load Certificate File dialog box that lets you navigate to the file

containing the certificate.


Enter the certificate text in base64 formatFor manual enrollment, enter the trustpoint configuration in base64 format. AuthenticateComplete the authentication procedure.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Authenticating, Enrolling for, and Managing Digital Certificates

Enrollment
Configuration > Properties > Certificate > Enrollment The Enrollment panel lets you select a trustpoint configuration from the list, edit a trustpoint configuration or create a new one. However, for automatic enrollment, you cannot generate an enrollment request until you have authenticated the CA certificate. For automatic enrollment, the security appliance contacts the CA using SCEP protocol, obtains the identity certificates, and installs them on the device. For manual enrollment, an enrollment request dialog box appears containing the certificate enrollment request. Use this enrollment request to obtain the identity certificate from the management interface of the CA. The identity certificate obtained must be in base64 or hexadecimal format. You can then import it in the Import Certificate dialog box.
Fields

Trustpoint NameSpecify the trustpoint for which to generate the enrollment request. Select the name from a list, edit the name currently appearing in the box, or add a new trustpoint configuration. EditModify the trustpoint configuration currently appearing in the Trustpoint Name box. NewAdd a new trustpoint configuration to the list. EnrollInitiate the enrollment process with the CA.

ASDM User Guide

33-2

OL-10106-01

Chapter 33

Configuring Certificates Import Certificate

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Authenticating, Enrolling for, and Managing Digital Certificates

Import Certificate
Configuration > Properties > Certificate > Import Certificate The Import Certificate panel lets you install the device certificate that you received from the CA during manual enrollment. To import certificates from a CA, there should be a CA certificate associated with the selected trustpoint. If not, the security appliance displays a warning.
Fields

Trustpoint NameSpecify the name of the trustpoint from which you received the certificate. Select the name from a list, edit the name currently appearing in the box, or add a new trustpoint configuration. EditModify the trustpoint configuration currently appearing in the Trustpoint Name box. NewAdd a new trustpoint configuration to the list. Import from a fileIdentify a file from which to import the identity certificate. You can type the pathname of the file in the box or you can click Browse and search for the file.
BrowseDisplays the Load CA certificate file dialog box that lets you navigate to the file

containing the certificate.

Enter the certificate text in base64 formatFor manual enrollment, lets you use cut and paste to transfer the certificate data to this security appliance from the source exported.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Key Pair
Configuration > Properties > Certificate > Key Pair
ASDM User Guide OL-10106-01

33-3

Chapter 33 Key Pair

Configuring Certificates

RSA key pairs are required to enroll for identity certificates. The security appliance supports multiple key pairs.
Fields

Key-pair NameDisplays the name given to the key pair(s). TypeDisplays the type, which is RSA. UsageDisplays how an RSA key pair is to be used. There are two types of usage for RSA keys: general purpose, the default, and special. When you select Special, the security appliance generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required. SizeDisplays the modulus size of the key pair(s): 512, 768, 1024, and 2048. The default modulus size is 1024. AddOpens the Add Key Pair dialog box. Show DetailsDisplays the name, date generated, type, modulus size, usage and DER-encoded key data. DeleteDeletes the selected key pair. RefreshUpdates the display.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add Key Pair


Configuration > Properties > Certificate > Key Pair > Add Key Pair The Add Key Pair dialog box lets you add a new key pair to the list of key pairs.
Fields

NameSpecify a name for the key pair(s): the default key <Default-RSA-Key> or a specific key. The security appliance uses the default key pair when a trustpoint has no key pairs configured. SizeSpecify the modulus size of the key pair(s): 512, 768, 1024, and 2048. The default modulus size is 1024. TypeSpecify the type, which can be RSA only. UsageSpecify how the key pair is to be used. There are two types of usage for RSA keys: general purpose, the default, or special. When you click Special, the security appliance generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required. Generate NowGenerate the key pair.

ASDM User Guide

33-4

OL-10106-01

Chapter 33

Configuring Certificates Manage Certificate

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Key Pair Details


Configuration > Properties > Certificate > Key Pair > Show Details The Key-pair Details dialog box displays information about the selected key-pair.
Fields

Key PairDisplays the name given to the key pair. Generation TimeDisplays time and date that the key was generated. TypeDisplays the type of key pair (RSA). SizeDisplays the modulus size. For RSA keys, the size can be 512, 768, 1024, or 2048. The default modulus size is 1024. UsageDisplays how an RSA key pair is to be used. There are two types of usage for RSA keys: general purpose, the default, and special. When the purpose of the key pair is Special, the security appliance generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required. Key DataDisplays the DER-encoded key data.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Manage Certificate
Configuration > Properties > Certificate > Manage Certificates The Manage Certificates panel displays all of your certificates in a table and lets you add/edit a certificate, display certificate information, refresh a display and delete certificates from the security appliance.
Fields

SubjectIdentifies the owner of the certificate.

ASDM User Guide OL-10106-01

33-5

Chapter 33 Manage Certificate

Configuring Certificates

TypeIdentifies the type: CA, RA general, RA encryption, RA signature, identity. TrustpointIdentifies the trustpoint. StatusIdentifies the status: Available or Pending:
Available means that the CA has accepted the enrollment request and has issued an identity

certificate.
Pending means that the enrollment request is still in process and that the CA has not issued the

identity certificate yet.


UsageIdentifies how the certificate is used: signature, general purpose, or encryption. AddDisplays the Add Certificate dialog box, which lets you add CA/RA/Identity certificates onto the security appliance. You can use this dialog box to import a certificate from a file you have exported or use cut and paste to enter a certificate onto the security appliance. Show DetailsDisplays the Certificate Details dialog box, which shows the following information about the selected certificate:
GeneralDisplays the values for type, serial number, status, usage, CRL distribution point,

and the time within which the certificate is valid. This applies to both available and pending status.
Subject Displays the X.500 fields of the subject DN or certificate owner and their values.

This applies only to available status.


IssuerDisplays the X.500 fields of the entity that granted the certificate. This applies only to

available status.

RefreshRenews the display of the table in the Manage Certificates panel. DeleteDisplays the Delete Certificate dialog box that asks you to confirm the certificate removal. If you delete a CA certificate, the security appliance deletes all the associated identity certificates as well.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Authenticating, Enrolling for, and Managing Digital Certificates

Add Certificate
Configuration > Properties > Certificate > Manage Certificates > Add Certificate The Add Certificate dialog box lets you manually add CA/RA/Identity certificates.
Fields

Trustpoint NameSpecify the certificate to add to the Manage Certificates table.

ASDM User Guide

33-6

OL-10106-01

Chapter 33

Configuring Certificates Trustpoint

EditModify the trustpoint configuration currently appearing in the Trustpoint Name box. NewAdd a new trustpoint configuration to the list. Certificate TypeSpecify the type: CA, RA general, RA encryption, RA signature, Identity. Serial NumberInclude the serial number of the security appliance in the certificate. Import from a fileIdentify a file from which to import the certificate. You can type the pathname of the file in the box or you can click Browse and search for the file.
BrowseDisplay the Add Certificate dialog box that lets you navigate to the file containing the

certificate.

Enter the certificate text in base64 formatLets you use cut and paste to transfer the certificate data to this security appliance from the source text that was exported, which should be in hexadecimal format only.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Trustpoint
A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Configuration
Configuration > Properties > Certificate > Trustpoint > Configuration The Configuration panel lets you identify a CA, which can be a root CA, and have a self-signed certificate that contains its own public key. In the Configuration panel, you can add, edit, or delete a CA as a trustpoint, and request a CRL.
Fields

Trustpoint NameDisplays the name of the trustpoint, for example, an IP address or a hostname. Device Certificate SubjectDisplays the subject DN owning the certificate for the security appliance system. CA Certificate SubjectDisplays the subject name of the CA certificate. AddOpens the Add Trustpoint Configuration dialog box. EditOpens the Edit Trustpoint Configuration dialog box. DeleteRemoves the selected trustpoint. Request CRLRetrieves the Certificate Revocation List for the selected trustpoint. To view it, see Monitoring > Properties > CRL.

ASDM User Guide OL-10106-01

33-7

Chapter 33 Trustpoint

Configuring Certificates

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint Configuration > Enrollment Settings Tab


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > Enrollment Settings Tab The Enrollment Settings tab lets you add a trustpoint to the trustpoint table. The Edit Trustpoint Configuration > Enrollment Settings tab lets you modify information about the selected trustpoint.
Fields

Trustpoint NameSpecify the name of the trustpoint corresponding to a CA. For example, this can be an IP address or a hostname. Generate a self-signed certificate on enrollmentClick to generate a self-signed device certificate for the security appliance during enrollment. This provides a way to create self-signed certificates for use when terminating SSL connections. This feature is not checked by default. When this option is checked, you can configure only the key pair and the certificate parameters. Key PairSelect a previously defined key pair in the list. Before you add a trustpoint, you should configure a key pair. So if this list is empty, you can add the key pair by selecting New Key Pair. Show DetailsDisplay information about the key pair including its name, when it was generated, its type (RSA), its modulus, its usage (general purpose or special) and the key data in DER-encoded format. New Key PairOpen the Add Key Pair dialog box, which lets you enter a name, size, type, and usage for a new key pair. Challenge PasswordSpecify a challenge phrase that is registered with the CA during enrollment. Confirm Challenge PasswordVerify the challenge password. Use manual enrollmentSpecify intention to generate a PKCS10 certification request. The CA issues a certificate to the security appliance based on the request and the certificate is installed on the security appliance by importing the new certificate. Use automatic enrollmentSpecify intention to use SCEP mode. When the indicated trustpoint is configured for SCEP enrollment, the security appliance then downloads the certificates using the SCEP protocol. Enrollment URLSpecify the name of the URL for automatic enrollment. The maximum length is 1000 characters (effectively unbounded). Retry PeriodAfter requesting a certificate, the security appliance waits to receive a certificate from the CA. If the security appliance does not receive a certificate within the specified retry period, it sends another certificate request. Use this field to specify the number of minutes between attempts to send an enrollment request; the valid range is 1- 60 minutes. The default value is 1.

ASDM User Guide

33-8

OL-10106-01

Chapter 33

Configuring Certificates Trustpoint

Retry CountAfter requesting a certificate, the security appliance waits to receive a certificate from the CA. If the security appliance does not receive a certificate within the specified retry period, it sends another certificate request. The security appliance repeats the request until either it receives a response or reaches the retry count specified. Use this field to specify the maximum number of attempts to send an enrollment request, the valid range is 0, 1-100 retries. The default value is 0, which means an unlimited number of retries. Certificate ParametersDisplay the Certificate Parameters dialog box, which lets you specify attributes and their values to include in the certificate during enrollment, such as subject DN, FQDN, and so on.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Key Pair


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > Enrollment Settings > Add/Edit Key Pair The Add Key Pair dialog box lets you add a new key pair to the list of key pairs.
Fields

NameSpecify a name for the key pair(s): the default key <Default-RSA-Key> or a specific key. The security appliance uses the default key pair when a trustpoint has no key pairs configured. SizeSpecify the modulus size of the key pair(s): 512, 768, 1024, and 2048. The default modulus size is 1024. UsageSpecify how the key pair is to be used. There are two types of usage for RSA keys: general purpose, the default, or special. When you click Special, the security appliance generates two key pairs, one for signature use and one for encryption use. This implies that two certificates for the corresponding identity are required. Generate NowGenerate the key pair.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

33-9

Chapter 33 Trustpoint

Configuring Certificates

Certificate Parameters
Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > Enrollment Settings > Certificate Parameters The Certificate Parameters dialog box lets you specify the subject DN, FQDN, IP address to include during enrollment. Use this dialog box to include the device serial number.
Fields

Subject DNSpecify the attributes and values to use for the X.500 name of the subject. The subject is the owner of the certificate.
Click Edit to display the Edit DN dialog box to select the attributes and values for the Subject

DN.

FQDNInclude the fully qualified domain name in the Subject Alternative Name extension of the certificate. The FQDN is the part of a URL that completely identifies the server program that a request is addressed to; for example www.examplesite.com. E-mailInclude the indicated e-mail address in the Subject Alternative Name extension of the certificate. IP AddressInclude the indicated IP address in the Subject Alternative Name extension of the certificate. Include device serial numberInclude the security appliances serial number in the certificate during enrollment.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Edit DN
Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > Enrollment Settings > Certificate Parameters > Edit DN Edit DN Select one of the following attributes in the Attributes list, type the value in the Value box, and click Add. Select as many as are needed.
Fields

Common Name (CN)An individuals given name; for example, Pat. Department (OU)Organizational Unit or a subgroup of a larger organization such as an enterprise or a university; for example, Geology department. Company Name (O)Organization such as an enterprise or university; for example, University of Oz. Country (C)Two-letter designation for a specific country; for example, OZ.

ASDM User Guide

33-10

OL-10106-01

Chapter 33

Configuring Certificates Trustpoint

State (St)State or Province within a country; for example, Kansas. Location (L)Address of the subject; for example, 49 Wizard St. Email Address (EA)Pat@univoz.org.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint Configuration > Revocation Check Tab


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > Revocation Check Tab The Revocation Check tab lets you specify whether to check certificates for revocation, and if you do, the method to use. When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this time period expires; for example, due to security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the security appliance to check that the CA has not revoked a certificate every time it uses that certificate for authentication. The security appliance supports two methods for checking revocation status: CRL and OCSP.
Fields

Do not check certificates for revocationSelect if you want the security appliance not to check certificates for revocation status. Check certificates for revocationSelect to have the security appliance check certificates for revocation status. You must also specify at least one revocation method. Revocation methodsSpecify the revocation methods to use in checking certificates. If you specify more than one method, the security appliance applies methods in the order you set here. It uses the second method only if the first returns an error, for example, if the server is unavailable. Methods available include CRL and OCSP.
CRLThe security appliance retrieves, parses, and caches the complete certificate revocation

list to determine the status of a certificate.


OCSP The security appliance localizes certificate status on a Validation Authority, which it

can query for the status of a specific certificate.


AddClick either CRL or OCSP in the left to add it as a revocation checking method. RemoveClick either CRL or OCSP in the right to remove it as a revocation checking method. Move Up/Move DownUse these buttons to have the security appliance first use the method you prefer. Consider certificate valid if revocation checking returns errorsCheck to have the security appliance accept a certificate even if errors occur during a revocation check.

ASDM User Guide OL-10106-01

33-11

Chapter 33 Trustpoint

Configuring Certificates

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab The CRL Retrieval Policy tab lets you specify whether to retrieve CRLs from CRL DPs or from URLs listed in the Static URLs table.
Fields

Use CRL Distribution Point from the certificateClick to retrieve CRLs from the distribution point listed in the certificate. Use Static URLs configured belowClick to add up to five URLs from which the security appliance should attempt to obtain a CRL. AddDisplays the Add Static URL box. Use this box to add up to five URLs.
URL:Select URL type: HTTP, LDAP, or SCEP. ://Type the location that distributes the CRLs.

EditDisplay the Edit Static URL box for you to modify the selected URL. DeleteRemove the selected URL. Move UpMove the selected URL up in the table, until it is at the top. Move DownMove the selected URL down in the table, until it is at the bottom.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Static URL


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > CRL Retrieval Policy Tab > Add/Edit Static URL
Fields
URL:Select URL type: HTTP, LDAP, or SCEP.

ASDM User Guide

33-12

OL-10106-01

Chapter 33

Configuring Certificates Trustpoint

://Type the location that distributes the CRLs.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint Configuration > CRL Retrieval Method Tab


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > CRL Retrieval Method Tab The CRL Retrieval Method tab lets you specify how to retrieve CRLs, including LDAP, HTTP and SCEP. You can enable all methods. If you enable several methods, ASDM uses them in the order you specify.
Fields

Enable Lightweight Directory Access Protocol (LDAP)Check to enable. Specify LDAP parameters as follows:
NameIdentify the person who has access to the CRL on the server. PasswordSpecify a password for the person listed under Name. Confirm PasswordVerify the password. Default ServerSpecify the hostname or IP address of the LDAP server. Default PortSpecify the LDAP server port number. The default is 389.

Enable HTTPSpecify HTTP as a protocol to use for CRL retrieval. Enable Simple Certificate Enrollment Protocol (SCEP)Use the same method of retrieving the CRL as for enrollment, but not at enrollment time.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint Configuration > OCSP Rules Tab


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > OCSP Rules Tab

ASDM User Guide OL-10106-01

33-13

Chapter 33 Trustpoint

Configuring Certificates

The OCSP Rules tab lets you configure OCSP certificate matching rules. These rules provide flexibility in that you can assign OCSP server URLs via a trustpoint While you can configure multiple match rules for a trustpoint, only one match rule within a trustpoint can apply to a certificate map.
Fields

Certificate MapDisplays the name of the certificate map to match to this OCSP rule. Certificate maps match user permissions to specific fields in a certificate. You must configure the certificate map before you configure OCSP rules (Configuration > VPN > IKE > Certificate Group Matching > Rules). TrustpointDisplays the name of the trustpoint the security appliance uses to validate responder certificates. IndexDisplays the priority number for the rule. The security appliance examines OCSP rules in priority order, and applies the first one that matches. URLSpecifies the URL for the OCSP server for this trustpoint. AddClick to add a new OCSP rule. EditClick to edit an existing OCSP rule. DeleteClick to delete an OCSP rule.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint OCSP Rule dialog box


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > OCSP Rules Tab > Add/Edit Trustpoint OCSP Rule You can configure OCSP rules for a trustpoint that override the OCSP server URL specified within the AuthorityInfoAccess (AIA) field of the remote user certificate.

Certificate MapSelect the name of the certificate map to match to this OCSP rule. Certificate maps match user permission groups to specific fields in a certificate. Their function with OCSP is to let the security appliance access a particular OCSP server for revocation status, as well as to let you specify a trustpoint to validate the responder certificate. This lets you check revocation status via a trustpoint other than the trustpoint authenticating the remote user certificate. You must configure the certificate map before you configure OCSP rules (Configuration > VPN > IKE > Certificate Group Matching > Rules).

TrustpointSelect the trustpoint that you want to use for this OCSP rule. You must have already configured this trustpoint. IndexEnter a number to determine the execution order of the match rules. The security appliance searches the match rules lowest to highest, according to this index, and applies the first rule that matches.

ASDM User Guide

33-14

OL-10106-01

Chapter 33

Configuring Certificates Trustpoint

URLSpecify the URL for the OCSP server for this trustpoint. The security appliance uses OCSP servers in this order: 1. OCSP URL in a match certificate override rule (as configured here) 2. OCSP URL configured in the Add/Edit Trustpoint Configuration > Advanced Tab > OCSP Options attribute 3. AIA field of remote user certificate It you do not set this URL attribute, the OCSP server specified the Advanced Tab > OCSP Options attribute applies, and if that is not set, the OCSP server in the Authority Info Access (AIA) extension of the remote user certificate applies. If the AIA does not have an AIA extension and you do not set a valid OCSP server here or in the Advanced tab, revocation status checking fails. The security appliance supports only HTTP URLs, and you can specify only one URL per trustpoint.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Add/Edit Trustpoint Configuration > Advanced Tab


Configuration > Properties > Certificate > Trustpoint > Configuration > Add/Edit Trustpoint Configuration > Advanced Tab The Advanced tab lets you specify CRL and OCSP options. When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this time period expires; for example, due to security concerns or a change of name or association. CAs periodically issue a signed list of revoked certificates. Enabling revocation checking forces the security appliance to check that the CA has not revoked the certificate being verified. The security appliance supports two methods of checking revocation status: CRL and OCSP.
Fields

CRL Options
Cache Refresh TimeSpecify the number of minutes between cache refreshes. The default

number of minutes is 60. The range is 1-1440. To avoid having to retrieve the same CRL from a CA repeatedly, The security appliance can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the security appliance removes the least recently used CRL until more space becomes available.
Enforce next CRL updateRequire valid CRLs to have a Next Update value that has not

expired. Clearing the box allows valid CRLs with no Next Update value or a Next Update value that has expired.

OCSP Options

ASDM User Guide OL-10106-01

33-15

Chapter 33 Trustpoint

Configuring Certificates

Server URL:Enter the URL for the OCSP server. The security appliance uses OCSP servers

tin the following order: 1. OCSP URL in a match certificate override rule (Add/Edit Trustpoint Configuration > OCSP Rules tab) 2. OCSP URL configured in this OCSP Options attribute 3. AIA field of remote user certificate
Disable nonce extensionBy default the OCSP request includes the nonce extension, which

cryptographically binds requests with responses to avoid replay attacks. It works by matching the extension in the request to that in the response, ensuring that they are the same. Disable the nonce extension if the OCSP server you are using sends pre-generated responses that do not contain this matching nonce extension.

Accept certificates issued by this trustpointSpecify whether or not the security appliance should accept certificates from Trustpoint Name. Accept certificates issued by the subordinate CAs of this trustpoint Use the configuration of this trustpoint to validate any remote user certificate issued by the CA corresponding to this trustpointWhen enabled, the configuration settings active when a remote user certificate is being validated can be taken from this trustpoint if this trustpoint is authenticated to the CA that issued the remote certificate.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Export
Configuration > Properties > Certificate > Trustpoint > Export The Export panel lets you export a trustpoint configuration with all associated keys and certificates in PKCS12 format, which must be in base64 format. An entire trustpoint configuration includes the entire chain (root CA certificate, identity certificate, key pair) but not enrollment settings (subject name, FQDN and so on). This feature is commonly used in a failover or load balancing configuration to replicate trustpoints across a group of security appliances; for example, remote access clients calling in to a central organization that has several units to service the calls. These units must have equivalent trustpoint configurations. In this case, an administrator can export a trustpoint configuration and then import it across the group of security appliances.
Fields

Trustpoint NameClick a trustpoint in the list and edit its configuration, or add a new trustpoint configuration. EditModify the trustpoint configuration currently appearing in the Trustpoint Name box NewAdd a new trustpoint configuration to the list. Encryption PassphraseSpecify the passphrase used to encrypt the PKCS12 file for export.

ASDM User Guide

33-16

OL-10106-01

Chapter 33

Configuring Certificates Trustpoint

Confirm PassphraseVerify the encryption passphrase. Export to a fileSpecify the name of the PKCS12-format file to use in exporting the trustpoint configuration; PKCS12 is the public key cryptography standard, which can be base64 encoded or hexadecimal.
BrowseDisplay the Select a File dialog box that lets you navigate to the file to which you

want to export the trustpoint configuration.

Display the trustpoint configuration in PKCS12 formatDisplay the Export Trustpoint Configuration dialog box, which displays the trustpoint configuration in a text box. You can use cut and paste to extract the data and place it in the window of the Import panel. To exit, click OK. ExportExport the trustpoint configuration.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Import
Configuration > Properties > Certificate > Trustpoint > Import The Import panel lets you install an entire trustpoint configuration in PKCS12 format. An entire trustpoint configuration includes the entire chain (root CA certificate, RA certificate, identity certificate, key pair) but not enrollment sets (subject name, FQDN and so on). This feature is commonly used in a failover or load balancing configuration to replicate trustpoints across a group of security appliances; for example, remote access clients calling in to a central organization that has several units to service the calls. These units must have equivalent trustpoint configurations. In this case, an administrator can export a trustpoint configuration and then import it across the group of security appliances.
Fields

Trustpoint NameIdentify the trustpoint. When importing from another security appliance for failover or load balancing, you can use the same trustpoint name as the security appliance from which the trustpoint configuration was exported. However make sure that a trustpoint/key pair with the same name does not already exist. Decryption PassphraseSpecify the encryption passphrase specified during the export of the trustpoint configuration. Confirm PassphraseVerify the passphrase. Import from a fileIdentify a file from which to import the certificate. The text imported from a file should be PKCS12 data, in either base64 or hexadecimal format. You can type the pathname of the file in the box or you can click Browse and search for the file.
BrowseDisplay the Load Certificate File dialog box that lets you navigate to the file

containing the trustpoint configuration.

ASDM User Guide OL-10106-01

33-17

Chapter 33 Authenticating, Enrolling for, and Managing Digital Certificates

Configuring Certificates

Enter the trustpoint configuration in PKCS12 formatlets you paste the trustpoint configuration in PKCS12 format, which can be in either base64 or hexadecimal format. In this case, you use cut and paste to enter the data into the text box. ImportImport the trustpoint configuration.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Authenticating, Enrolling for, and Managing Digital Certificates


This section describes how to enroll for a digital certificate. Once enrolled, you can use the certificate for authenticating the device to VPN and SSL peers.

Summary of Configuration Steps


Here are the basic steps for enrolling with a CA and getting an identity certificate to use for authenticating tunnels. This example shows both automatic (SCEP) enrollment and manual enrollment. For information on fields not defined in this procedure, click the Help button.
1. 2. 3. 4. 5.

Generating a key pair for the identity certificate. The key pair is RSA. Creating a trustpoint. Configuring an enrollment URL. Authenticating the CA. Enrolling with the CA, which places an identity certificate onto the security appliance.

Note

Authenticating and Enrolling are two separate phases of the process. You must authenticate. Then you can enroll using either automatic enrollment or manual enrollment.

Generating the Key Pair


Begin by generating a key pair for the certificate. Generated key pairs are identified by labels that you provide when you configure the key pair. RSA Key pairs come in two types: general purpose and usage. General purpose is the default type and generates a single pair of keys. Usage type generates two key pairs, one for signature use and one for encryption use, thus requiring two certificates for the corresponding identity. To generate an RSA key pair using ASDM, follow this procedure:
Step 1

Under Configuration > Features > Device Administration > Certificate > Key Pair, click Add.

ASDM User Guide

33-18

OL-10106-01

Chapter 33

Configuring Certificates Authenticating, Enrolling for, and Managing Digital Certificates

Step 2 Step 3 Step 4

Configure the information in the Add Key Pair dialog box: Click Generate Now. To view the key pair generated, click Show Details. ASDM displays information about the key pair.

Enrolling for a Certificate Using Automatic Enrollment (SCEP)


Create a trustpoint. A trustpoint represents a CA/identity pair and contains the identity of the CA, specific configuration parameters, and an association with one enrolled identity certificate. To create a trustpoint, follow these steps:
Step 1 Step 2

Under Configuration > Features > Device Administration > Certificate >Trustpoint > Configuration, click Add. Configure the basic information in the Add Trustpoint Configuration dialog box. For all other parameters, you can accept the default values.
a. b.

Trustpoint NameType the trustpoint name in the Trustpoint Name box. Enrollment URLIn the Enrollment Settings panel, under the Enrollment Mode group box, for SCEP enrollment, click Use automatic enrollment. Then type the enrollment URL in the box. For example, type 10.20.30.40/cgi-bin/pkiclient.exe. If you want password verification for the certificate, type the password into the Challenge Password and Confirm Password boxes. If you need to revoke the certificate, you can provide this password to the CA administrator to identify that you are the certificate owner. This password is not saved in the configuration, so you should make a note of it.

c.

Step 3

Configure the configuration parameters next. At the very least, you need to configure a subject name for the certificate using X.500 fields; for example, common name (CN) and organizational unit (OU).
a. b. c. d.

In the Enrollment Settings panel, select the key pair you configured for this trustpoint in the Key Pair list. In the Enrollment Settings panel, click Certificate Parameters. To add subject DN values, click Edit in the Certificate Parameters dialog box. In the Edit DN box under DN Attribute to be Added, select an attribute in the Attribute list and type a value in the Value box. Then click Add. For example, first select Command Name (CN) and type Pat in the Value box; then select Department (OU) and type Engineering in the Value box. After entering all subject DN information, click OK. Optionally type values for FQDN, E-mail, and IP Address, and check the Include device serial number option. Click OK.

e. f. g. Step 4

Click Apply. If you have preview commands checked, ASDM displays the CLI commands based on the ASDM configuration for you to either send or cancel. Click Send. Do this for all features you configure using this procedure.

ASDM User Guide OL-10106-01

33-19

Chapter 33 Authenticating, Enrolling for, and Managing Digital Certificates

Configuring Certificates

Authenticating to the CA
Authenticating to the CA puts the CA certificate onto the security appliance. If you configure the trustpoint for SCEP enrollment, the CA certificate is downloaded through SCEP. If not, you must paste the CA certificate into the text box or point to the file with the browse button. This section shows SCEP enrollment. To authenticate to the CA, follow these steps:
Step 1 Step 2 Step 3

Under Configuration > Features > Device Administration > Certificate > Authentication, select the name of the trustpoint in the Trustpoint Name list. Click Authenticate. When ASDM displays the Authentication Successful dialog, click OK.

Enrolling with the CA


After you have configured the trustpoint and authenticated with it, you can enroll for an identity certificate. To enroll for an identity certificate using ASDM, follow these steps:
Step 1 Step 2

Under Configuration > Features > Device Administration > Certificate > Enrollment, select the trustpoint in the Trustpoint Name list. Click Enroll. After completing the action, ASDM displays the Copy Trustpoint Configuration to Standby dialog box, which tells you how to export the trustpoint configuration and how to check the enrollment status. This message is relevant only in a failover configuration; if you have not configured failover, you can ignore this step and click OK. If you have configured failover, you should follow the instructions in the dialog box to back up the certificate to the standby device.

Enrolling for a Certificate Using Manual Enrollment


Use this method when you receive an identity certificate from a CA through a means other than automatic enrollment.
Step 1 Step 2 Step 3 Step 4 Step 5

Under Configuration > Features > Device Administration > Certificate >Trustpoint > Configuration, click Add. On the Add Trustpoint Configuration dialog, type the name in the Trustpoint Name box. In the Enrollment Settings panel, select a key pair from the Key Pair list or add a new key pair by clicking New Key Pair. Optionally, type a password in the Challenge Password box and confirm it in the Confirm Challenge Password box. Click the Use manual enrollment option.

ASDM User Guide

33-20

OL-10106-01

Chapter 33

Configuring Certificates Authenticating, Enrolling for, and Managing Digital Certificates

Step 6

Click Certificate Parameters.


a. b.

To add subject DN values, click Edit in the Certificate Parameters dialog box. In the Edit DN box under DN Attribute to be Added, select an attribute in the Attribute list and type a value in the Value box. Then click Add. For example, first select Command Name (CN) and type Pat in the Value box; then select Department (OU) and type Engineering in the Value box. After adding all subject DN attributes, click OK. Optionally, type values for FQDN, E-mail, and IP Address, and click the Include device serial number option. Click OK.

c. d. e. Step 7 Step 8

Click on Configuration > Features > Device Administration > Certificate > Enrollment and select the trustpoint in the Trustpoint Name list. Click Enroll. The Enrollment Request dialog box displays, which describes what to do next. After reading the instructions, click OK. Either send the request by e-mail or enroll using the CAs web interface.

Step 9

After you receive the certificate from the CA, click Configuration > Features > Device Administration > Certificate > Import Certificate and select the name of the trustpoint in the Trustpoint Name list. Select a method for importing the certificate.

Step 10

Import from a FileType the filename or browse for the file. There must be a CA certificate associated with the selected trustpoint on your system and you must have received an identity certificate in a file from the CA. Enter the certificate text in base64 formatPaste the text from the identity certificate you received from the CA into the text box. For more information, click Help.

Step 11 Step 12

Click Import. To save the certificate enrollment configuration to flash, click Save.

Additional Steps for a Failover Configuration


To back up the identity certificate, CA certificate, and keys to other security appliances in your network, first export them to a file or use the export feature to display the certificate in a popup window for copying and pasting onto another security appliance through the import feature.

Exporting the Certificate to a File or PKCS12 data


To export a trustpoint configuration, follow these steps:
Step 1 Step 2 Step 3

Go to Configuration > Features > Device Administration > Certificate > Trustpoint > Export. Fill in the Trustpoint Name, Encryption Passphrase, and Confirm Passphrase fields. For information on these fields, click Help. Select a method for exporting the trustpoint configuration.

Export to a FileType the filename or browse for the file.

ASDM User Guide OL-10106-01

33-21

Chapter 33 Authenticating, Enrolling for, and Managing Digital Certificates

Configuring Certificates

Step 4

Display the trustpoint configuration in PKCS12 formatDisplay the entire trustpoint configuration in a text box and then copy it for importing. For more information, click Help.

Click Export.

Importing the Certificate onto the Standby Device


To import a trustpoint configuration, follow these steps:
Step 1 Step 2

Go to Configuration > Features > Device Administration > Certificate > Trustpoint > Import. Fill in the Trustpoint Name, Decryption Passphrase, and Confirm Passphrase fields. For information on these fields, click Help. The decryption passphrase is the same as the encryption passphrase used when the trustpoint configuration was exported. Select a method for importing the trustpoint configuration.

Step 3

Import from a FileType the filename or browse for the file. Enter the trustpoint configuration in PKCS12 formatPaste the entire trustpoint configuration from the exported source into a text box. For more information, click Help.

Managing Certificates
To manage certificates, go to Configuration > Features > Device Administration > Certificate > Manage Certificates. You can use this panel to add a new certificate and delete a certificate. You can also display information about a certificate by clicking the Show Detail button.The Certificate Details dialog box displays three tables: General, Subject and Issuer. The General table displays the following information:

TypeCA, RA, or Identity. Serial numberSerial number of the certificate. StatusAvailable, in progress, error, fail. UsageGeneral purpose or signature. CRL DPURL for of the distribution point containing the CRL for validating the certificate. Dates/times within which the certificate is valid Valid from, valid to.

The Subject panel displays the following information:


NameThe name of the person or entity that owns the certificate. Serial NumberThe serial number of the security appliance. X.500 fields for the subject of the certificateCN, OU, etc. Hostname of the certificate holderFor example, wland.com. Serial Number of the hostnameThe serial number of the security appliance.

ASDM User Guide

33-22

OL-10106-01

Chapter 33

Configuring Certificates Authenticating, Enrolling for, and Managing Digital Certificates

The Issuer panel displays the X.500 DN fields for the entity that granted the certificate.

Common name (CN) Organizational unit or department (OU) Organization (O) Locality (L) State (ST) Country code (C) Email address of the issuer (EA)

ASDM User Guide OL-10106-01

33-23

Chapter 33 Authenticating, Enrolling for, and Managing Digital Certificates

Configuring Certificates

ASDM User Guide

33-24

OL-10106-01

C H A P T E R

34

CSD
Configuration > CSD Manager The CSD Manager window displays the following message if you choose this menu option and Cisco Secure Desktop is not installed or enabled:
Please install and/or enable Cisco Secure Desktop

Click the Cisco Secure Desktop link to open the Configuration >VPN > WebVPN/CSD Setup window.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

34-1

Chapter 34

CSD

ASDM User Guide

34-2

OL-10106-01

C H A P T E R

35

Configuring IPS
If you are managing a Cisco ASA 5500 series security appliance equipped with an AIP SSM, you can configure the IPS features of the AIP SSM through ASDM. When you select Configuration > IPS, ASDM retrieves IDM from the AIP SSM and displays it as part of the ASDM interface. For more information about configuring IPS features, refer to the IDM online help, which is available from the IDM panels displayed in ASDM, or visit the documentation on Cisco.com: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_g uides_list.html

ASDM User Guide OL-10106-01

35-1

Chapter 35

Configuring IPS

ASDM User Guide

35-2

OL-10106-01

C H A P T E R

36

Configuring Trend Micro Content Security


ASDM lets you configure activation codes and other, basic operational parameters for the Content Security and Control (CSC) SSM as well as CSC-related features.

Managing the CSC SSM


This section contains the following topics:

About the CSC SSM, page 36-1 Getting Started with the CSC SSM, page 36-3 Determining What Traffic to Scan, page 36-5

About the CSC SSM


The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you configure the adaptive security appliance to send to it. Figure 36-1 illustrates the flow of traffic through an adaptive security appliance that has the following:

A CSC SSM installed and setup. A service policy that determines what traffic is diverted to the SSM for scans.

In this example, the client could be a network user who is accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server. SMTP scans differ in that you should configure the adaptive security appliance to scan traffic sent from outside to SMTP servers protected by the adaptive security appliance.

Note

The CSC SSM can scan FTP file transfers only when FTP inspection is enabled on the adaptive security appliance. By default, FTP inspection is enabled.

ASDM User Guide OL-10106-01

36-1

Chapter 36 Managing the CSC SSM

Configuring Trend Micro Content Security

Figure 36-1

Flow of Scanned Traffic with CSC SSM

Security Appliance Main System modular service policy Request forwarded outside Diverted Traffic Reply sent Server

Request sent inside Reply forwarded Client

CSC SSM

You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM. The CSC SSM GUI appears in a separate web browser, which may prompt you for the CSC SSM password. Use of the CSC SSM GUI is explained in the Cisco Content Security and Control SSM Administrator Guide.

Note

ASDM and the CSC SSM maintain separate passwords. You can configure their passwords to be identical; however, changing one of these two passwords does not affect the other password. The connection between the host running ASDM and the adaptive security appliance is made through a management port on the adaptive security appliance. The connection to the CSC SSM GUI is made through the SSM management port. Because these two connections are required to manage the CSC SSM, any host running ASDM must be able to reach the IP address of both the adaptive security appliance management port and the SSM management port. Figure 36-2 shows an adaptive security appliance with a CSC SSM that is connected to a dedicated management network. While use of a dedicated management network is not required, we recommend it. Of particular interest in Figure 36-2 are the following:

An HTTP proxy server is connected to the inside network and to the management network. This enables the CSC SSM to contact the Trend Micro update server. The management port of the adaptive security appliance is connected to the management network. To permit management of the adaptive security appliance and the CSC SSM, hosts running ASDM must be connected to the management network. The management network includes an SMTP server for email notifications for the CSC SSM and a syslog server that the CSC SSM can send system log messages to.

ASDM User Guide

36-2

148386

content security scan

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security Managing the CSC SSM

Figure 36-2

CSC SSM Deployment with a Management Network Security Appliance inside 192.168.100.1

Trend Micro Update Server

HTTP Proxy

Main System management port 192.168.50.1

outside 10.6.13.67

Internet

ASDM

CSC SSM 192.168.50.38 SSM management port

Syslog

Notifications SMTP Server

Getting Started with the CSC SSM


Before you receive the security benefits provided by a CSC SSM, you must perform several steps beyond simple hardware installation of the SSM. This procedure provides an overview of those steps. To configure the adaptive security appliance and the CSC SSM, perform the following steps:
Step 1

If the CSC SSM did not come pre-installed in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM. For assistance with installation and connecting the SSM, see the Cisco ASA 5500 Series Hardware Installation Guide.
The management port of the CSC SSM must be connected to your network to allow management of and automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management port for email notifications and syslogging.

Step 2

With the CSC SSM, you should have received a Product Authorization Key (PAK). Use the PAK to register the CSC SSM at the following URL: http://www.cisco.com/go/license After you register, you will receive activation keys by email. The activation keys are required before you can complete Step 5.

Step 3

Gather the following information, for use in Step 5.


Activation keys, received after completing Step 2. SSM management port IP address, netmask, and gateway IP address. The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets. DNS server IP address.

ASDM User Guide OL-10106-01

148387

36-3

Chapter 36 Managing the CSC SSM

Configuring Trend Micro Content Security

Step 4

HTTP proxy server IP address (required only if your security policies require use of a proxy server for HTTP access to the Internet). Domain name and hostname for the SSM. An email address and an SMTP server IP address and port number, for email notifications. IP addresses of hosts or networks allowed to manage the CSC SSM. Password for the CSC SSM.

In ASDM, verify time settings on the adaptive security appliance. Time setting accuracy is important for logging of security events and for automatic updates of CSC SSM software.

If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock. If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device Administration > NTP.

Step 5

Run the CSC Setup wizard.


If you have not run the CSC Setup wizard, choose Configuration > Trend Micro Content Security and the wizard starts automatically. If you are rerunning the wizard, choose Configuration > Trend Micro Content Security, connect to and log into the CSC SSM, choose CSC Setup > Wizard Setup, and click Launch Wizard Setup.

For assistance with windows of the CSC Setup wizard, click the Help button.
Step 6

Configure service policies to divert to the CSC SSM the traffic that you want scanned. If you create a global service policy to divert traffic for scans, all traffic (inbound and outbound) for the supported protocols is scanned. To maximize performance of the adaptive security appliance and the CSC SSM, scan only traffic from untrusted sources. For a discussion of best practices for diverting traffic to the CSC SSM, see Determining What Traffic to Scan. If you want to create a global service policy that diverts traffic for scans, perform the following steps:
a.

Choose Configuration > Security Policies > Service Policy Rules and click Add. The Add Service Policy Rule Wizard appears.

b.

Click the Global - applies to all interfaces radio button and click Next >. The Traffic Classification Criteria window appears. Click the Create a new traffic class radio button, type a name for the traffic class in the adjacent field, and check the Any traffic check box. Click Next >. The Rules Actions window appears. Click the CSC Scan tab and check the Enable CSC scan for this traffic flow check box. Choose whether the adaptive security appliance should permit or deny selected traffic if the CSC SSM is unavailable by making the applicable selection in the area labeled: If CSC card fails, then. Click Finish. The new service policy appears in the Service Policy Rules pane. Click Apply. The adaptive security appliance begins diverting traffic to the CSC SSM, which performs the content security scans enabled by the license you purchased.

c.

d. e. f.

g.

ASDM User Guide

36-4

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security Managing the CSC SSM

Step 7

(Optional) Review the default content security policies in the CSC SSM GUI. The default content security policies are suitable for most implementations. Modifying them is advanced configuration that you should perform only after reading the Cisco Content Security and Control SSM Administrator Guide. You review the content security policies by viewing the enabled features in the CSC SSM GUI. The availability of features depends on the license level you purchased. By default, all features included in the license you purchased are enabled. With a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. With a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering. To access the CSC SSM GUI, in ASDM choose Configuration > Trend Micro Content Security, and then select one of the following: Web, Mail, File Transfer, or Updates. The blue links on these panes, beginning with the word Configure, open the CSC SSM GUI.

Determining What Traffic to Scan


The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic. It supports these protocols only when the destination port of the packet requesting the connection is the well known port for the protocol, that is, CSC SSM can scan only the following connections:

FTP connections opened to TCP port 21. HTTP connections opened to TCP port 80. POP3 connections opened to TCP port 110. SMTP connections opened to TCP port 25.

You can choose to scan traffic for all of these protocols or any combination of them. For example, if you do not allow network users to receive POP3 email, you would not want to configure the adaptive security appliance to divert POP3 traffic to the CSC SSM (you would want to block it instead). To maximize performance of the adaptive security appliance and the CSC SSM, divert to the CSC SSM only the traffic that you want the CSC SSM to scan. Needlessly diverting traffic that you do not want to scan, such as traffic between a trusted source and destination, can adversely affect network performance. The action of scanning traffic with the CSC SSM is enabled on the CSC Scan tab of the Add Service Policy Rule WizardRule Actions window. Service policies that include a CSC scan action can be applied globally or to specific interfaces; therefore, you can choose to enable CSC scans globally or for specific interfaces. Adding the csc command to your global policy ensures that all unencrypted connections through the adaptive security appliance are scanned by the CSC SSM; however, this may mean that traffic from trusted sources is needlessly scanned. If you enable CSC scans in interface-specific service policies, it is bi-directional. This means that when the adaptive security appliance opens a new connection, if a CSC scan action is active on either the inbound or the outbound interface of the connection and if the service policy identifies traffic for scanning, the adaptive security appliance diverts it to the CSC SSM.

ASDM User Guide OL-10106-01

36-5

Chapter 36 Managing the CSC SSM

Configuring Trend Micro Content Security

However, bi-directionality means that if you divert to the CSC SSM any of the supported traffic types that cross a given interface, the CSC SSM is likely performing needless scans on traffic from your trusted inside networks. For example, URLs and files requested from web servers on a DMZ network are unlikely to pose content security risks to hosts on an inside network and you probably do not want the adaptive security appliance to divert such traffic to the CSC SSM. Therefore, we highly recommend that the service policies defining CSC scans use access lists to limit the traffic selected. Specifically, use access lists that match the following:

HTTP connections to outside networks. FTP connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance. POP3 connections from clients inside the security appliance to servers outside the adaptive security appliance. Incoming SMTP connections destined to inside mail servers.

In Figure 36-3, the adaptive security appliance should be configured to divert traffic to CSC SSM requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network and incoming SMTP connections from outside hosts to the mail server on the DMZ network. HTTP requests from the inside network to the web server on the DMZ network should not be scanned.
Figure 36-3 Common Network Configuration for CSC SSM Scanning

Security appliance 192.168.10.0 inside outside 192.168.30.0 Internet

192.168.20.0 (dmz)

Web server

Mail server

There are many ways you could configure the adaptive security appliance to identify the traffic that you want to scan. One approach is to define two service policies, one on the inside interface and the other on the outside interface, each with access lists that matches traffic to be scanned. Figure 36-4 shows service policy rules that select only the traffic that should be scanned.

ASDM User Guide

36-6

143800

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security CSC Setup

Figure 36-4

Optimized Traffic Selection for CSC Scans

In the inside-policy, the first class, inside-class1, ensures that HTTP traffic between the inside network and the DMZ network is not scanned. The Match column indicates this by displaying the Do not match icon. This does not mean the adaptive security appliance blocks traffic sent from the 192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. It simply exempts the traffic from being matched by the service policy applied to the inside interface and thus prevents the adaptive security appliance from sending the traffic to the CSC SSM. The second class of the inside-policy, inside-class, matches FTP, HTTP, and POP3 traffic between the inside network and any destination. HTTP connections to the DMZ network are exempted due to inside-class1. As previously mentioned, policies applying a CSC scan action to a specific interface are effective on both ingress and egress traffic, but by specifying 192.168.10.0 as the source network, inside-class1 matches only connections initiated by the hosts on the inside network. In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. This protects the SMTP server and thus protects inside users who download email from the SMTP server on the DMZ network without having to scan connections from SMTP clients to the server. If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could add a rule to the outside policy that matches HTTP traffic from any source to the DMZ network. Because the policy is applied to the outside interface, the rule would only match connections from HTTP clients outside the adaptive security appliance.

CSC Setup
The panes under CSC Setup let you configure basic operational parameters for the CSC SSM. You must complete the Setup Wizard once before you can configure each pane separately. After you complete the Setup Wizard, you can modify each pane individually without using the Setup Wizard again. Additionally, you cannot access the panes under Home > Content Security or Monitoring > Trend Micro Content Security until you complete the Setup Wizard. If you try to access these panes prior to completing the Setup Wizard, a dialog box appears and lets you access the Setup Wizard directly. For an introduction to CSC SSM, see About the CSC SSM.

Activation/License IP Configuration

ASDM User Guide OL-10106-01

36-7

Chapter 36 CSC Setup

Configuring Trend Micro Content Security

Host/Notification Settings Management Access Host/Networks Password Wizard Setup Summary

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. In multiple-context mode, the panes under the CSC Setup node are available only in the admin context.

For More Information

Managing the CSC SSM

Activation/License
Configuration > Trend Micro Content Security > CSC Setup > Activation/License The Activation/License pane lets you configure activation codes for the following two components of the CSC SSM:

Base License Plus License

You can use ASDM to configure CSC licenses only once each for the two licenses. Renewed license activation codes are downloaded automatically with scheduled software updates.
Fields

ProductDisplay only. Shows the name of the component. Activation CodeContains the activation code for the corresponding Product field. License StatusDisplay only. Shows information about the status of the license. If the license is valid, the expiration date appears. If expiration date has passed, this field indicates that the license has expired. NodesDisplay only. Shows the maximum number of network devices supported by the Base License of your CSC SSM. The Plus License does not affect the number of network devices supported; therefore, the Nodes field does not appear in the Plus License area.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

36-8

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security CSC Setup

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. In multiple-context mode, the Activation/License pane is available only in the admin context.

For More Information

Managing the CSC SSM

IP Configuration
Configuration > Trend Micro Content Security > CSC Setup > IP Configuration The IP Configuration pane lets you configure IP addresses and other relevant details for the CSC SSM, the DNS servers it should use, and a proxy server for retrieving CSC SSM software updates.
Fields

Management InterfaceContains parameters for management access to the CSC SSM.


IP AddressSets the IP address for management access to the CSC SSM. MaskSets the netmask for the network containing the management IP address of the CSC

SSM.
GatewaySets the IP address for the gateway device. This is the gateway device for the

network containing the management IP address of the CSC SSM.

DNS ServersContains parameters about DNS servers for the network containing the management IP address of the CSC SSM.
Primary DNSSets the IP address of the primary DNS server. Secondary DNS(Optional) Sets the IP address of the secondary DNS server.

Proxy Server(Optional) Contains parameters for an optional HTTP proxy server, used by the CSC SSM to contact a CSC SSM software update server. If your network configuration does not require the CSC SSM to use a proxy server, you can leave the boxes in this group empty.
Proxy Server(Optional) Sets the IP address of the proxy server. Proxy Port(Optional) Sets the listening port of the proxy server.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

36-9

Chapter 36 CSC Setup

Configuring Trend Micro Content Security

1. In multiple-context mode, the IP Configuration pane is available only in the admin context.

For More Information

Managing the CSC SSM

Host/Notification Settings
Configuration > Trend Micro Content Security > CSC Setup > Host/Notification Settings The Host/Notification Settings pane lets you configure details about hostname, domain name, email notifications, and a domain name for emails to be excluded from detailed scanning.
Fields

Host and Domain NamesContains information about the hostname and domain name of the CSC SSM.
HostNameSets the hostname of the CSC SSM. Domain NameSets the domain name that contains the CSC SSM.

Incoming E-mail Domain NameContains information about a trusted incoming email domain name for SMTP-based email.
Incoming Email DomainSets the incoming email domain name. The CSC SSM scans SMTP

email sent to this domain. The types of threats that the CSC SSM scans for depends upon the license you purchased for the CSC SSM and the configuration of the CSC SSM software.

Note

CSC SSM lets you configure a list of many incoming email domains. ASDM displays only the first domain in the list. To configure additional incoming email domains, access the CSC SSM interface. To do so, choose Configuration > Trend Micro Content Security > Email and click one of the links to access the CSC SSM. After logging in to the CSC SSM, choose Mail (SMTP) > Configuration, and click the Incoming Mail tab.

Notification SettingsContains information required for email notification of events.


Administrator E-mailSets the email address for the account to which notification emails

should be sent.
E-mail Server IP AddressSets the IP address of the SMTP server. PortSets the port to which the SMTP server listens.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. In multiple-context mode, the Host/Notification Settings pane is available only in the admin context.

ASDM User Guide

36-10

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security CSC Setup

For More Information

Managing the CSC SSM

Management Access Host/Networks


Configuration > Trend Micro Content Security > CSC Setup > Management Access Host/Networks The Management Access Host/Networks pane lets you control the hosts and networks from which management access to the CSC SSM is permitted. You must specify at least one permitted host or network. You can specify a maximum of eight permitted hosts or networks.
Fields

IP AddressSets the address of a host or network you want to add to the Selected Hosts/Network list. MaskSets the netmask for the host or network you specified in the IP Address field. To allow all hosts and networks, enter 0.0.0.0 in the IP Address field and choose 0.0.0.0 from the Mask list.

Selected Hosts/NetworksDisplays the hosts or networks trusted for management access to the CSC SSM. ASDM requires that you configure at least one host or network. You can configure a maximum of eight hosts or networks. To remove a host or network from the list, choose its entry in the list and click Delete.

Add >>Adds to the Selected Hosts/Networks list the host or network you specified in the IP Address field. DeleteRemoves the host or network selected in the Selected Hosts/Networks list.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. In multiple-context mode, the Management Access Host/Networks pane is available only in the admin context.

For More Information

Managing the CSC SSM

Password
Configuration > Trend Micro Content Security > CSC Setup > Password The Password pane lets you change the password required for management access to the CSC SSM. The CSC SSM has a password that is maintained separately from the ASDM password. You can configure them to be identical but changing the CSC SSM password does not affect the ASDM password.

ASDM User Guide OL-10106-01

36-11

Chapter 36 CSC Setup

Configuring Trend Micro Content Security

If ASDM is connected to the CSC SSM and you change the CSC SSM password, the connection to the CSC SSM is dropped. Because of this, ASDM displays a confirmation dialog box before changing the password.

Tip

Whenever the connection to the CSC SSM is dropped, you can reestablish it by using the Connection to Device icon on the status bar. To do so, click the icon and then click Reconnect in the Connection to Device dialog box. ASDM prompts you for the CSC SSM password, which is the new password you configured.

Note

The default password is cisco. Passwords appears as asterisks when you type them. Passwords must be at least five characters long and no more than 32 characters long.
Fields

Old PasswordRequires the current password for management access to the CSC SSM. New PasswordSets the new password for management access to the CSC SSM. Confirm New PasswordVerifies the new password for management access to the CSC SSM.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. In multiple-context mode, the Password pane is available only in the admin context.

For More Information

Managing the CSC SSM

Wizard Setup
Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup The Wizard Setup pane lets you start the Setup Wizard. Before you can directly access any of the other panes under CSC Setup, you must complete the Setup Wizard. After you complete the Setup Wizard, you can change any panes related to the CSC SSM without using the Setup Wizard again.
Fields

Launch Setup Wizard buttonStarts the CSC SSM Setup Wizard.

ASDM User Guide

36-12

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security CSC Setup

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

1. In multiple-context mode, the Wizard pane is available only in the admin context.

For More Information

Managing the CSC SSM

Summary
Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup (Final Window) The Summary pane displays the results of your actions while using the CSC Setup Wizard. The Summary pane lets you check your work before you exit the wizard. If you want to change any of the settings, you can use the < Back button to go to the panes containing those settings, make the needed changes, and use the Next > button to return to the Summary pane.

Note

After you click Finish, you can change any panes related to the CSC SSM without using the Setup Wizard again.
Fields

Activation Codes areaDisplay only. Summarizes the settings you made on the Activation Codes Configuration pane.
Base fieldShows the base license activation code. Plus fieldShows the plus license activation code, if you entered one. If not, this field is blank.

IP Parameters areaDisplay only. Summarizes the settings you made on the IP Configuration pane, including the following information:
IP address and netmask for the management interface of the CSC SSM. IP address of the gateway device for the networking containing the CSC SSM management

interface.
Primary DNS server IP address. Secondary DNS server IP address (if configured). Proxy server and port (if configured).

Host and Domain Names areaDisplay only. Summarizes the settings you made on the Host Configuration pane, including the following information:
Hostname of the CSC SSM. Domain name for the domain containing the CSC SSM. Domain name for incoming email.

ASDM User Guide OL-10106-01

36-13

Chapter 36 Web

Configuring Trend Micro Content Security

Administrator email address. Email server IP address and port number.

Management Access List areaDisplay only. Summarizes the settings you made on the Management Access Configuration pane. The drop-down list contains the hosts and networks from which the CSC SSM will allow management connections. Password areaDisplay only. Indicates whether you changed the password on the Password Configuration pane. < Back buttonLets you go to preceding panes of the CSC Setup Wizard. Next > buttonOn the Summary pane, this button is dimmed; however, if you use the Back > button to access any of the preceding panes in the wizard, this button lets you return to the Summary pane. Finish buttonCompletes the CSC Setup Wizard and saves all the settings you made while using the wizard. Cancel buttonExits the CSC Setup Wizard without saving any of the settings you made. If you click the Cancel button, ASDM displays a dialog box to confirm your decision.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Web
Configuration > Trend Micro Content Security > Web The Web pane lets you view whether web-related features are enabled and lets you access the CSC SSM for configuring web-related features.

Note

Accessing the CSC SSM requires the CSC SSM password, which the browser displaying the CSC SSM GUI prompts you for. Sessions in the CSC SSM browser window timeout after ten minutes of inactivity. If you close the CSC SSM browser and access it again within ten minutes, you are not prompted for the CSC SSM password.
Fields

URL Blocking And Filtering areaContains information and links related to URL blocking and filtering.
URL Blocking fieldDisplay only. Shows whether the URL Blocking feature is enabled on the

CSC SSM.

ASDM User Guide

36-14

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security Mail

Configure URL Blocking linkOpens a window for configuring URL blocking on the CSC

SSM.
URL Filtering fieldDisplay only. Shows whether the URL Filtering feature is enabled on the

CSC SSM.
Configure URL Filtering Rules linkOpens a window for configuring URL filtering rules on

the CSC SSM.


Configure URL Filtering Settings linkOpens a window for configuring settings for URL

filtering on the CSC SSM.

File Blocking areaContains a field and a link about the HTTP file blocking feature on the CSC SSM.
File Blocking fieldDisplay only. Shows whether the file blocking feature is enabled on the

CSC SSM.
Configure File Blocking linkOpens a window for configuring HTTP file blocking settings on

the CSC SSM.

Scanning areaContains a field and a link about the HTTP scanning feature on the CSC SSM.
HTTP Scanning fieldDisplay only. Shows whether the HTTP scanning feature is enabled on

the CSC SSM.


Configure Web Scanning linkOpens a window for configuring HTTP scanning on the CSC

SSM.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Mail
Configuration > Trend Micro Content Security > Mail The Mail pane lets you see if email-related features are enabled and lets you access the CSC SSM for configuring these features. For more information about configuring these areas, see the following:

Mail > SMTP Tab Mail > POP3 Tab

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

36-15

Chapter 36 Mail

Configuring Trend Micro Content Security

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Mail > SMTP Tab


Configuration > Trend Micro Content Security > Mail > SMTP Tab The SMTP tab displays fields and links specific to SMTP email features on the CSC SSM.

Note

Accessing the CSC SSM requires the CSC SSM password, which the browser displaying the CSC SSM GUI prompts you for. Sessions in the CSC SSM browser window timeout after ten minutes of inactivity. If you close the CSC SSM browser and access it again within ten minutes, you are not prompted for the CSC SSM password.
Fields

Scanning areaContains fields and links about SMTP scanning.


Incoming Scan fieldDisplay only. Shows whether the incoming SMTP scanning feature is

enabled on the CSC SSM.


Configure Incoming Scan linkOpens a window for configuring incoming SMTP scan settings

on the CSC SSM.


Outgoing Scan fieldDisplay only. Shows whether the outgoing SMTP scanning feature is

enabled on the CSC SSM.


Configure Outgoing Scan linkOpens a window for configuring outgoing SMTP scan settings

on the CSC SSM.

Content Filtering areaContains fields and links about SMTP content filtering.
Incoming Filtering fieldDisplay only. Shows whether content filtering for incoming SMTP

email is enabled on the CSC SSM.


Configure Incoming Filtering linkOpens a window for configuring incoming SMTP content

filtering settings on the CSC SSM.


Outgoing Filtering fieldDisplay only. Shows whether content filtering for outgoing SMTP

email is enabled on the CSC SSM.


Configure Outgoing Filtering linkOpens a window for configuring outgoing SMTP content

filtering settings on the CSC SSM.

Anti-spam areaContains fields and links about the SMTP anti-spam feature.
Spam Prevention fieldDisplay only. Shows whether the SMTP anti-spam feature is enabled

on the CSC SSM.


Configure Anti-spam linkOpens a window for configuring SMTP anti-spam settings on the

CSC SSM.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

36-16

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security Mail

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Mail > POP3 Tab


Configuration > Trend Micro Content Security > Mail > POP3 Tab The POP3 tab displays fields and links specific to POP3 email features on the CSC SSM.

Note

Accessing the CSC SSM requires the CSC SSM password, which the browser displaying the CSC SSM GUI prompts you for. Sessions in the CSC SSM browser window timeout after ten minutes of inactivity. If you close the CSC SSM browser and access it again within ten minutes, you are not prompted for the CSC SSM password.
Fields

Scanning fieldDisplay only. Shows whether the POP3 email scanning feature is enabled on the CSC SSM. Configure Scanning linkOpens a window for configuring POP3 email scanning on the CSC SSM. Anti-spam fieldDisplay only. Shows whether the POP3 anti-spam feature is enabled on the CSC SSM. Configure Anti-spam linkOpens a window for configuring the POP3 anti-spam feature on the CSC SSM. Content Filtering fieldDisplay only. Shows whether POP3 email content filtering is enabled on the CSC SSM. Configure Content Filtering linkOpens a window for configuring POP3 email content filtering on the CSC SSM.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

ASDM User Guide OL-10106-01

36-17

Chapter 36 File Transfer

Configuring Trend Micro Content Security

File Transfer
Configuration > Trend Micro Content Security > File Transfer The File Transfer pane lets you view whether FTP-related features are enabled and lets you access the CSC SSM for configuring FTP-related features.

Note

Accessing the CSC SSM requires the CSC SSM password, which the browser displaying the CSC SSM GUI prompts you for. Sessions in the CSC SSM browser window timeout after ten minutes of inactivity. If you close the CSC SSM browser and access it again within ten minutes, you are not prompted for the CSC SSM password.
Fields

File Scanning fieldDisplay only. Shows whether the FTP file scanning feature is enabled on the CSC SSM. Configure File Scanning linkOpens a window for configuring FTP file scanning settings on the CSC SSM. File Blocking fieldDisplay only. Shows whether the FTP file blocking feature is enabled on the CSC SSM. Configure File Blocking linkOpens a window for configuring FTP file blocking settings on the CSC SSM.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Updates
Configuration > Trend Micro Content Security > Updates The Updates pane lets you view whether scheduled updates are enabled and lets you access the CSC SSM for configuring scheduled updates.

Note

Accessing the CSC SSM requires the CSC SSM password, which the browser displaying the CSC SSM GUI prompts you for. Sessions in the CSC SSM browser window timeout after ten minutes of inactivity. If you close the CSC SSM browser and access it again within ten minutes, you are not prompted for the CSC SSM password.

ASDM User Guide

36-18

OL-10106-01

Chapter 36

Configuring Trend Micro Content Security Connecting to CSC/Content Security and Control Password

Fields

Scheduled Updates fieldDisplay only. Shows whether scheduled updates are enabled on the CSC SSM. Scheduled Update Frequency fieldDisplays information about when updates are scheduled to occur, such as Hourly at 10 minutes past the hour. Component columnDisplays names of parts of the CSC SSM software that can be updated. Scheduled Updates columnDisplay only. Shows whether scheduled updates are enabled for the corresponding components. Configure Updates linkOpens a window for configuring scheduled updates settings on the CSC SSM.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Connecting to CSC/Content Security and Control Password


Home > Content Security Configuration > Trend Micro Content Security Monitoring > Trend Micro Content Security With each session you start in ASDM, the first time you access features related to the CSC SSM, you must specify the management IP address and provide the password for the CSC SSM. After you successfully connect to the CSC SSM, you are not prompted again for the management IP address and password. If you start a new ASDM session, the connection to the CSC SSM is reset and you must specify the IP address and the CSC SSM password again. The connection to the CSC SSM is also reset if you change the time zone on the adaptive security appliance.

Note

The CSC SSM has a password that is maintained separately from the ASDM password. You can configure them to be identical but changing the CSC SSM password does not affect the ASDM password.
Fields

Connecting to CSC dialog boxLets you specify the IP address for the management port on the CSC SSM. ASDM automatically detects the IP address for the SSM in the adaptive security appliance. If this detection fails, you can specify the management IP address manually.
Management IP Address radio buttonSets the management IP address for the connection to

the CSC SSM to an IP address detected by ASDM. This is the default selection.

ASDM User Guide OL-10106-01

36-19

Chapter 36 Connecting to CSC/Content Security and Control Password

Configuring Trend Micro Content Security

Other IP Address or Hostname radio button and fieldSets the management IP address to the

value you enter in the field.

CSC Password dialog boxLets you specify the password for accessing the CSC SSM. Providing the password enables ASDM to establish a connection to the CSC SSM. It uses the connection to retrieve monitoring and status information, including information about the features enabled on the CSC SSM. For ten minutes after you enter the password, clicking links that open the CSC SSM GUI does not require that you re-enter the CSC SSM password in the browser that displays the CSC SSM GUI.
Password fieldRequires the CSC SSM password. If you have not completed the Setup Wizard

at Configuration > Trend Micro Content Security > CSC Setup, use the default CSC password and then complete the configuration in the Setup Wizard, which includes changing the default password.

Note

The default CSC SSM password is cisco.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

ASDM User Guide

36-20

OL-10106-01

C H A P T E R

37

Monitoring System Log Messages


The Log view panels let you view the Real-Time Log and a list of the system log messages currently in the Log Buffer.

Log Buffer
Monitoring > Logging > Log Buffer Use this panel to view log messages saved in the buffer in a separate window. From here you can clear the message window, save the contents of the log, search the messages for specific text, and specify color settings for different severity levels.
Fields

The Log Buffer contains the following fields:


Logging LevelChoose the level of logging messages to view, ranging from emergency to debugging. ViewOpens a separate window that displays the log messages currently in the log buffer. From here you can clear the message window or save the contents of the log. You can also search messages for specific text.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Log Buffer Viewer


Monitoring > Logging > Log Buffer > Log Buffer Viewer The Log Buffer Viewer lets you view messages currently in the log buffer. From here you can refresh the message window, save the contents of the log, clear the contents of the log, specify color settings for different severity levels, or search the messages for specific text.

ASDM User Guide OL-10106-01

37-1

Chapter 37 Log Buffer Viewer

Monitoring System Log Messages

Messages with the ID numbers of 106023 and 106100 indicate that traffic has been blocked or explicitly permitted by an access rule. Use the Show Rule and Create Rule buttons to show the access rule that applies to the traffic triggering the message or to create a new access rule to permit or deny the traffic triggering the message. Right-click any message in the viewer to bring up a menu from which you can select options equivalent to all buttons currently enabled, which may include the Pause/Resume, Save, Clear, Color Settings, Create Rule and Show Rule options.
Fields

RefreshRefreshes the display. SaveSaves the log to your PC. ClearClears the list of messages. Color SettingsEnables you to specify that messages of different severity levels display in different colors. Create RuleChoose a message with either the ID number 106100 or 106023 to use this button. Click the Create Rule button to bring up the screen allowing you to create a new access rule for the traffic generating the message. Show RuleChoose a message with either the ID number 106100 or 106023 to use this button. Click the Show Rule button to highlight the access control entry that matches the traffic that generated the message. You can then disable the rule to permit or deny the traffic. FindEnter the text you want to find in the system log messages. HelpDisplays the online help for the Log Buffer Viewer. Log TableDisplays the system log messages in the message buffer. The table displays the severity, date, time, syslog ID, source IP, destination IP, and description of each system log message. Show DetailsClick this button to display detail log information about the selected system log message at the bottom of the Log Table. The details area contains the following information:
ExplanationProvides documentation for the selected system log message. Recommended ActionProvides a recommended action to take in response to receiving the

selected system log message.


DetailsDisplays the same information as the Log Table in an easy-to-read format.

Filter byEnter text to filter the messages by.


Show AllDisplays all messages. FilterLets you filter the messages based on text you enter.

For more information

Access Rules
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

37-2

OL-10106-01

Chapter 37

Monitoring System Log Messages Real-time Log Viewer

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Real-time Log Viewer


Monitoring > Logging > Real-time Log Viewer The Real-time Log Viewer enables you to view in a separate window the system log messages as they occur. From here you can pause incoming messages, clear the message window, save the contents of the log, search the messages for specific text, and set color settings for different severity levels.
Fields

Logging LevelChoose the level of logging messages to view, ranging from emergency to debugging. Buffer LimitSpecifies the maximum number of log messages to view. The default is 1000. ViewOpens a separate window that displays the log messages.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Real-time Log Viewer


Monitoring > Logging > Real-time Log Viewer > View The Real-time Log Viewer lets you view incoming messages in real time and filter them based on text you specify. From here you can pause incoming messages, clear the message window, save the contents of the log, search the messages for specific text, and specify color settings for different severity levels. Messages with the ID numbers of 106023 and 106100 indicate that traffic has been blocked or explicitly permitted by an access rule. When you choose one of these messages, the Create Rule and Show Rule buttons at the top of the page are enabled. Use these buttons to show the access rule that applies to the traffic triggering the message or to create a new access rule to permit or deny the traffic triggering the message. Right-click any message in the viewer to bring up a menu from which you can select options equivalent to all buttons currently enabled, which may include the Pause/Resume, Save, Clear, Color Settings, Create Rule and Show Rule options.

ASDM User Guide OL-10106-01

37-3

Chapter 37 Real-time Log Viewer

Monitoring System Log Messages

Fields

Pause/ResumePauses and resumes message scrolling in the Real-time Log Viewer. SaveSaves the log to your PC. ClearClears the list of messages. Color SettingsEnables you to assign a display color to a specific system log message severity level. Create RuleChoose a message with either the message ID number 106100 or 106023 to use this button. Click the Create Rule button to bring up the screen allowing you to create a new access rule for the traffic generating the message. Show RuleChoose a message with either the ID number 106100 or 106023 to use this button. Click the Show Rule button to highlight the access control entry that matches the traffic that generated the message. You can then disable the rule to permit or deny the traffic. FindEnter the text you want to find in the message log. Click the magnifying glass icon to perform the search. HelpClick to display the online help for the Real-Time Log Viewer. Log TableDisplays the system log messages in real time. The table displays the severity, date, time, syslog ID, source IP, destination IP, and description of each system log message. Show DetailsClick this button to display detail log information about the selected system log message at the bottom of the Log Table. The details area contains the following information:
ExplanationProvides documentation for the selected system log message. Recommended ActionProvides a recommended action to take in response to receiving the

selected system log message.


DetailsDisplays the same information as the Log Table in an easy-to-read format.

Filter byEnter text to filter the messages by.


Show AllDisplays all messages. FilterLets you filter the messages based on text you enter.

For more information

Access Rules
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

37-4

OL-10106-01

C H A P T E R

38

Monitoring Trend Micro Content Security


ASDM lets you monitor the Content Security and Control (CSC) SSM statistics as well as CSC SSM-related features. For an introduction to CSC SSM, see About the CSC SSM.

Note

If you have not completed the Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panes under Monitoring > Trend Micro Content Security. Instead, a dialog box appears and lets you access the Setup Wizard directly from Monitoring > Trend Micro Content Security.

Threats
Monitoring > Trend Micro Content Security > Threats Threats lets you view in a graph format information about various types of threats detected by the CSC SSM. You can graph a maximum of four graphs in one frame.
Fields

Available Graphs forLists the components you can graph. The graphs display data in ten-second intervals.
Viruses detectedDisplays statistics about viruses detected. URL Filtered, URL BlockedDisplays statistics about URLs filtered and blocked. Spam detectedDisplays statistics about spam email detected. Spyware blockedDisplays the statistics about spyware blocked.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, choose the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs list, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For list to the Selected Graphs list. RemoveRemoves the selected statistic type from the Selected Graphs list. Show GraphsClick to display a new or updated graph window with the selected statistics.

ASDM User Guide OL-10106-01

38-1

Chapter 38 Live Security Events

Monitoring Trend Micro Content Security

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Live Security Events


Monitoring > Trend Micro Content Security > Live Security Events Use the Live Security Events pane to view live, real time security events in a separate window.
Fields

Buffer LimitThe maximum number of log messages to view. The default is 1000. ViewOpens a separate window that displays the event messages. From here you can pause incoming messages, clear the message window, and save event messages. You can also search messages for specific text.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Live Security Events Viewer


Monitoring > Trend Micro Content Security > Live Security Events > Live Security Events Viewer The Live Security Events Viewer lets you view in real time security event messages received from the CSC SSM. You can filter security event messages based on text you specify.
Fields

Filter Incoming Messages area

ASDM User Guide

38-2

OL-10106-01

Chapter 38

Monitoring Trend Micro Content Security Software Updates

Show AllDisplays all messages. Filter by TextLets you filter the messages based on text you enter.

FilterUse to filter the messages. Find MessagesSearches the messages based on the text you enter.
TextEnter the text to search for in the messages log. Find NextUse to find the next entry that matches the text you typed in Text.

ColumnsThe Live Security Events Viewer displays the following, read-only columns:
TimeDisplays the time an event occurred. SourceDisplays the IP address or hostname from which the threat came. Threat/FilterDisplays the type of threat or, in the case of a URL filter event, the filter that

triggered the event.


Subject/File/URLDisplays the subject of emails containing a threat, the names of FTP file

containing a threat, or URLs blocked or filtered.


Receiver/HostDisplays the recipient of emails containing a threat or the IP address or

hostname of a node threatened.


SenderDisplays the sender of emails containing a threat. Content ActionDisplays the action taken upon the content of a message, such as cleaning

attachments or deleting attachments.


Msg ActionDisplays the action taken upon a message, such as delivering the message

unchanged, delivering the message after deleting the attachments, or delivering the message after cleaning the attachments.

PauseUse to pause the scrolling of the Live Security Events log. Save Events AsClick to save the log to your PC. Clear DisplayClears the list of messages. CloseCloses the pane and returns to the previous screen.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Software Updates
Monitoring > Trend Micro Content Security > Software Updates

ASDM User Guide OL-10106-01

38-3

Chapter 38 Resource Graphs

Monitoring Trend Micro Content Security

The Software Updates pane displays information about updates to software on the CSC SSM.
Fields

ComponentDisplays names of parts of the CSC SSM software that can be updated. VersionDisplays the current version of the corresponding component. Last UpdateDisplays the date and time that the corresponding component was updated. If the component has never been updated since the CSC SSM software was installed, None appears in this column. Last RefreshDisplays the date and time when ASDM last received information from CSC SSM regarding software updates.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

Resource Graphs
The security appliance lets you monitor CSC SSM status, including CPU and memory usage.

CSC CPU CSC Memory

CSC CPU
Monitoring > Trend Micro Content Security > Resource Graphs > CSC CPU The CSC CPU pane lets you view in a graph format information about CPU utilization by the CSC SSM.
Fields

Available Graphs forLists the components you can graph.


CPU UtilizationDisplays statistics CPU use on the CSC SSM.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, choose the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs list, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For list to the Selected Graphs list.

ASDM User Guide

38-4

OL-10106-01

Chapter 38

Monitoring Trend Micro Content Security Resource Graphs

RemoveRemoves the selected statistic type from the Selected Graphs list. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

Managing the CSC SSM

CSC Memory
Monitoring > Trend Micro Content Security > Resource Graphs > CSC Memory CSC Memory lets you view in a graph format information about memory usage on the CSC SSM.
Fields

Available Graphs ForLists the components you can graph.


Free MemoryDisplays statistics about the amount of memory not in use. Used MemoryDisplays statistics about the amount of memory in use.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, choose the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs list, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For list to the Selected Graphs list. RemoveRemoves the selected statistic type from the Selected Graphs list. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

38-5

Chapter 38 Resource Graphs

Monitoring Trend Micro Content Security

For More Information

Managing the CSC SSM

ASDM User Guide

38-6

OL-10106-01

C H A P T E R

39

Monitoring Failover
Single Context Mode
Failover
You can monitor the status of the active and standby devices in a failover pair and failover related statistics. See the following screens for more information:

StatusDisplays the failover status of the device. GraphsDisplays graphs of various failover communication statistics.

For More Information

For more information about failover in general, see Understanding Failover.

Status
Monitoring > Properties > Failover > Status The Status pane displays the failover state of the system. In single context mode, you can also control the failover state of the system by:

Toggling the active/standby state of the device. Resetting a failed device. Reloading the standby unit.

Fields

Failover state of the systemDisplay only. Displays the failover state of the security appliance. The information in this field is the same output you would receive from the show failover command. The following information is included in the display:

Note

Only a subset of the fields below appear when viewing the failover status within a security context. Those fields are indicated by an asterisk (*) before the field name.

*FailoverDisplays On when failover is enabled, Off when failover is not enabled. Cable Status(PIX security appliance platform only) Displays the status of the serial failover cable. The following shows possible cable states:

ASDM User Guide OL-10106-01

39-1

Chapter 39 Single Context Mode

Monitoring Failover

NormalThe cable is connected to both units, and they both have power. My side not connectedThe serial cable is not connected to this unit. It is unknown if the cable

is connected to the other unit.


Other side is not connectedThe serial cable is connected to this unit, but not to the other unit. Other side powered offThe other unit is turned off. N/ALAN-based failover is enabled.

Failover unitDisplays the role of the system in the failover pair, either Primary or Secondary. Failover LAN InterfaceDisplays the logical and physical name of the LAN failover interface. If you are using the dedicated failover cable on the PIX platform, this field displays N/A Serial-based failover enabled. If you have not yet configured the failover interface, this field displays Not configured. Unit Poll frequency/holdtimeDisplays how often hello messages are sent on the failover link and how long to wait before testing the peer for failure if no hello messages are received. Interface Poll frequencyDisplays the interval, in seconds, between hello messages on monitored interfaces. Interface PolicyDisplays the number of interfaces that must fail before triggering failover. Monitored InterfacesDisplays the number of interfaces whose health you are monitoring for failover. failover replication httpDisplayed if HTTP replication is enabled. *Last FailoverDisplays the time and date the last failover occurred. *This Host(Context)/Other Host(Context)For each host (or for the selected context in multiple context mode) in the failover pair, the following information is shown:
Primary or SecondaryDisplays whether the unit is the primary or secondary unit. Also

displays the following status: *ActiveThe unit is the active unit. *StandbyThe unit is the standby unit. *DisabledThe unit has failover disabled or the failover link is not configured. *ListenThe unit is attempting to discover an active unit by listening for polling messages. *LearnThe unit detected an active unit, and is not synchronizing the configuration before going to standby mode. *FailedThe unit is failed.
*Active TimeThe amount of time, in seconds, that the unit has been in the active state. *[context_name] Interface name (n.n.n.n)For each interface, the display shows the IP address

currently being used on each unit, as well as one of the following conditions. In multiple context mode, the context name appears before each interface. FailedThe interface has failed. Link DownThe interface line protocol is down. NormalThe interface is working correctly. No LinkThe interface has been administratively shut down. UnknownThe security appliance cannot determine the status of the interface. (Waiting)The interface has not yet received any polling messages from the other unit.

ASDM User Guide

39-2

OL-10106-01

Chapter 39

Monitoring Failover Single Context Mode

TestingThe interface is being tested. *Stateful Failover Logical Updates StatisticsThe following fields relate to the Stateful Failover feature. If the Link field shows an interface name, then the Stateful Failover statistics are shown.

Note

Stateful Failover is not supported on the ASA 5505 series adaptive security appliance. These statistics do not appear in ASDM running on an ASA 5505 security appliance.

LinkDisplays one of the following:


interface_nameThe interface used for the Stateful Failover link. UnconfiguredYou are not using Stateful Failover.

Stateful ObjFor each field type, the following statistics are displayed: xmitNumber of transmitted packets to the other unit xerrNumber of errors that occurred while transmitting packets to the other unit rcvNumber of received packets rerrNumber of errors that occurred while receiving packets from the other unit The following are the stateful object field types:
GeneralSum of all stateful objects. sys cmdLogical update system commands; for example, LOGIN and Stay Alive. up timeUp time, which the active unit passes to the standby unit. RPC servicesRemote Procedure Call connection information. TCP connTCP connection information. UDP connDynamic UDP connection information. ARP tblDynamic ARP table information. L2BRIDGE tblLayer 2 bridge table information (transparent firewall mode only). Xlate_TimeoutIndicates connection translation timeout information. VPN IKE updIKE connection information. VPN IPSEC updIPSec connection information. VPN CTCP updcTCP tunnel connection information. VPN SDI updSDI AAA connection information. VPN DHCP updTunneled DHCP connection information.

*Logical Update Queue InformationDisplays the following statistics:


Recv QThe status of the receive queue. Xmit QThe status of the transmit queue.

The following information is displayed for each queue:


CurThe current number of packets in the queue. MaxThe maximum number of packets. TotalThe total number of packets.

*Lan-based Failover is activeThis field appears only when LAN-based failover is enabled.

ASDM User Guide OL-10106-01

39-3

Chapter 39 Single Context Mode

Monitoring Failover

interface name (n.n.n.n) and peer (n.n.n.n)The name and IP address of the failover link currently being used on each unit.

The following actions are available on the Status pane:


Make Active(Only available in Single mode) Click this button to make the security appliance the active unit in an active/standby configuration. Make Standby(Only available in Single mode) Click this button to make the security appliance the standby unit in an active/standby pair. Reset Failover(Only available in Single mode) Click this button to reset a system from the failed state to the standby state. You cannot reset a system to the active state. Clicking this button on the active unit resets the standby unit. Reload Standby(Only available in Single mode) Click this button to force the standby unit to reload. RefreshClick this button to refresh the status information in the Failover state of the system field.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

For more information about failover in general, see Understanding Failover.

Graphs
Monitoring > Properties > Failover > Graphs The Graphs pane lets you view failover statistics in graph and table form. In multiple context mode, the Graphs pane is only available in the admin context. The information in the graphs relate to Stateful Failover only.
Fields

Available Graphs forLists the types of statistical information available for monitoring. You can choose up to four statistic types to display in one graph window. Double-clicking a statistic type in this field moves it to the Selected Graphs field. Single-clicking a statistic type in this field selects the entry. You can select multiple entries. The following types of statistics are available in graph or table format in the graph window. They show the number of packets sent to and received from the other unit in the failover pair.
RPC services informationDisplays the security appliance RPC service information. TCP Connection InformationDisplays the security appliance TCP connection information. UDP Connection InformationDisplays the security appliance UDP connection information. ARP Table InformationDisplays the security appliance ARP table information.

ASDM User Guide

39-4

OL-10106-01

Chapter 39

Monitoring Failover Multiple Context Mode

L2Bridge Table Information(Transparent Firewall Mode Only) Displays the layer 2 bridge

table packet counts.


Xmit Queue(Single Mode Only) Displays the current, maximum, and total number of packets

transmitted.
Receive Queue(Single Mode Only) Displays the current, maximum, and total number of

packets received.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs for field to the Selected Graphs field. RemoveRemoves the selected statistic type from the Selected Graphs field. Selected GraphsShows the statistic types you want to show in the selected graph window. You can include up to four types. Double-clicking a statistic type in this field removes the selected statistic type from the field. Single-clicking a statistic type in this field selects the statistic type. You can select multiple statistic types. Show GraphsClick this button to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

For More Information

For more information about failover in general, see Understanding Failover.

Multiple Context Mode


You can monitor the failover status of the system and of the individual failover groups in the system context. See the following topics for monitoring failover status from the system context:

System Failover Group 1 and Failover Group 2

For More Information

For more information about failover in general, see Understanding Failover.

ASDM User Guide OL-10106-01

39-5

Chapter 39 Multiple Context Mode

Monitoring Failover

System
System > Monitoring > Failover > System The System pane displays the failover state of the system.You can also control the failover state of the system by:

Toggling the active/standby state of the device. Resetting a failed device. Reloading the standby unit.

Fields

Failover state of the systemDisplay only. Displays the failover state of the security appliance. The information shown is the same output you would receive from the show failover command. The following information is included in the display:

FailoverDisplays On when failover is enabled, Off when failover is not enabled. Cable Status(PIX security appliance platform only) Displays the status of the serial failover cable. The following shows possible cable states:
NormalThe cable is connected to both units, and they both have power. My side not connectedThe serial cable is not connected to this unit. It is unknown if the cable

is connected to the other unit.


Other side is not connectedThe serial cable is connected to this unit, but not to the other unit. Other side powered offThe other unit is turned off. N/ALAN-based failover is enabled.

Failover unitDisplays the role of the system in the failover pair, either Primary or Secondary. Failover LAN InterfaceDisplays the logical and physical name of the LAN failover interface. If you are using the dedicated failover cable on the PIX platform, this field displays N/A Serial-based failover enabled. If you have not yet configured the failover interface, this field displays Not configured. Unit Poll frequency/holdtimeDisplays how often hello messages are sent on the failover link and how long to wait before testing the peer for failure if no hello messages are received. Interface Poll frequencyDisplays the interval, in seconds, between hello messages on monitored interfaces. Interface PolicyDisplays the number of interfaces that must fail before triggering failover. Monitored InterfacesDisplays the number of interfaces whose health you are monitoring for failover. failover replication httpSpecifies that HTTP replication is enabled. Group x Last FailoverDisplays the time and date the last failover occurred for each failover group. This Host/Other Host For each host in the failover pair, the following information is shown:
Primary or SecondaryDisplays whether the unit is the primary or secondary unit. Group xFor each failover group, the following information is shown:

StateActive or Standby Ready.

ASDM User Guide

39-6

OL-10106-01

Chapter 39

Monitoring Failover Multiple Context Mode

Active TimeThe amount of time, in seconds, that the failover group has been in the active state.
context_name Interface name (n.n.n.n)For each interface, the display shows the IP address

currently being used on each unit, as well as one of the following conditions. FailedThe interface has failed. Link DownThe interface line protocol is down. NormalThe interface is working correctly. No LinkThe interface has been administratively shut down. UnknownThe security appliance cannot determine the status of the interface. (Waiting)The interface has not yet received any polling messages from the other unit. TestingThe interface is being tested. Stateful Failover Logical Updates StatisticsThe following fields relate to the Stateful Failover feature. If the Link field shows an interface name, then the Stateful Failover statistics are shown.

Note

Stateful Failover is not supported on the ASA 5505 series adaptive security appliance. These statistics do not appear in ASDM running on an ASA 5505 security appliance.

LinkDisplays one of the following:


interface_nameThe interface used for the Stateful Failover link. UnconfiguredYou are not using Stateful Failover.

Stateful ObjFor each field type, the following statistics are displayed: xmitNumber of transmitted packets to the other unit xerrNumber of errors that occurred while transmitting packets to the other unit rcvNumber of received packets rerrNumber of errors that occurred while receiving packets from the other unit The following are the stateful object field types:
GeneralSum of all stateful objects. sys cmdLogical update system commands; for example, LOGIN and Stay Alive. up timeUp time, which the active unit passes to the standby unit. RPC servicesRemote Procedure Call connection information. TCP connTCP connection information. UDP connDynamic UDP connection information. ARP tblDynamic ARP table information. L2BRIDGE tblLayer 2 bridge table information (transparent firewall mode only). Xlate_TimeoutIndicates connection translation timeout information. VPN IKE updIKE connection information. VPN IPSEC updIPSec connection information. VPN CTCP updcTCP tunnel connection information. VPN SDI updSDI AAA connection information.

ASDM User Guide OL-10106-01

39-7

Chapter 39 Multiple Context Mode

Monitoring Failover

VPN DHCP updTunneled DHCP connection information.

Logical Update Queue InformationDisplays the following statistics:


Recv QThe status of the receive queue. Xmit QThe status of the transmit queue.

The following information is displayed for each queue:


CurThe current number of packets in the queue. MaxThe maximum number of packets. TotalThe total number of packets.

Lan-based Failover is activeThis field appears only when LAN-based failover is enabled.

interface name (n.n.n.n) and peer (n.n.n.n)The name and IP address of the failover link currently being used on each unit. Make ActiveClick this button to make the security appliance the active unit in an active/standby configuration. In an active/active configuration, clicking this button causes both failover groups to become active on the security appliance. Make StandbyClick this button to make the security appliance the standby unit in an active/standby pair. In an active/active configuration, clicking this button causes both failover groups to go to the standby state on the security appliance. Reset FailoverClick this button to reset a system from the failed state to the standby state. You cannot reset a system to the active state. Clicking this button on the active unit resets the standby unit. Reload StandbyClick this button to force the standby unit to reload. RefreshClick this button to refresh the status information in the Failover state of the system field.

The following actions are available on the System pane:

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

Failover Group 1 and Failover Group 2


System > Monitoring > Failover > Failover Group 1 and Failover Group 2 The Failover Group 1 and Failover Group 2 panes display the failover state of the selected group.You can also control the failover state of the group by toggling the active/standby state of the group or by resetting a failed group.

ASDM User Guide

39-8

OL-10106-01

Chapter 39

Monitoring Failover Multiple Context Mode

Fields

Failover state of Group[x]Display only. Displays the failover state of the selected failover group. The information shown is the same as the output you would receive from the show failover group command and contains the following information:

Last FailoverThe time and date of the last failover. This Host/Other HostFor each host in the failover pair, the following information is shown:
Primary or SecondaryDisplays whether the unit is the primary or secondary unit. The

following information is also shown for the failover group: ActiveThe failover group is active on the specified unit. StandbyThe failover group is in the standby state on the specified unit. DisabledThe unit has failover disabled or the failover link is not configured. ListenThe unit is attempting to discover an active unit by listening for polling messages. LearnThe unit detected an active unit, and is not synchronizing the configuration before going to standby mode. FailedThe failover group is in the failed state on the specified unit.
Active TimeThe amount of time, in seconds, that the failover group has been in the active

state on the specified unit.


context_name Interface name (n.n.n.n)For each interface in the selected failover group, the

display shows the context to which it belongs and the IP address currently being used on each unit, as well as one of the following conditions. FailedThe interface has failed. Link DownThe interface line protocol is down. NormalThe interface is working correctly. No LinkThe interface has been administratively shut down. UnknownThe security appliance cannot determine the status of the interface. (Waiting)The interface has not yet received any polling messages from the other unit. TestingThe interface is being tested.

Stateful Failover Logical Updates StatisticsThe following fields relate to the Stateful Failover feature. If the Link field shows an interface name, then the Stateful Failover statistics are shown. LinkDisplays one of the following:
interface_nameThe interface used for the Stateful Failover link. UnconfiguredYou are not using Stateful Failover.

Stateful ObjFor each field type, the following statistics are displayed:
xmitNumber of transmitted packets to the other unit xerrNumber of errors that occurred while transmitting packets to the other unit rcvNumber of received packets rerrNumber of errors that occurred while receiving packets from the other unit

The following are the stateful object field types:


GeneralSum of all stateful objects. sys cmdLogical update system commands; for example, LOGIN and Stay Alive.

ASDM User Guide OL-10106-01

39-9

Chapter 39 Multiple Context Mode

Monitoring Failover

up timeUp time, which the active unit passes to the standby unit. RPC servicesRemote Procedure Call connection information. TCP connTCP connection information. UDP connDynamic UDP connection information. ARP tblDynamic ARP table information. L2BRIDGE tblLayer 2 bridge table information (transparent firewall mode only). Xlate_TimeoutIndicates connection translation timeout information. IKE updIKE connection information. VPN IPSEC updIPSec connection information. VPN CTCP updcTCP tunnel connection information. VPN SDI updSDI AAA connection information. VPN DHCP updTunneled DHCP connection information.

Logical Update Queue InformationDisplays the following statistics:


Recv QThe status of the receive queue. Xmit QThe status of the transmit queue.

The following information is displayed for each queue:


CurThe current number of packets in the queue. MaxThe maximum number of packets. TotalThe total number of packets.

You can performthe following actions from this pane:


Make ActiveClick this button to make the failover group active unit on the security appliance. Make StandbyClick this button to force the failover group into the standby state on the security appliance. Reset FailoverClick this button to reset a system from the failed state to the standby state. You cannot reset a system to the active state. Clicking this button on the active unit resets the standby unit. RefreshClick this button to refresh the status information in the Failover state of the system field.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

For More Information

For more information about failover in general, see Understanding Failover.

ASDM User Guide

39-10

OL-10106-01

C H A P T E R

40

Monitoring Interfaces
ASDM lets you monitor interface statistics as well as interface-related features.

ARP Table
Monitoring > Interfaces > ARP Table The ARP Table pane displays the ARP table, including static and dynamic entries. The ARP table includes entries that map a MAC address to an IP address for a given interface. See Configuration > Properties > ARP Static Table for more information about the ARP table.
Fields

InterfaceLists the interface name associated with the mapping. IP AddressShows the IP address. MAC AddressShows the MAC address. Proxy ARPDisplays Yes if proxy ARP is enabled on the interface. Displays No if proxy ARP is not enabled on the interface. ClearClears the dynamic ARP table entries. Static entries are not cleared. RefreshRefreshes the table with current information from the security appliance and updates Last Updated date and time. Last UpdatedDisplay only. Shows the date and time the display was updated.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

40-1

Chapter 40 DHCP

Monitoring Interfaces

DHCP
The security appliance lets you monitor DHCP status, including the addresses assigned to clients, the lease information for a security appliance interface, and DHCP statistics.

DHCP Server Table


Monitoring > Interfaces > DHCP > DHCP Server Table The DHCP Server Table lists the IP addresses assigned to DHCP clients.
Fields

IP AddressShows the IP address assigned to the client. Client-IDShows the client MAC address or ID. Lease ExpirationShows the date that the DHCP lease expires. The lease indicates how long the client can use the assigned IP address. Remaining time is also specified in the number of seconds and is based on the timestamp in the Last Updated display-only field. Number of Active LeasesShows the total number of DHCP leases. RefreshRefreshes the information from the security appliance. Last UpdatedShows when the data in the table was last updated.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DHCP Client Lease Information


Monitoring > Interfaces > DHCP > DHCP Server Table If you obtain the security appliance interface IP address from a DHCP server, the DHCP Client Lease Information panel shows information about the DHCP lease.
Fields

Select an interfaceLists the security appliance interfaces. Choose the interface for which you want to view the DHCP lease. If an interface has multiple DHCP leases, then choose the interface and IP address pair you want to view. Attribute and ValueLists the attributes and values of the interface DHCP lease.
Temp IP addrDisplay only. The IP address assigned to the interface. Temp sub net maskDisplay only. The subnet mask assigned to the interface. DHCP lease serverDisplay only. The DHCP server address.

ASDM User Guide

40-2

OL-10106-01

Chapter 40

Monitoring Interfaces DHCP

stateDisplay only. The state of the DHCP lease, as follows:

InitialThe initialization state, where the security appliance begins the process of acquiring a lease. This state is also shown when a lease ends or when a lease negotiation fails. SelectingThe security appliance is waiting to receive DHCPOFFER messages from one or more DHCP servers, so it can choose one. RequestingThe security appliance is waiting to hear back from the server to which it sent its request. PurgingThe security appliance is removing the lease because of an error. BoundThe security appliance has a valid lease and is operating normally. RenewingThe security appliance is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server, and waits for a reply. RebindingThe security appliance failed to renew the lease with the original server, and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends. HolddownThe security appliance started the process to remove the lease. ReleasingThe security appliance sends release messages to the server indicating that the IP address is no longer needed.
LeaseDisplay only. The length of time, specified by the DHCP server, that the interface can

use this IP address.


RenewalDisplay only. The length of time until the interface automatically attempts to renew

this lease.
RebindDisplay only. The length of time until the security appliance attempts to rebind to a

DHCP server. Rebinding occurs if the security appliance cannot communicate with the original DHCP server, and 87.5 percent of the lease time has expired. The security appliance then attempts to contact any available DHCP server by broadcasting DHCP requests.
Next timer fires afterDisplay only. The number of seconds until the internal timer triggers. Retry countDisplay only. If the security appliance is attempting to establish a lease, this field

shows the number of times the security appliance tried sending a DHCP message. For example, if the security appliance is in the Selecting state, this value shows the number of times the security appliance sent discover messages. If the security appliance is in the Requesting state, this value shows the number of times the security appliance sent request messages.
Client-IDDisplay only. The client ID used in all communication with the server. ProxyDisplay only. Specifies if this interface is a proxy DHCP client for VPN clients, True

or False.
HostnameDisplay only. The client hostname.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

40-3

Chapter 40 DHCP

Monitoring Interfaces

DHCP Statistics
Monitoring > Interfaces > DHCP > DHCP Statistics The DHCP Statistics pane shows statistics for the DHCP server feature.
Fields

Message TypeLists the DHCP message types sent or received:


BOOTREQUEST DHCPDISCOVER DHCPREQUEST DHCPDECLINE DHCPRELEASE DHCPINFORM BOOTREPLY DHCPOFFER DHCPACK DHCPNAK

CountShows the number of times a specific message was processed. DirectionShows if the message type is Sent or Received. Total Messages ReceivedShows the total number of messages received by the security appliance. Total Messages SentShows the total number of messages sent by the security appliance. CounterShows general statistical DHCP data, including the following:
DHCP UDP Unreachable Errors DHCP Other UDP Errors Address Pools Automatic Bindings Expired Bindings Malformed Messages

ValueShows the number of each counter item. RefreshUpdates the DHCP table listings. Last UpdatedShows when the data in the tables was last updated.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

40-4

OL-10106-01

Chapter 40

Monitoring Interfaces MAC Address Table

MAC Address Table


Monitoring > Interfaces > MAC Address Table The MAC Address Table pane shows the static and dynamic MAC address entries. See Configuration > Properties > Bridging > MAC Address Table for more information about the MAC address table and adding static entries.
Fields

InterfaceShows the interface name associated with the entry. MAC AddressShows the MAC address. TypeShows if the entry is static or dynamic. AgeShows the age of the entry, in minutes. To set the timeout, see MAC Address Table. RefreshRefreshes the table with current information from the security appliance.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed Security Context Multiple Transparent Single

Context

System

Dynamic ACLs
Monitoring > Interfaces > Dynamic ACLs The Dynamic ACLs pane shows a table of the Dynamic ACLs, which are functionally identical to the user-configured ACLs except that they are created, activated and deleted automatically by the security appliance. These ACLs do not show up in the configuration and are only visible in this table. They are identified by the (dynamic) keyword in the ACL header. When you choose an ACL in this table, the contents of the ACL is shown in the bottom text field.
Fields

ACLShows the name of the dynamic ACL. Element CountShows the number of elements in the ACL Hit CountShows the total hit count for all of the elements in the ACL.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

40-5

Chapter 40 Interface Graphs

Monitoring Interfaces

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Interface Graphs
Monitoring > Interfaces > Interface Graphs The Interface Graphs pane lets you view interface statistics in graph or table form. If an interface is shared among contexts, the security appliance shows only statistics for the current context. The number of statistics shown for a subinterface is a subset of the number of statistics shown for a physical interface.
Fields

Available Graphs forLists the types of statistics available for monitoring. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Byte CountsShows the number of bytes input and output on the interface. Packet CountsShows the number of packets input and output on the interface. Packet RatesShows the rate of packets input and output on the interface. Bit RatesShows the bit rate for the input and output of the interface. Drop Packet CountShows the number of packets dropped on the interface.

These additional statistics display for physical interfaces:


Buffer ResourcesShows the following statistics:

OverrunsThe number of times that the security appliance was incapable of handing received data to a hardware buffer because the input rate exceeded the security appliance capability to handle the data. UnderrunsThe number of times that the transmitter ran faster than the security appliance could handle. No BufferThe number of received packets discarded because there was no buffer space in the main system. Compare this with the ignored count. Broadcast storms on Ethernet networks are often responsible for no input buffer events.
Packet ErrorsShows the following statistics:

CRCThe number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the security appliance notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data. FrameThe number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.

ASDM User Guide

40-6

OL-10106-01

Chapter 40

Monitoring Interfaces Interface Graphs

Input ErrorsThe number of total input errors, including the other types listed here. Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for the other types. RuntsThe number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference. GiantsThe number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant. DeferredFor FastEthernet interfaces only. The number of frames that were deferred before transmission due to activity on the link.
MiscellaneousShows statistics for received broadcasts. Collision CountsFor FastEthernet interfaces only. Shows the following statistics:

Output ErrorsThe number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic. CollisionsThe number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets. Late CollisionsThe number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the security appliance is partly finished sending the packet. The security appliance does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
Input QueueShows the number of packets in the input queue, the current and the maximum,

including the following statistics: Hardware Input QueueThe number of packets in the hardware queue. Software Input QueueThe number of packets in the software queue.
Output QueueShows the number of packets in the output queue, the current and the

maximum, including the following statistics: Hardware Output QueueThe number of packets in the hardware queue. Software Output QueueThe number of packets in the software queue.
Drop Packet QueueShows the number of packets dropped.

AddAdds the selected statistic type to the selected graph window. RemoveRemoves the selected statistic type from the selected graph window. This button name changes to Delete if the item you are removing was added from another panel, and is not being returned to the Available Graphs pane.

ASDM User Guide OL-10106-01

40-7

Chapter 40 Interface Graphs

Monitoring Interfaces

Show GraphsShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, choose the open graph window name. The statistics already included on the graph are shown in the Selected Graphs pane, to which you can add additional types. Graph windows are named for ASDM followed by the interface IP address and the name Graph. Subsequent graphs are named Graph (2) and so on. Selected GraphsShows the statistic types you want to show in the selected graph window. You an include up to four types.
Show GraphsShows the graph window or updates the graph with additional statistic types if

added.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Graph/Table
Monitoring > Interfaces > Interface Graphs > Graph/Table The Graph window shows a graph for the selected statistics. The Graph window can show up to four graphs and tables at a time. By default, the graph or table displays the real-time statistics. If you enable History Metrics, you can view statistics for past time periods.
Fields

ViewSets the time period for the graph or table. To view any time period other than real-time, enable History Metrics. The data is updated according to the specification of the following options:
Real-time, data every 10 sec Last 10 minutes, data every 10 sec Last 60 minutes, data every 1 min Last 12 hours, data every 12 min Last 5 days, data every 2 hours

ExportExports the graph in comma-separated value format. If there is more than one graph or table on the Graph window, the Export Graph Data dialog box appears. Choose one or more of the graphs and tables listed by checking the box next to the name. PrintPrints the graph or table. If there is more than one graph or table on the Graph window, the Print Graph dialog box appears. Choose the graph or table you want to print from the Graph/Table Name list. BookmarkOpens a browser window with a single link for all graphs and tables on the Graphs window, as well as individual links for each graph or table. You can then copy these URLs as bookmarks in your browser. ASDM does not have to be running when you open the URL for a graph; the browser launches ASDM and then displays the graph.

ASDM User Guide

40-8

OL-10106-01

Chapter 40

Monitoring Interfaces PPPoE Client

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

PPPoE Client
Monitoring > Interfaces > PPPoE Client The PPPoE Client Lease Information pane displays information about current PPPoE connections.
Fields

Select a PPPoE interfaceSelect an interface that you want to view PPPoE client lease information. Refreshloads the latest PPPoE connection information from the security appliance for display.

interface connection
Monitoring > Interfaces > interface connection The interface connection node in the Monitoring > Interfaces tree only appears if static route tracking is configured. If you have several routes tracked, there will be a node for each interface that contains a tracked route. See the following for more information about the route tracking information available:

Track Status for, page 40-9 Monitoring Statistics for, page 40-10

Track Status for


Monitoring > Interfaces > interface connection > Track Status for The Track Status for pane displays information about the the tracked object.
Fields

Tracked RouteDisplay only. Displays the route associated with the tracking process. Route StatisticsDisplay only. Displays the reachability of the object, when the last change in reachability occurred, the operation return code, and the process that is performing the tracking.

ASDM User Guide OL-10106-01

40-9

Chapter 40 interface connection

Monitoring Interfaces

Modes

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Monitoring Statistics for


Monitoring > Interfaces > interface connection > Monitoring Statistics for The Monitoring Statics for pane displays statistics for the SLA monitoring process.
Fields

SLA Monitor IDDisplay only. Displays the ID of the SLA monitoring process. SLA statisticsDisplay only. Displays SLA monitoring statistics, such as the last time the process was modified, the number of operations attempted, the number of operations skipped, and so on.

Modes

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide

40-10

OL-10106-01

C H A P T E R

41

Monitoring Routing
You can monitor the following routing information on the security appliance:

OSPF LSAs OSPF Neighbors Routes

OSPF LSAs
You can view the LSAs stored in the security appliance OSPF database. There are 4 types of LSAs stored in the database, each with its own particular format. The following briefly describes the LSA types:

Router LSAs (Type 1 LSAs) describe the routers attached to a network. Network LSAs (Type 2 LSAs) describe the networks attached to an OSPF router. Summary LSAs (Type 3 and Type 4 LSAs) condense routing information at area borders. External LSAs (Type 5 and Type 7 LSAs) describe routes to external networks.

To learn more about the information displayed for each LSAs type, see the following:

Type 1 Type 2 Type 3 Type 4 Type 5 Type 7

Type 1
Monitoring > Routing > Routing > OSPF LSAs > Type 1 Type 1 LSAs are router link advertisements that are passed within an area by all OSPF routers. They describe the router links to the network. Type 1 LSAs are only flooded within a particular area. The Type 1 pane displays all Type 1 LSAs received by the security appliance. Each row in the table represents a single LSA.

ASDM User Guide OL-10106-01

41-1

Chapter 41 OSPF LSAs

Monitoring Routing

Fields

ProcessDisplay only. Displays the OSPF process for the LSA. AreaDisplay only. Displays the OSPF area for the LSA. Router IDDisplay only. Displays the OSPF router ID of the router originating the LSA. AdvertiserDisplay only. Displays the ID of the router originating the LSA. For router LSAs, this is identical to the Router ID. AgeDisplay only. Displays the age of the link state. Sequence #Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. ChecksumDisplay only. Displays the checksum of the contents of the LSA. Link CountDisplay only. Displays the number of interfaces detected for the router.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Type 2
Monitoring > Routing > Routing > OSPF LSAs > Type 2 Type 2 LSAs are network link advertisements that are flooded within an area by the Designated Router. They describe the routers attached to specific networks. The Type 2 pane displays the IP address of the Designated Router that advertises the routes.
Fields

ProcessDisplay only. Displays the OSPF process for the LSA. AreaDisplay only. Displays the OSPF area for the LSA. Designated RouterDisplay only. Displays the IP address of the Designated Router interface that sent the LSA. AdvertiserDisplay only. Displays the OSPF router ID of the Designated Router that sent the LSA. AgeDisplay only. Displays the age of the link state. Sequence #Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. ChecksumDisplay only. Displays the checksum of the contents of the LSA.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

41-2

OL-10106-01

Chapter 41

Monitoring Routing OSPF LSAs

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Type 3
Monitoring > Routing > Routing > OSPF LSAs > Type 3 Type 3 LSA are summary link advertisements that are passed between areas. They describe the networks within an area.
Fields

ProcessDisplay only. Displays the OSPF process for the LSA. AreaDisplay only. Displays the OSPF area for the LSA. DestinationDisplay only. Displays the address of the destination network being advertised. AdvertiserDisplay only. Displays the ID of the ABR that sent the LSA. AgeDisplay only. Displays the age of the link state. Sequence #Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. ChecksumDisplay only. Displays the checksum of the contents of the LSA.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Type 4
Monitoring > Routing > Routing > OSPF LSAs > Type 3 Type 4 LSAs are summary link advertisements that are passed between areas. They describe the path to the ASBR. Type 4 LSAs do not get flooded into stub areas.
Fields

ProcessDisplay only. Displays the OSPF process for the LSA. AreaDisplay only. Displays the OSPF area for the LSA. Router IDDisplay only. Displays the router ID of the ASBR. AdvertiserDisplay only. Displays the ID of the ABR that sent the LSA.

ASDM User Guide OL-10106-01

41-3

Chapter 41 OSPF LSAs

Monitoring Routing

AgeDisplay only. Displays the age of the link state. Sequence #Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. ChecksumDisplay only. Displays the checksum of the contents of the LSA.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Type 5
Monitoring > Routing > Routing > OSP LSAs > Type 3 Type 5 LSAs are passed between and flooded into areas by ABSRs. They describe routes external to the AS. Stub areas and NSSAs do not receive these LSAs.
Fields

ProcessDisplay only. Displays the OSPF process for the LSA. NetworkDisplay only. Displays the address of the AS external network. AdvertiserDisplay only. Displays the router ID of the ASBR. AgeDisplay only. Displays the age of the link state. Sequence #Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. ChecksumDisplay only. Displays the checksum of the contents of the LSA. TagDisplay only. Displays the external route tag, a 32-bit field attached to each external route. This is not used by the OSPF protocol itself.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Type 7
Monitoring > Routing > Routing > OSPF LSAs > Type 7

ASDM User Guide

41-4

OL-10106-01

Chapter 41

Monitoring Routing OSPF Neighbors

Type 7 LSAs are NSSA AS-external routes that are flooded by the ASBR. They are similar to Type 5 LSAs, but unlike Type 5 LSAs, which are flooded into multiple areas, Type 7 LSAs are only flooded into NSSAs. Type 7 LSAs are converted to Type 5 LSAs by ABRs before being flooded into the area backbone.
Fields

ProcessDisplay only. Displays the OSPF process for the LSA. AreaDisplay only. Displays the OSPF area for the LSA. NetworkDisplay only. Displays the address of the external network. AdvertiserDisplay only. Displays the router ID of the ASBR that sent the LSA. AgeDisplay only. Displays the age of the link state. Sequence #Display only. Displays the link state sequence number. The link state sequence number is used to detect old or duplicate LSAs. ChecksumDisplay only. Displays the checksum of the contents of the LSA. TagDisplay only. Displays the external route tag, a 32-bit field attached to each external route. This is not used by the OSPF protocol itself.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

OSPF Neighbors
Monitoring > Routing > Routing > OSPF Neighbors The OSPF Neighbor pane displays the OSPF neighbors dynamically discovered and statically configured OSPF neighbors on the security appliance.
Fields

NeighborDisplay only. Displays the neighbor router ID. PriorityDisplay only. Displays the router priority. StateDisplay only. Displays the OSPF state for the neighbor:
DownThis is the first OSPF neighbor state. It means that no hello packets have been received

from this neighbor, but hello packets can still be sent to the neighbor in this state. During the fully adjacent neighbor state, if the security appliance does not receive hello packet from a neighbor within the dead interval time, or if the manually configured neighbor is being removed from the configuration, then the neighbor state changes from Full to Down.
AttemptThis state is only valid for manually configured neighbors in an NBMA environment.

In Attempt state, the security appliance sends unicast hello packets every poll interval to the neighbor from which hellos have not been received within the dead interval.

ASDM User Guide OL-10106-01

41-5

Chapter 41 OSPF Neighbors

Monitoring Routing

InitThis state specifies that the security appliance has received a hello packet from its

neighbor, but the ID of the receiving router was not included in the hello packet. When a router receives a hello packet from a neighbor, it should list the router ID of the sender in its hello packet as an acknowledgment that it received a valid hello packet.
2-WayThis state designates that bi-directional communication has been established between

the security appliance and the neighbor. Bi-directional means that each device has seen the hello packet from the other device. This state is attained when the router receiving the hello packet sees its own Router ID within the neighbor field of the received hello packet. At this state, the security appliance decides whether to become adjacent with this neighbor. On broadcast media and non-broadcast multiaccess networks, a the security appliance becomes full only with the designated router and the backup designated router; it stays in the 2-way state with all other neighbors. On point-to-point and point-to-multipoint networks, the security appliance becomes full with all connected neighbors. At the end of this stage, the DR and BDR for broadcast and non-broadcast multiaccess networks are elected.

Note

Receiving a Database Descriptor packet from a neighbor in the Init state will also a cause a transition to 2-way state.
ExstartOnce the DR and BDR are elected, the actual process of exchanging link state

information begins between the security appliance and the DR and BDR. In this state, the security appliance and the DR and BDR establish a master-slave relationship and choose the initial sequence number for adjacency formation. The device with the higher router ID becomes the master and starts the exchange and is therefore the only device that can increment the sequence number.

Note

DR/BDR election occurs by virtue of a higher priority configured on the device instead of highest router ID. Therefore, it is possible that a DR plays the role of slave in this state. Master/slave election is on a per-neighbor basis. If multiple devices have the same DR priority, then the device with the highest IP address becomes the DR.
ExchangeIn the exchange state, OSPF neighbors exchange DBD packets. Database

descriptors contain LSA headers only and describe the contents of the entire link state database. Each DBD packet has a sequence number which can be incremented only by master which is explicitly acknowledged by slave. Routers also send link state request packets and link state update packets (which contain the entire LSA) in this state. The contents of the DBD received are compared to the information contained in the routers link state database to check if new or more current link state information is available with the neighbor.
LoadingIn this state, the actual exchange of link state information occurs. Based on the

information provided by the DBDs, routers send link state request packets. The neighbor then provides the requested link state information in link state update packets. During the adjacency, if a the security appliance receives an outdated or missing LSA, it requests that LSA by sending a link state request packet. All link state update packets are acknowledged.
FullIn this state, the neighbors are fully adjacent with each other. All the router and network

LSAs are exchanged and the router databases are fully synchronized. Full is the normal state for an OSPF router. The only exception to this is the 2-way state, which is normal in a broadcast network. Routers achieve the full state with their DR and BDR only. Neighbors always see each other as 2-way.

ASDM User Guide

41-6

OL-10106-01

Chapter 41

Monitoring Routing Routes

Dead TimeDisplay only. Displays the amount of time remaining that the router waits to receive an OSPF hello packet from the neighbor before declaring the neighbor down. AddressDisplay only. Displays the IP address of the interface to which this neighbor is directly connected. InterfaceDisplay only. Displays the interface on which the OSPF neighbor has formed adjacency.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Routes
Monitoring > Routing > Routing > Routes The Routes pane displays the statically configured, connected, and discovered routes in the security appliance routing table.
Fields

ProtocolDisplay only. Displays the origin of the route information.


RIPThe route was derived using RIP. OSPFThe route was derived using OSPF. CONNECTEDThe route is a network directly connected to the interface. STATICThe route is statically defined.

TypeDisplay only. Displays the type of route. It can be one of the following values:
- (dash)Indicates that the type column does not apply to the specified route. IAThe route is an OSPF interarea route. E1The route is an OSPF external type 1 route. E2The route is an OSPF external type 2 route. N1The route is an OSPF not so stubby area (NSSA) external type 1 route. N2The route is an OSPF NSSA external type 2 route.

DestinationDisplay only. Displays the IP address/netmask of the destination network. GatewayDisplay only. Displays the IP address of the next router to the remote network. InterfaceDisplay only. Displays the interface through which the specified network can be reached. [AD/Metric]Display only. Displays the administrative distance/metric for the route.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

41-7

Chapter 41 Routes

Monitoring Routing

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

41-8

OL-10106-01

C H A P T E R

42

Monitoring VPN
The VPN Monitoring sections show parameters and statistics for the following:

VPN statistics for specific Remote Access, LAN-to-LAN, WebVPN, and E-mail Proxy sessions Encryption statistics for tunnel groups Protocol statistics for tunnel groups Global IPSec and IKE statistics Crypto statistics for IPSec, IKE, SSL, and other protocols Statistics for cluster VPN server loads

VPN Connection Graphs


Displays VPN connection data in graphical or tabular form for the security appliance.

IPSec Tunnels
Monitoring > VPN > VPN Connection Graphs > IPSec Tunnels Use this window to specify graphs and tables of the IPSec tunnel types you want to view, or prepare to export or print.
Fields

Graph Window TitleDisplays the default title that appears in the window when you click Show Graphs. This attribute is particularly useful when you want to clarify data in that window before printing or exporting it. To change the title, select an alternative from the drop-down list or type the title. Available GraphsShows the types of active tunnels you can view. For each type you want to view collectively in a single window, click the entry in this box and click Add. Selected GraphsShows the types of tunnels selected. If you click Show Graphs, ASDM shows the active tunnels types listed in this box in a single window. A highlighted entry indicates the type of tunnel to be removed from the list if you click Remove.

AddMoves the selected tunnel type from the Available Graphs box to the Selected Graphs box.

ASDM User Guide OL-10106-01

42-1

Chapter 42 VPN Connection Graphs

Monitoring VPN

RemoveMoves the selected tunnel type from the Selected Graphs box to the Available Graphs box. Show GraphsDisplays a window consisting of graphs of the tunnel types displayed in the Selected Graphs box. Each type in the window displayed has a Graph tab and a Table tab you can click to alternate the representation of active tunnel data.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Sessions
Monitoring > VPN > VPN Connection Graphs > Sessions Use this panel to specify graphs and tables of the VPN session types you want to view, or prepare to export or print.
Fields

Graph Window TitleDisplays the default title that appears in the window when you click Show Graphs. This attribute is particularly useful when you want to clarify data in that window before printing or exporting it. To change the title, select an alternative from the drop-down list or type the title. Available GraphsShows the types of active sessions you can view. For each type you want to view collectively in a single window, click the entry in this box and click Add. Selected GraphsShows the types of active sessions selected. If you click Show Graphs, ASDM shows all of the active session types listed in this box in a single window. A highlighted entry indicates the type of session to be removed from the list if you click Remove. AddMoves the selected session type from the Available Graphs box to the Selected Graphs box. RemoveMoves the selected session type from the Selected Graphs box to the Available Graphs box. Show GraphsDisplays a window consisting of graphs of the session types displayed in the Selected Graphs box. Each type in the window displayed has a Graph tab and a Table tab you can click to alternate the representation of active session data.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

42-2

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

VPN Statistics
These panels show detailed parameters and statistics for a specific remote-access, LAN-to-LAN, WebVPN, or E-mail Proxy session. The parameters and statistics differ depending on the session protocol. The contents of the statistical tables depend on the type of connection you select. The detail tables show all the relevant parameters for each session.

Sessions
Monitoring > VPN > VPN Statistics > Sessions Use this panel to view session statistics for this server.
Fields

Session types (unlabeled)Lists the number of currently active sessions of each type, the total limit, and the total cumulative session count.
Remote AccessShows the number of remote access sessions. LAN-to-LANShows the number of LAN-to-LAN sessions. WebVPNShows the number of WebVPN sessions. SSL VPN ClientShows the number of SSL VPN Client (SVC) sessions. E-mail ProxyShows the number of E-mail proxy sessions. TotalShows the total number of active concurrent sessions. Total CumulativeShows the cumulative number of sessions since the last time the security

appliance was rebooted or reset.

Filter BySpecifies the type of sessions that the statistics in the following table represent.
Session type (unlabeled)Designates the session type that you want to monitor. The default is

Remote Access.
Session filter (unlabeled)Designates which of the column heads in the following table to filter

on. The default is --All Sessions--.


Filter name (unlabeled)Specifies the name of the filter to apply. If you specify --All

Sessions-- as the session filter list, this field is not available. For all other session filter selections, this field cannot be blank.
FilterExecutes the filtering operation.

ASDM User Guide OL-10106-01

42-3

Chapter 42 VPN Statistics

Monitoring VPN

The contents of the second table, also unlabeled, on this panel depend on the selection in the Filter By list. In the following list, the first-level bullets show the Filter By selection, and the second-level bullets show the column headings for this table.

Remote AccessIndicates that the values in this table relate to remote access traffic.
Username/Tunnel GroupShows the username or login name and the tunnel group for the

session. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate.
Assigned IP Address/Public IP AddressShows the private (assigned) IP address assigned to

the remote client for this session. This is also known as the inner or virtual IP address, and it lets the client appear to be a host on the private network. Also shows the Public IP address of the client for this remote-access session. This is also known as the outer IP address. It is typically assigned to the client by the ISP, and it lets the client function as a host on the public network.
Protocol/EncryptionShows the protocol and the data encryption algorithm this session is using,

if any.
Login Time/DurationShows the date and time (MMM DD HH:MM:SS) that the session

logged in. and the length of the session. Time is displayed in 24-hour notation.
Client Type/VersionShows the type and software version number (for example, rel. 7.0_int 50)

for connected clients, sorted by username.


Bytes Tx/Bytes RxShows the total number of bytes transmitted to/received from the remote

peer or client by the security appliance.


NAC Result and Posture TokenDisplays values in this column only if you configured Network

Admission Control on the security appliance. The NAC Result shows one of the following values: AcceptedACS successfully validated the posture of the remote host. RejectedACS could not successfully validate the posture of the remote host. ExemptedThe remote host is exempt from posture validation according to the Posture Validation Exception list configured on the security appliance. Non-ResponsiveThe remote host did not respond to the EAPoUDP Hello message. Hold-offThe security appliance lost EAPoUDP communication with the remote host after successful posture validation. N/ANAC is disabled for the remote host according to the VPN NAC group policy. UnknownPosture validation is in progress. The posture token is an informational text string that is configurable on the Access Control Server. ACS downloads the posture token to the security appliance for informational purposes to aid in system monitoring, reporting, debugging, and logging. The typical value of the Posture Token field that follows the NAC Result field is as follows: Healthy, Checkup, Quarantine, Infected, or Unknown.

LAN-to-LANIndicates that the values in this table relate to LAN-to-LAN traffic.


Tunnel Group/IP AddressShows the name of the tunnel group and the IP address of the peer. Protocol/EncryptionShows the protocol and the data encryption algorithm this session is using,

if any.
Login Time/DurationShows the date and time (MMM DD HH:MM:SS) that the session

logged in. and the length of the session. Time is displayed in 24-hour notation.

ASDM User Guide

42-4

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

Bytes Tx/Bytes RxShows the total number of bytes transmitted to/received from the remote

peer or client by the security appliance.

WebVPNIndicates that the values in this table relate to WebVPN traffic.


Username/IP AddressShows the username or login name for the session and the IP address of

the client.
Protocol/EncryptionShows the protocol and the data encryption algorithm this session is using,

if any.
Login Time/DurationShows the date and time (MMM DD HH:MM:SS) that the session

logged in. and the length of the session. Time is displayed in 24-hour notation.
Client Type/VersionShows the type and software version number (for example, rel. 7.0_int

50) for connected clients, sorted by username.


Bytes Tx/Bytes RxShows the total number of bytes transmitted to/received from the remote

peer or client by the security appliance.

E-Mail ProxyIndicates that the values in this table relate to WebVPN traffic.
Username/IP AddressShows the username or login name for the session and the IP address of

the client.
Protocol/EncryptionShows the protocol and the data encryption algorithm this session is using,

if any.
Login Time/DurationShows the date and time (MMM DD HH:MM:SS) that the session

logged in. and the length of the session. Time is displayed in 24-hour notation.
Client Type/VersionShows the type and software version number (for example, rel. 7.0_int 50)

for connected clients, sorted by username.


Bytes Tx/Bytes RxShows the total number of bytes transmitted to/received from the remote

peer or client by the security appliance. The remainder of this section describes the buttons and fields beside and below the table.

DetailsDisplays the details for the selected session. The parameters and values differ, depending on the type of session. LogoutEnds the selected session. PingSends an ICMP ping (Packet Internet Groper) packet to test network connectivity. Specifically, the security appliance sends an ICMP Echo Request message to a selected host. If the host is reachable, it returns an Echo Reply message, and the security appliance displays a Success message with the name of the tested host, as well as the elapsed time between when the request was sent and the response received. If the system is unreachable for any reason, (for example: host down, ICMP not running on host, route not configured, intermediate router down, or network down or congested), the security appliance displays an Error screen with the name of the tested host. Logout BySelects a criterion to use to filter the sessions to be logged out. If you select any but --All Sessions--, the box to the right of the Logout By list becomes active. If you selected the value Protocol for Logout By, the box becomes a list, from which you can select a protocol type to use as the logout filter. The default value of this list is IPSec. For all choices other than Protocol, you must supply an appropriate value in this box. Logout SessionsEnds all sessions that meet the specified Logout By criteria. RefreshUpdates the screen and its data. The date and time indicate when the screen was last updated.

ASDM User Guide OL-10106-01

42-5

Chapter 42 VPN Statistics

Monitoring VPN

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Sessions Details
Monitoring > VPN > VPN Statistics > Sessions >Details The Session Details window displays configuration settings, statistics, and state information about the selected session. The Remote Detailed table at the top of the Session Details window displays the following columns:

UsernameShows the username or login name associated with the session. If the remote peer is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate. Group Policy and Tunnel GroupGroup policy assigned to the session and the name of the tunnel group upon which the session is established. Assigned IP Address and Public IP AddressPrivate IP address assigned to the remote peer for this session. Also called the inner or virtual IP address, the assigned IP address lets the remote peer appear to be on the private network. The second field shows the public IP address of the remote computer for this session. Also called the outer IP address, the public IP address is typically assigned to the remote computer by the ISP. It lets the remote computer function as a host on the public network. Protocol/EncryptionProtocol and the data encryption algorithm this session is using, if any. Login Time and DurationTime and date of the session initialization, and the length of the session. The session initialization time is in 24-hour notation. Client Type and VersionType and software version number (for example, rel. 7.0_int 50) of the client on the remote computer. Bytes Tx and Bytes RxShows the total number of bytes transmitted to and received from the remote peer by the security appliance. NAC Result and Posture TokenThe ASDM displays values in this column only if you configured Network Admission Control on the security appliance. The NAC Result shows one of the following values:
AcceptedThe ACS successfully validated the posture of the remote host. RejectedThe ACS could not successfully validate the posture of the remote host. ExemptedThe remote host is exempt from posture validation according to the Posture

Validation Exception list configured on the security appliance.


Non-ResponsiveThe remote host did not respond to the EAPoUDP Hello message. Hold-offThe security appliance lost EAPoUDP communication with the remote host after

successful posture validation.

ASDM User Guide

42-6

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

N/ANAC is disabled for the remote host according to the VPN NAC group policy. UnknownPosture validation is in progress.

The posture token is an informational text string which is configurable on the Access Control Server. The ACS downloads the posture token to the security appliance for informational purposes to aid in system monitoring, reporting, debugging, and logging. The typical posture token that follows the NAC result is as follows: Healthy, Checkup, Quarantine, Infected, or Unknown. The Details tab in the Session Details window displays the following columns:

IDUnique ID dynamically assigned to the session. The ID serves as the security appliance index to the session. It uses this index to maintain and display information about the session. TypeType of session: IKE, IPSec, or NAC. Local Addr., Subnet Mask, Protocol, Port, Remote Addr., Subnet Mask, Protocol, and PortAddresses and ports assigned to both the actual (Local) peer and those assigned to this peer for the purpose of external routing. EncryptionData encryption algorithm this session is using, if any. Assigned IP Address and Public IP AddressShows the private IP address assigned to the remote peer for this session. Also called the inner or virtual IP address, the assigned IP address lets the remote peer appear to be on the private network. The second field shows the public IP address of the remote computer for this session. Also called the outer IP address, the public IP address is typically assigned to the remote computer by the ISP. It lets the remote computer function as a host on the public network. OtherMiscellaneous attributes associated with the session. The following attributes apply to an IKE session: The following attributes apply to an IPSec session: The following attributes apply to a NAC session:
Revalidation Time Interval Interval in seconds required between each successful posture

validation.
Time Until Next Revalidation0 if the last posture validation attempt was unsuccessful.

Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation.
Status Query Time IntervalTime in seconds allowed between each successful posture

validation or status query response and the next status query response. A status query is a request made by the security appliance to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation.
EAPoUDP Session AgeNumber of seconds since the last successful posture validation. Hold-Off Time Remaining0 seconds if the last posture validation was successful. Otherwise,

the number of seconds remaining before the next posture validation attempt.
Posture TokenInformational text string configurable on the Access Control Server. The ACS

downloads the posture token to the security appliance for informational purposes to aid in system monitoring, reporting, debugging, and logging. A typical posture token is Healthy, Checkup, Quarantine, Infected, or Unknown.
Redirect URLFollowing posture validation or clientless authentication, the ACS downloads

the access policy for the session to the security appliance. The Redirect URL is an optional part of the access policy payload. The security appliance redirects all HTTP (port 80) and HTTPS

ASDM User Guide OL-10106-01

42-7

Chapter 42 VPN Statistics

Monitoring VPN

(port 443) requests for the remote host to the Redirect URL if it is present. If the access policy does not contain a Redirect URL, the security appliance does not redirect HTTP and HTTPS requests from the remote host. Redirect URLs remain in force until either the IPSec session ends or until posture revalidation, for which the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL. MorePress this button to revalidate or initialize the session or tunnel group. The ACL tab displays the ACL containing the ACEs that matched the session.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Sub-session Details NAC Details


Monitoring > VPN > VPN Statistics > Sessions >Details >More The NAC Details window lets you view the statistics and state of a NAC session, and revalidate and initialize the session or tunnel group. The statistics and state attributes in this window are as follows:

Reval Int (T)Revalidation Time Interval. Interval in seconds required between each successful posture validation. Reval Left (T)Time Until Next Revalidation. 0 if the last posture validation attempt was unsuccessful. Otherwise, the difference between the Revalidation Time Interval and the number of seconds since the last successful posture validation. SQ Int (T)Status Query Time Interval. Time in seconds allowed between each successful posture validation or status query response and the next status query response. A status query is a request made by the security appliance to the remote host to indicate whether the host has experienced any changes in posture since the last posture validation. EoU Age (T)EAPoUDP Session Age. Number of seconds since the last successful posture validation. Hold Left (T)Hold-Off Time Remaining. 0 seconds if the last posture validation was successful. Otherwise, the number of seconds remaining before the next posture validation attempt. Posture TokenInformational text string configurable on the Access Control Server. The ACS downloads the posture token to the security appliance for informational purposes to aid in system monitoring, reporting, debugging, and logging. A typical posture token is Healthy, Checkup, Quarantine, Infected, or Unknown. Redirect URLFollowing posture validation or clientless authentication, the ACS downloads the access policy for the session to the security appliance. The Redirect URL is an optional part of the access policy payload. The security appliance redirects all HTTP (port 80) and HTTPS (port 443)

ASDM User Guide

42-8

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

requests for the remote host to the Redirect URL if it is present. If the access policy does not contain a Redirect URL, the security appliance does not redirect HTTP and HTTPS requests from the remote host. Redirect URLs remain in force until either the IPSec session ends or until posture revalidation, for which the ACS downloads a new access policy that can contain a different redirect URL or no redirect URL. The buttons in this window are as follows:

Note

Choose Monitoring > VPN > VPN Statistics > NAC Session Summary if you want to revalidate or initialize all sessions that are subject to posture validation.

Revalidate SessionClick if the posture of the peer or the assigned access policy (that is, the downloaded ACL, if any) has changed. Clicking this button initiates a new, unconditional posture validation. The posture validation and assigned access policy that were in effect before you clicked this button remain in effect until the new posture validation succeeds or fails. Clicking this button does not affect the session if it is exempt from posture validation. Initialize SessionClick if the posture of the peer or the assigned access policy (that is, the downloaded ACL, if any) has changed, and you want to clear the resources assigned to the session. Clicking the button purges the EAPoUDP association and access policy, and initiates a new, unconditional posture validation. The NAC default ACL is effective during the revalidation, so the session initialization can disrupt user traffic. Clicking this button does not affect the session if it is exempt from posture validation. Revalidate Tunnel GroupClick if the posture of the peers in the tunnel group occupied by the selected session or the assigned access policies (that is, the downloaded ACLs), have changed. Clicking this button initiates new, unconditional posture validations. The posture validation and assigned access policy that were in effect for each session in the tunnel group before you clicked this button remain in effect until the new posture validation succeeds or fails. Clicking this button does not affect sessions that are exempt from posture validation. Initialize Tunnel GroupClick if the posture of the peers in the tunnel group occupied by the selected session, or the assigned access policies (that is, the downloaded ACLs), have changed, and you want to clear the resources assigned to the sessions. Clicking this button purges the EAPoUDP associations and access policies (that is, the downloaded ACLs, if any) used for posture validation in the tunnel group occupied by the selected session, and initiates new, unconditional posture validations for the effected peers. The NAC default ACL is effective during the revalidations, so the session initializations can disrupt user traffic. Clicking this button does not affect sessions that are exempt from posture validation.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

42-9

Chapter 42 VPN Statistics

Monitoring VPN

Encryption Statistics
Monitoring > VPN > VPN Statistics > Encryption Statistics This panel shows the data encryption algorithms used by currently active user and administrator sessions on the security appliance. Each row in the table represents one encryption algorithm type.
Fields

Show Statistics ForSelects a specific server or group or all tunnel groups. Encryption StatisticsShows the statistics for all the data encryption algorithms in use by currently active sessions.
Encryption AlgorithmLists the encryption algorithm to which the statistics in this row apply. SessionsLists the number of sessions using this algorithm. PercentageIndicates the percentage of sessions using this algorithm relative to the total active

sessions, as a number. The sum of this column equals 100 percent (rounded).

Total Active SessionsShows the number of currently active sessions. Cumulative SessionsShows the total number of sessions since the security appliance was last booted or reset. RefreshUpdates the statistics shown in the Encryption Statistics table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

NAC Session Summary


Monitoring > VPN > VPN Statistics > NAC Session Summary The NAC Session Summary window lets you view the active and cumulative Network Admission Control sessions.
Fields

Active NAC SessionsGeneral statistics about remote peers that are subject to posture validation. Cumulative NAC SessionsGeneral statistics about remote peers that are or have been subject to posture validation. AcceptedNumber of peers that passed posture validation and have been granted an access policy by an Access Control Server. RejectedNumber of peers that failed posture validation or were not granted an access policy by an Access Control Server. ExemptedNumber of peers that are not subject to posture validation because they match an entry in the Posture Validation Exception list configured on the security appliance.

ASDM User Guide

42-10

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

Non-responsiveNumber of peers not responsive to Extensible Authentication Protocol (EAP) over UDP requests for posture validation. Peers on which no CTA is running do not respond to these requests. If the security appliance configuration supports clientless hosts, the Access Control Server downloads the access policy associated with clientless hosts to the security appliance for these peers. Otherwise, the security appliance assigns the NAC default policy. Hold-offNumber of peers for which the security appliance lost EAPoUDP communications after a successful posture validation. The NAC Hold Timer attribute (Configuration > VPN > NAC) determines the delay between this type of event and the next posture validation attempt. N/ANumber of peers for which NAC is disabled according to the VPN NAC group policy. Revalidate AllClick if the posture of the peers or the assigned access policies (that is, the downloaded ACLs), have changed. Clicking this button initiates new, unconditional posture validations of all NAC sessions managed by the security appliance. The posture validation and assigned access policy that were in effect for each session before you clicked this button remain in effect until the new posture validation succeeds or fails. Clicking this button does not affect sessions that are exempt from posture validation. Initialize AllClick if the posture of the peers or the assigned access policies (that is, the downloaded ACLs) have changed, and you want to clear the resources assigned to the sessions. Clicking this button purges the EAPoUDP associations and assigned access policies used for posture validations of all NAC sessions managed by the security appliance, and initiates new, unconditional posture validations. The NAC default ACL is effective during the revalidations, so the session initializations can disrupt user traffic. Clicking this button does not affect sessions that are exempt from posture validation.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Protocol Statistics
Monitoring > VPN > VPN Statistics > Protocol Statistics This panel displays the protocols used by currently active user and administrator sessions on the security appliance. Each row in the table represents one protocol type.
Fields

Show Statistics ForSelects a specific server or group or all tunnel groups. Protocol StatisticsShows the statistics for all the protocols in use by currently active sessions.
ProtocolLists the protocol to which the statistics in this row apply. SessionsLists the number of sessions using this protocol. PercentageIndicates the percentage of sessions using this protocol relative to the total active

sessions, as a number. The sum of this column equals 100 percent (rounded).

Total Active SessionsShows the number of currently active sessions.

ASDM User Guide OL-10106-01

42-11

Chapter 42 VPN Statistics

Monitoring VPN

Cumulative SessionsShows the total number of sessions since the security appliance was last booted or reset. RefreshUpdates the statistics shown in the Protocol Statistics table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Global IKE/IPSec Statistics


Monitoring > VPN > VPN Statistics > Global IKE/IPSec Statistics This panel displays the global IKE/IPSec statistics for currently active user and administrator sessions on the security appliance. Each row in the table represents one global statistic.
Fields

Show Statistics ForSelects a specific protocol, IKE Protocol (the default) or IPSec Protocol. Global IKE/IPSec StatisticsShows the statistics for all the protocols in use by currently active sessions.
StatisticLists the name of the statistical variable. The contents of this column vary, depending

upon the value you select for the Show Statistics For parameter.
ValueThe numerical value for the statistic in this row.

RefreshUpdates the statistics shown in the Global IKE/IPSec Statistics table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Crypto Statistics
Monitoring > VPN > VPN Statistics > Crypto Statistics This panel displays the crypto statistics for currently active user and administrator sessions on the security appliance. Each row in the table represents one crypto statistic.

ASDM User Guide

42-12

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

Fields

Show Statistics ForSelects a specific protocol, IKE Protocol (the default), IPSec Protocol, SSL Protocol, or other protocols. Crypto StatisticsShows the statistics for all the protocols in use by currently active sessions.
StatisticLists the name of the statistical variable. The contents of this column vary, depending

upon the value you select for the Show Statistics For parameter.
ValueThe numerical value for the statistic in this row.

RefreshUpdates the statistics shown in the Crypto Statistics table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

Compression Statistics
Monitoring > VPN > VPN Statistics > Compression Statistics This panel displays the compression statistics for currently active user and administrator sessions on the security appliance. Each row in the table represents one compression statistic.
Fields

Show Statistics ForLets you select compression statistics for all VPN types, or for a single VPN type including IPSec VPN, WebVPN, or SSL VPN Client. StatisticsShows all the statistics for the selected VPN type.
StatisticLists the name of the statistical variable. The contents of this column vary, depending

upon the value you select for the Show Statistics For parameter.
ValueThe numerical value for the statistic in this row.

RefreshUpdates the statistics shown in the Compression Statistics table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

42-13

Chapter 42 VPN Statistics

Monitoring VPN

Cluster Loads
Monitoring > VPN > VPN Statistics > Cluster Loads Use this panel to view the current traffic load distribution among the servers in a VPN load-balancing cluster. If the server is not part of a cluster, you receive an information message saying that this server does not participate in a VPN load-balancing cluster.
Fields

VPN Cluster LoadsDisplays the current load distribution in the VPN load-balancing cluster. Clicking a column heading sorts the table, using the selected column as the sort key.
Public IP AddressDisplays the externally visible IP address for the server. RoleIndicates whether this server is a master or backup device in the cluster. PriorityShows the priority assigned to this server in the cluster. The priority must be an

integer in the range of 1 (lowest) to 10 (highest). The priority is used in the master-election process as one way to determine which of the devices in a VPN load-balancing cluster becomes the master or primary device for the cluster.
ModelIndicates the security appliance model name and number for this server. Load %Indicates what percentage of a servers total capacity is in use, based upon the

capacity of that server.


SessionsShows the number of currently active sessions.

RefreshLoads the table with updated statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

WebVPN SSO Statistics


Monitoring > VPN > WebVPN > SSO Statistics This panel displays the single sign-on statistics for currently active SSO servers configured for the security appliance.

Note

These statistics are for SSO with SiteMinder servers only.


Fields

Show Statistics ForSelects an SSO server. SSO StatisticsShows the statistics for all the currently active sessions on the selected SSO server. SSO statistics that display include:

ASDM User Guide

42-14

OL-10106-01

Chapter 42

Monitoring VPN VPN Statistics

Name of SSO server Type of SSO server Authentication Scheme Version Web Agent URL Number of pending requests Number of authorization requests Number of retransmissions Number of accepts Number of rejects Number of timeouts Number of unrecognized responses

RefreshUpdates the statistics shown in the SSO Statistics table.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context System

Transparent Single

ASDM User Guide OL-10106-01

42-15

Chapter 42 VPN Statistics

Monitoring VPN

ASDM User Guide

42-16

OL-10106-01

C H A P T E R

43

Monitoring Properties
Properties contains the following topics:

AAA Servers CRL Connection Graphs DNS Cache Device Access IP Audit System Resources Graphs

AAA Servers
Monitoring > Properties > AAA Servers The AAA Server pane lets you view the AAA Server configuration.
Prerequisites

None.
Fields

The AAA Server pane displays the following fields:


Server GroupDisplays a configured server group, or LOCAL if none have been configured. ProtocolDisplays what protocol the server group uses for AAA. IP AddressDisplays the IP address of the configured AAA server.

Below the list of AAA servers are the statistics for each configured server. You can clear the statistics using the Clear Server Stats button.
Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

43-1

Chapter 43 CRL

Monitoring Properties

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

CRL
Monitoring > Properties > CRL This pane allows you to view or clear associated CRLs of selected Trustpoints. Trustpoints are configured in Configuration > Device Administration > Certificates > Trustpoints.
Fields

Trustpoint nameThe name of the selected Trustpoint. View CRLView the selected CRL. Clear CRLClear the selected CRL from the cache. CRL infoDisplay only. Displays detailed CRL information.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Connection Graphs
The Connection Graphs pane let you view connection information about the security appliance in graph format. You can view information about NAT and performance monitoring information, including UDP connections, AAA performance, and inspection information. Refer to the following topics for more information:

Xlates Perfmon

Xlates
Monitoring > Properties > Connection Graphs > Xlates Xlates lets you view the active Network Address Translations in a graph format. You can graph a maximum or four graphs in one frame.

ASDM User Guide

43-2

OL-10106-01

Chapter 43

Monitoring Properties Connection Graphs

Fields

Available Graphs For:Lists the components you can graph.


Xlate UtilizationDisplays the security appliance NAT utilization.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For field to the Selected Graphs field. RemoveRemoves the selected statistic type from the Selected Graphs field. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Perfmon
Monitoring > Properties > Connection Graphs > Perfmon The Perfmon pane lets you view the performance information in a graph format. You can graph a maximum or four graphs in one frame. This information includes the number of translations, connections, Websense requests, address translations, and AAA transactions that occur each second.
Fields

Available Graphs For:Lists the components you can graph.


AAA PerfmonDisplays the security appliance AAA performance information. Inspection PerfmonDisplays the security appliance inspection performance information. Web PerfmonDisplays the security appliance web performance information, including URL

access and URL server requests.


Connections PerfmonDisplays the security appliance connections performance information. Xlate PerfmonDisplays the security appliance NAT performance information.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window).

ASDM User Guide OL-10106-01

43-3

Chapter 43 DNS Cache

Monitoring Properties

AddClick this button to move the selected entries in the Available Graphs For field to the Selected Graphs field. RemoveRemoves the selected statistic type from the Selected Graphs field. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

DNS Cache
Monitoring > Properties > DNS Cache The security appliance provides a local cache of DNS information from external DNS queries sent out for certain WebVPN and Certificate commands. Each DNS translation request is first looked for in the local cache. If the local cache has the information, the resulting IP address is returned. If the local cache can not resolve the request, a DNS query is sent to the various DNS servers that have been configured. If an external DNS server resolves the request, the resulting IP address is stored in the local cache along with its corresponding hostname.
Important Notes

DNS cache entries are time stamped. The time stamp will be used to age out unused entries. When the entry is added to the cache the time stamp is initialized. Each time the entry is accessed the timestamp is updated. At a configured time interval, the DNS cache will check all entries and purge those entries whose time exceeds a configured age out timer. If new entries arrive but there is no room in the cache, since the size exceeded or there is no more memory allowed, the cache will be thinned by one third based on entries age. The oldest entries will be removed. The entire cache can be cleared by clicking the Clear Cache button.

Fields

HostThe DNS name of the host. IP AddressShows the address that resolves to the hostname. PermanentIndicates if the entry made though a name command. Idle TimeGives the time elapsed since the security appliance last referred to that entry. ActiveIndicates if the entry has aged out. If there is no sufficient space in cache, this entry may be deleted. Clear CacheClears the DNS cache.

Modes

The following table shows the modes in which this feature is available:

ASDM User Guide

43-4

OL-10106-01

Chapter 43

Monitoring Properties Device Access

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Device Access
Monitoring > Properties >Device Access Device Access lets you monitor management sessions, AAA locked out users, and authenticated users. Device Access contains the following topics:

AAA Local Locked Out Users Authenticated Users HTTPS/ASDM Sessions Secure Shell Sessions Telnet Sessions

AAA Local Locked Out Users


Monitoring > Properties > Device Access > AAA Local Locked Out Users The AAA Local Locked Out Users pane lets you view a list of users who have been locked out of ASDM for failed login attempts. You can also clear selected lockout conditions or all lockouts.
Fields

The AAA Local Lockouts area displays the following.


Currently locked out usersA list of the currently locked out users. Lock TimeThe amount of time the user has been locked out from accessing the system. Failed AttemptsThe number of failed login attempts. UserThe user name used with the failed login attempts. RefreshUpdates the display with the most current information. Clear lockoutClears the selected user lockout condition. Clear all lockoutsClears all user lockout conditions. It is good practice to refresh the list of lockout conditions before clearing all lockouts.

The following buttons are also available:


Modes

The following table shows the modes in which this feature is available:

ASDM User Guide OL-10106-01

43-5

Chapter 43 Device Access

Monitoring Properties

Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Authenticated Users
Monitoring > Properties > Device Access > Authenticated Users This pane lets you view what users are authenticated to the security appliance.
Fields

UserDisplays the user name of the person authenticated to the security appliance. IP AddressDisplays the IP address of the user authenticated to the security appliance. Dynamic ACLDisplays the dynamic access list of the user authenticated to the security appliance. Inactivity TimeoutDisplays the amount of time the selected user must remain inactive before the session times out and the user is disconnected. Absolute TimeoutDisplays the amount of time the selected user can remain connected before the session closes and the user is disconnected. RefreshSelect to refresh the list of currently authenticated users.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

HTTPS/ASDM Sessions
Monitoring > Properties > Device Access > HTTPS/ASDM The HTTPS/ASDM pane lets you view currently connected HTTPS/ASDM sessions. A secure connection is needed so that a PC or workstation client running ASDM in a network browser window can communicate with the security appliance.
Fields

The HTTPS/ASDM pane displays the following fields:


Session IDDisplays the name of a connected HTTPS/ASDM session. IP AddressDisplays the IP address of each host or network permitted to connect to this security appliance.

ASDM User Guide

43-6

OL-10106-01

Chapter 43

Monitoring Properties Device Access

RefreshSelect to refresh the list of currently connected HTTPS/ASDM sessions. DisconnectSelect to disconnect a connected HTTPS/ASDM session.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Secure Shell Sessions


Monitoring > Properties > Device Access > Secure Shell Sessions The Secure Shell Sessions pane lets you view hosts connected to the security appliance for administrative access using the SSH protocol.
Fields

The Currently Connected Secure Shell Sessions pane displays the following fields:

ClientDisplays the client type for the selected SSH session. UserDisplays the user name for the selected SSH session. StateDisplays the state of the selected SSH session. VersionDisplays the version of SSH used to connect to the security appliance. Encryption (in)Displays the inbound encryption method used for the selected session. Encryption (out)Displays the outbound encryption method used for the selected session. HMAC (in)Displays the configured HMAC for the selected inbound SSH session. HMAC (out)Displays the configured HMAC for the selected outbound SSH session. SIDDisplays the secure ID of the selected session. RefreshSelect to refresh the list of currently connected SSH sessions. DisconnectSelect to disconnect a connected SSH session.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

43-7

Chapter 43 IP Audit

Monitoring Properties

Telnet Sessions
Monitoring > Properties > Device Access > Telnet The Telnet Sessions pane lets you view currently connected Telnet sessions.
Fields

The Telnet Sessions pane displays the following fields:


Session IDDisplays the name of a connected Telnet sessions. IP AddressDisplays the IP address of each host permitted to connect to this security appliance over Telnet. RefreshSelect to refresh the list of currently connected Telnet sessions. DisconnectSelect to disconnect a connected Telnet session.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

IP Audit
Monitoring > Properties > IP Audit The IP Audit pane lets you view the number of packets that match informational and attack signatures in graph or table form. Each statistic type shows the combined packets for all interfaces that have IP audit enabled.
Fields

Available Graphs forLists the types of signatures available for monitoring. See IP Audit Signatures fro detailed information about each signature type. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
IP OptionsShows the packet count for the following signatures:

Bad Options List (1000) Timestamp (1002) Provide s, c, h, tcc (1003) SATNET ID (1005)
IP Route OptionsShows the packet count for the following signatures:

Loose Source Route (1004) Record Packet Route (1001) Strict Source Route (1006)

ASDM User Guide

43-8

OL-10106-01

Chapter 43

Monitoring Properties IP Audit

IP AttacksShows the packet count for the following signatures:

IP Fragment Attack (1100) Impossible IP Packet (1102) IP Teardrop (1103)


ICMP RequestsShows the packet count for the following signatures:

Echo Request (2004) Time Request (2007) Info Request (2009) Address Mask Request (2011)
ICMP ResponsesShows the packet count for the following signatures:

Echo Reply (2000) Source Quench (2002) Redirect (2003) Time Exceeded (2005) Parameter Problem (2006)
ICMP RepliesShows the packet count for the following signatures:

Unreachable (2001) Time Reply (2008) Info Reply (2010) Address Mask reply (2012)
ICMP AttacksShows the packet count for the following signatures:

Fragmented ICMP (2150) Large ICMP (2151) Ping of Death (2154)


TCP AttacksShows the packet count for the following signatures:

No Flags (3040) SYN & FIN Flags Only (3041) FIN Flag Only (3042)
UDP AttacksShows the packet count for the following signatures:

Bomb (4050) Snork (4051) Chargen (4052)


DNS AttacksShows the packet count for the following signatures:

Host Info (6050) Zone Transfer (6051) Zone Transfer High Port (6052) All Records (6053)
FTP AttacksShows the packet count for the following signatures:

ASDM User Guide OL-10106-01

43-9

Chapter 43 IP Audit

Monitoring Properties

Improper Address (3153) Improper Port (3154)


RPC Requests to Target HostsShows the packet count for the following signatures:

Port Registration (6100) Port Unregistration (6101) Dump (6102)


YP Daemon Portmap RequestsShows the packet count for the following signatures:

ypserv Portmap Request (6150) ypbind Portmap Request (6151) yppasswdd Portmap Request (6152) ypupdated Portmap Request (6153) ypxfrd Portmap Request (6154)
Miscellaneous Portmap RequestsShows the packet count for the following signatures:

mountd Portmap Request (6155) rexd Portmap Request (6175)


Miscellaneous RPC CallsShows the packet count for the following signatures:

rexd Attempt (6180)


RPC AttacksShows the packet count for the following signatures:

statd Buffer Overflow (6190) Proxied RPC (6103)


AddAdds the selected statistic type to the selected graph window. RemoveRemoves the selected statistic type from the selected graph window. Show GraphsShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included on the graph are shown in the Selected Graphs pane, to which you can add additional types. Graph windows are named for ASDM followed by the interface IP address and the name Graph. Subsequent graphs are named Graph (2) and so on. Selected GraphsShows the statistic types you want to show in the selected graph window. You an include up to four types.
Show GraphsShows the graph window or updates the graph with additional statistic types if

added.
Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide

43-10

OL-10106-01

Chapter 43

Monitoring Properties System Resources Graphs

System Resources Graphs


Monitoring > Properties > System Resources Graphs System Resources Graphs lets you view the status of the security appliance memory, CPU, and block utilization. You can graph a maximum or four graphs in one frame. System Resources Graphs contains the following topics:

Blocks CPU Memory

Blocks
Monitoring > Properties > System Resources Graphs > Blocks Blocks lets you view the free and used memory blocks in a graph format. You can graph a maximum or four graphs in one frame.
Fields

Available Graphs For:Lists the components you can graph.


Blocks UsedDisplays the security appliance used memory blocks. Blocks FreeDisplays the security appliance free memory blocks.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For field to the Selected Graphs field. RemoveRemoves the selected statistic type from the Selected Graphs field. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

43-11

Chapter 43 System Resources Graphs

Monitoring Properties

CPU
Monitoring > Properties > System Resources Graphs > CPU CPU lets you view the CPU utilization in a graph format. You can graph a maximum or four graphs in one frame.
Fields

Available Graphs For:Lists the components you can graph.


CPU UtilizationDisplays the security appliance CPU utilization.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For field to the Selected Graphs field. RemoveRemoves the selected statistic type from the Selected Graphs field. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

Memory
Monitoring > Properties > System Resources Graphs > Memory Memory lets you view the memory utilization in a graph format. You can monitor free and used memory available in real time. You can graph a maximum or four graphs in one frame.
Fields

Available Graphs For:Lists the components you can graph.


Free MemoryDisplays the security appliance free memory. Used MemoryDisplays the security appliance used memory.

Graph WindowShows the graph window name to which you want to add a statistic type. If you have a graph window already open, a new graph window is listed by default. If you want to add a statistic type to an already open graph, select the open graph window name. The statistics already included in the graph window are shown in the Selected Graphs field, to which you can add additional types (up to a maximum of four types per window). AddClick this button to move the selected entries in the Available Graphs For field to the Selected Graphs field.

ASDM User Guide

43-12

OL-10106-01

Chapter 43

Monitoring Properties System Resources Graphs

RemoveRemoves the selected statistic type from the Selected Graphs field. Show GraphsClick to display a new or updated graph window with the selected statistics.

Modes

The following table shows the modes in which this feature is available: Firewall Mode Routed

Security Context Multiple Context

Transparent Single

System

ASDM User Guide OL-10106-01

43-13

Chapter 43 System Resources Graphs

Monitoring Properties

ASDM User Guide

43-14

OL-10106-01

I N D EX

A
AAA authorization downloadable access lists local fallback overview support ABR definition of description fields
15-2 14-1 15-2 10-1 19-1 10-3 19-13

about

12-2 12-2 12-2

command replication Active/Standby failover ActiveX filtering option


20-9

configuration synchronization
12-2

object filtering, benefits of description


28-6 15-2

20-5 15-2

performance
10-2

Add/Edit Access Group dialog box fields


15-3

AAA server group, add (group-policy)

Add/Edit Filtering Entry dialog box description fields


14-9 14-9

14-9

Access Group panel


15-2

Add/Edit IGMP Join Group dialog box description fields


15-4 15-4

15-4

access lists downloadable ACE add/edit/paste ACL enabling IPSEC authenticated inbound sessions to bypass ACLs 28-61 extended standard
28-12 28-42 28-13 28-12 19-13 28-47

Add/Edit IGMP Static Group dialog box description fields


15-7 15-7

15-6

Accounting tab, tunnel group

Add/Edit Multicast Group dialog box description fields


15-12 15-12

15-12

Extended ACL tab

Add/Edit Multicast Route dialog box description fields


15-8 14-5 15-8

for WebVPN
28-11

Add/Edit OSPF Area dialog box description fields


28-13 14-5 14-5

ACL Manager Add/Edit/Paste ACE dialog box ACLs defining traffic match criteria Active/Active failover
21-4 28-11

Add/Edit OSPF Neighbor Entry dialog box description fields


14-18 14-18 14-18

14-18

Restrictions

Add/Edit Periodic Time Range dialog box

6-114

ASDM User Guide OL-10106-01

IN-1

Index

Add/Edit Redistribution dialog box description fields


14-16 14-16

14-16

APN, GTP application inspection APPE command, denied request application access

6-62 6-55

Add/Edit Rendezvous Point dialog box description fields


15-11 15-11 15-11

15-11

and e-mail proxy and Web Access

30-7 30-7 30-6 30-6

configuring client applications enabling cookies on browser


14-8

restrictions about fields


14-8 14-8

Add/Edit Route Summarization dialog box

privileges

30-6 30-6 30-6

quitting properly setting up on client


11-8

Add/Edit SSH Configuration dialog box description fields


11-8 11-8

using e-mail

30-7 30-7 6-69

with IMAP client application firewall application inspection described


6-113 14-20 6-30

Add/Edit Summary Address dialog box description fields


14-19 14-19

enabling for different protocols security level requirements Apply button description
28-48 26-12 1-21 14-5

21-15

Add/Edit Time Range dialog box Add/Edit Virtual Link dialog box description fields
14-21 14-20

4-1, 5-17

Area/Networks tab
14-5

address assignment, client address pools, tunnel group admin context overview
7-1

fields

14-5 14-1

Address Pool panel, VPN wizard


28-48

area border router ARP inspection


26-13

Address Translation Exemption panel, VPN wizard

configuring ARP spoofing ARP table monitoring static entry

23-1 23-2

administrative access using ICMP for description fields


9-7 14-14 9-7 8-7 9-7

40-1 23-3

Advanced DHCP Options dialog box

ASA 5505 client Xauth ASBR definition of ASDM


14-21 14-1 28-64

Advanced OSPF Interface Properties dialog box description fields


14-14 14-14

Advanced OSPF Virtual Link Properties dialog box description fields


14-21 28-48 8-8, 8-9 14-21

version attacks

1-23 21-14

assured forwarding (AF), traffic match criteria DNS HINFO request


24-9 24-9

Advanced tab, tunnel group

alternate address, ICMP message


ASDM User Guide

DNS request for all records

IN-2

OL-10106-01

Index

DNS zone transfer

24-9 24-9

learning, disabling overview static entry Browse ICMP Browse Other


23-5 23-6 24-8

23-6

DNS zone transfer from high port fragmented ICMP traffic IP fragment
24-6 24-6 24-8

management IP address
28-17 28-18

8-1

IP impossible packet large ICMP traffic ping of death


24-8

Browse Source or Destination Address


24-9 24-10 24-9 24-8 24-8

28-15

proxied RPC request statd buffer overflow TCP FIN only flags TCP NULL flags UDP bomb UDP snork
24-9

Browse Source or Destination Port Browse Time Range building blocks


6-1 28-9

28-15

TCP SYN+FIN flags UDP chargen DoS


24-9

C
CA certificate call agents
26-12 33-1

24-9

Attributes Pushed to Client panel, VPN wizard authenticating a certificate authentication FTP HTTP Telnet
19-5 19-5 19-5 14-10 33-1

MGCP application inspection Cancel button certificate exporting fingerprint importing installing managing
33-16 33-2 33-17 33-17 33-5 33-1 1-21

6-85, 6-86

CDUP command, denied request

6-55

Authentication tab description fields


14-11 14-10

Authentication tab, tunnel group Authorization tab, tunnel group Auto Signon group-policy
28-41

28-45 28-46

certificate authentication certificate enrollment classes

33-2 28-23

Cisco Client Parameters tab See resource management

B
bandwidth Basic tab general tab, tunnel group
28-44 28-51 28-55 1-24 28-22

Client Access Rule, add or edit Client Address Assignment Client Configuration tab Client Firewall tab
28-26

28-20

28-48 26-10

Client Authentication panel, VPN wizard


28-21

banner, view/configure

client parameters, configuring

28-21 28-3

IPSec LAN-to-LAN, General tab bridging MAC address table

Client Update, edit , Windows and VPN 3002 clients Client Update window, Windows and VPN 3002 clients 28-1 configuration
ASDM User Guide

tunnel group WebVPN Access, General tab

OL-10106-01

IN-3

Index

context files factory default description fields


15-5

7-2 2-1 15-5

configuring fields
36-18

36-18

CSC File Transfer panel CSC IP address configuring CSC license


36-9

Configure IGMP Parameters dialog box


15-5

configuring CSC activation CSC email CSC file transfer CSC IP address CSC license
36-8 36-11 36-8 36-15 36-18 36-9

configuring configuring CSC memory monitoring

36-8

CSC management access


36-11

38-5

CSC management access CSC notifications CSC password CSC updates CSC Web CSC Setup Wizard
36-18 36-14 36-10 36-11 36-12

CSC notifications configuring CSC password configuring monitoring


36-11 36-10

CSC security events


38-2 36-12 36-13 1-24 28-35

CSC wizard summary connections per second Content Filtering tab context mode viewing contexts See security contexts
1-23

CSC Setup Wizard summary monitoring CSC SSM getting started overview
8-8, 8-9 36-1 36-5 36-13

CSC software updates


38-3

36-3

conversion error, ICMP message CPU usage CRL cache refresh time enforce next update retrieval method retrieval policy CSC activation configuring CSC CPU monitoring CSC email configuring
36-15 38-4 36-8 33-15 33-15 1-23

what to scan CSC threats


21-3

Create a Service Policy and Apply to group box

monitoring CSC updates configuring CSC Web configuring CSD Setup CTIQBE

38-1

36-18

33-13 33-12

36-14

29-8

application inspection, enabling cut-through proxy


19-1

21-15

D
data flow

CSC file transfer


ASDM User Guide

IN-4

OL-10106-01

Index

routed firewall default class


7-12

16-3 16-12

digital certificates DNS


2-1 21-4

33-1 29-12

transparent firewall default configuration default routes

disabling content rewrite

application inspection, enabling DNS client


9-9 24-9

21-15

default inspection traffic

DNS HINFO request attack


14-29 14-29 14-30 28-4 28-15

defining equal cost routes definition of for tunneled traffic default tunnel gateway destination port, browse Device Pass-Through DHCP configuring monitoring interface lease IP addresses server services statistics DHCP relay overview description fields
9-3 9-3 9-1 9-1 40-2 40-4 40-2 40-2 9-4

DNS request for all records attack DNS zone transfer attack downloadable access lists configuring DSCP traffic match criteria duplex
21-4, 21-14 19-13 24-9

24-9

DNS zone transfer from high port attack

24-9

destination address, browse


28-65

28-15

converting netmask expressions

19-17

interface IP address

4-8, 5-20

interface system

4-5, 4-11, 5-25 4-5

E
Easy VPN client Xauth
28-64 28-65

statistics
9-1

40-4

Easy VPN, advanced properties Easy VPN client


9-3 28-63 28-63 8-7

DHCP Relay - Add/Edit DHCP Server dialog box


9-3

Easy VPN Remote ECMP


14-29

echo reply, ICMP message

restrictions description fields


9-2

Edit DHCP Relay Agent Settings dialog box description fields


9-3 9-3 9-3 9-6 9-3

9-2

DHCP Relay panel


9-1

prerequisites
9-2 9-1 9-4

prerequisites restrictions description fields


9-4

restrictions description fields


9-6

Edit DHCP Server dialog box


9-6

DHCP Server panel


9-4

Edit OSPF Interface Authentication dialog box


9-1 21-14

14-11

DHCP services

description fields
14-11

14-11

DiffServ, traffic match criteria

ASDM User Guide OL-10106-01

IN-5

Index

Edit OSPF Interface Properties dialog box fields


14-13

14-13

in multiple context mode interface


14-3 4-6 4-3

12-26

Edit OSPF Process Advanced Properties dialog box description fields


14-3 15-9 14-3

system key

12-15, 12-27 39-4 39-4

make active make standby monitoring


15-9

Edit PIM Protocol dialog box description fields


15-9

39-1 12-20

monitoring interfaces reload standby


30-7 28-61 39-4

e-mail proxy and WebVPN enrolling certificate ESMTP application inspection, enabling established command security level requirements Ethernet MTU
4-9, 5-22 21-14 4-2, 5-17 21-15 33-2

reset

39-4, 39-8 12-3 12-27

Enable IPSec authenticated inbound sessions

stateful stateless status about adding editing reset filtering

Stateful Failover
12-3 39-1

failover groups
12-29 12-30 12-30 39-8

monitoring
39-10 33-16

expedited forwarding (EF), traffic match criteria exporting a certificate extended ACL
28-12 20-5 28-6

benefits of rules
20-8

20-5

external filtering server

External Group Policy, add or edit

security level requirements servers supported


20-1

4-1, 5-17

F
factory default configuration failover about virtual MAC addresses criteria
12-20, 12-28 12-18, 12-19 12-22 12-21 2-1

URLs

20-1 28-35

filtering, Content Filtering tab Filtering panel benefits fields


14-8 14-8 14-8

description
14-9

defining standby IP addresses defining virtual MAC addresses enable


12-26 12-15

restrictions fingerprint certificate firewall mode

14-9

33-2 28-26

enabling Active/Standby enabling LAN-based

firewall, client, configuring settings configuring overview viewing


1-23 2-5 16-1

12-16 12-27

enabling LAN-based failover enabling Stateful Failover graphs


39-4
ASDM User Guide

12-16

IN-6

OL-10106-01

Index

firewall server, Zone Labs Flash memory, amount fragmentation policy, IPSec Fragment Edit panel Fragment panel FTP application inspection enabling viewing
21-15 24-12

28-62

H323 RAS application inspection, enabling


21-16

1-23 27-5 24-8

Hardware Client tab Help button Help menu


1-21

28-28

fragmented ICMP traffic attack


24-10, 24-11

HELP command, denied request


1-19 2-9 28-35

6-55

history metrics Homepage tab HSRP HTTP


16-9

6-32, 6-33, 6-35, 6-36, 6-42, 6-44, 6-45, 6-51, 6-52, 6-57, 6-63, 6-64, 6-65, 6-70, 6-71, 6-77, 6-81, 6-82, 6-85, 6-89, 6-91, 6-92, 6-93, 6-96, 6-98 20-9 28-32

application inspection enabling viewing filtering


21-16 6-69 20-1 20-5 20-9

filtering option

Functions tab, WebVPN

benefits of

G
gateway, default tunnel gateway gateways MGCP application inspection General Client Parameters tab graphs bookmarking printing
40-8 28-58 40-8 40-8 6-87 28-21 28-4

configuring HTTPS

enabling access to ASDM filtering option


20-9

11-6

I
ICMP add group browse
28-7 28-17 21-16

interface monitoring

Group Aliases and URLs, tunnel group Group Policy window add or edit, General tab introduction GTP application inspection enabling viewing
21-15 6-56 28-4 28-19

application inspection, enabling


28-17 8-7

rules for access to ADSM ICMP Error

IPSec tab, add or edit

application inspection, enabling ICMP Group ICMP types selecting IGMP access groups
15-2 8-7, 8-8 28-17

21-16

configuring interface parameters

15-5

H
H225 application inspection, enabling
21-16

group membership interface parameters IGMP panel

15-3 15-4 15-6

static group assignment

ASDM User Guide OL-10106-01

IN-7

Index

IGMP overview
15-1 26-4

IP address

8-1 4-8, 5-20 4-6, 5-18

configuration configuring interface DHCP


21-16 33-3 33-17 8-8, 8-9 8-8, 8-9 1-23

IKE Policy panel, VPN wizard IKE tunnels, amount ILS

4-8, 5-20 8-1

application inspection, enabling import certificate panel importing a certificate

management, transparent firewall IP audit enabling monitoring signatures statistics IP audit


24-3 43-8 24-5

information reply, ICMP message information request, ICMP message installing a certificate interface add system system duplex system edit system failover system IP address DHCP MTU name speed
4-8, 5-20 4-7, 5-20 4-3 4-6 4-3 33-17

signature matches
IP fragment attack
24-6

43-8 21-4, 21-14

IP DiffServ CodePoints, traffic match criteria IP fragment database, defaults IP fragment database, displaying IP fragment database, editing IP impossible packet attack IP precedence traffic match criteria IPS IP audit IPSec Cisco VPN Client
27-13 27-5 24-3 21-5, 21-14 24-6 24-7 24-12 24-10, 24-11

configuring
4-2 4-5, 4-11, 5-25 4-5

24-13

IP overlapping fragments attack

failover link
4-3

management only
4-9, 5-22 4-8, 5-20

fragmentation policy

security level
4-5, 4-11 4-5 4-6

4-8, 5-20

IPSec Encryption and Authentication panel, VPN wizard 26-5 IPSec tab internal group policy IPSec LAN-to-LAN tunnel group
28-49 1-23 28-19 28-53

system state link status

1-24 4-8

subinterface, adding throughput Interface panel interfaces enabled status monitoring


1-24 14-10

IPSec tunnels, amount IP teardrop attack


24-7

J
4-2, 4-3, 4-4, 4-6, 4-7 40-6
ASDM User Guide

Java

IN-8

OL-10106-01

Index

applet filtering benefits of configuring Join Group panel description fields


15-3 15-3 20-5 20-9 15-3

built-in-switch monitoring overview static entry managing


40-5

23-5 23-6

learning, disabling
16-12, 23-5 23-6

management traffic certificates


33-5

4-7, 5-20

K
key pair panel key-pair name size type usage key pairs adding
33-4 33-4 33-4 33-4 33-4 33-5 33-4

man-in-the-middle attack mask reply, ICMP message

23-2 8-8, 8-9 8-8, 8-9

mask request, ICMP message maximum sessions, IPSec memory, amount Flash menus MGCP application inspection configuring enabling
24-8 6-87 1-23 1-23

28-61

memory usage
1-4

showing details

L
large ICMP traffic attack Layer 2 firewall See transparent firewall license login FTP LSA about Type 1 about Type 2 about Type 3 about Type 4 about Type 5 about Type 7
41-1 41-2 41-3 41-3 41-4 41-5 19-5 1-23 26-6

21-16 6-84 28-21

viewing

Microsoft client parameters, configuring Microsoft Client Parameters tab mode context firewall model
1-23 7-9 2-5 28-24

mobile redirection, ICMP message

8-8, 8-9

Local Hosts and Networks panel, VPN wizard

monitoring ARP table CSC CPU


40-1 38-4 38-5 38-2 38-3

CSC memory

CSC security events CSC software updates CSC threats DHCP


38-1

M
MAC address table
23-4

interface lease IP addresses server


40-2

40-2 40-2

ASDM User Guide OL-10106-01

IN-9

Index

statistics failover

40-4

O
39-8 2-9

39-1, 39-5

failover groups history metrics interfaces routes


40-6

Options menu OSPF about


40-5 14-1

1-7

MAC address table


41-7

adding an LSA filter authentication settings authentication support

14-9 14-10 14-1 14-11 14-18 14-13

monitoring interfaces MRoute panel description fields MTU


15-7 4-9, 5-22 15-8 15-7

12-20

configuring authentication defining a static neighbor interaction with NAT interface properties LSA filtering LSAs
15-8 14-2 41-1 41-1 41-5 14-15 14-8

defining interface properties

14-1, 14-2 14-10, 14-12

Multicast panel description fields


15-1 15-1

Multicast Route panel multicast traffic


16-9

LSA types

monitoring LSAs
7-9

multiple mode, enabling

neighbor states static neighbor summary address virtual links


28-31

route redistribution

14-17 14-18

N
N2H2 filtering server name resolution NAT application inspection
6-30 14-34 9-9 20-5

14-20

NAC tab (Network Admission Control)

OSPF area defining


14-5 41-5

OSPF Neighbors panel description fields


41-5 41-5

disabling proxy ARP for global addresses security level requirements transparent firewall NETBIOS application inspection, enabling NetBIOS server add/edit tab
28-57 28-58 21-16 16-11 4-2, 5-17

OSPF parameters dead interval hello interval transmit delay about


14-7 14-8 28-38 30-7 14-14 14-14 14-14

retransmit interval

14-14

OSPF route summarization defining

Network Address Translation See NAT New Authentication Server Group panel, VPN wizard 26-10 new features
1-2

Other tab, WebVPN

Outlook Web Access (OWA) and WebVPN oversubscribing resources


7-11

ASDM User Guide

IN-10

OL-10106-01

Index

P
packet classifier packet flow routed firewall
16-3 1-11 8-8, 8-9 7-2 16-12

Protocol Group, add description fields


15-4 15-4

28-19 15-4

Protocol panel (IGMP)

flow, transparent firewall

Protocol panel (PIM) description fields


15-9 15-9

15-9

packet trace, enabling password WebVPN PIM interface parameters overview


15-8 30-1

proxied RPC request attack proxy ARP, disabling proxy bypass


6-58, 6-60 29-19 14-34

24-9

parameter problem, ICMP message

PDP context, GTP application inspection


15-9

Q
QoS traffic match criteria
21-4, 21-14

register message filter rendezvous points ping of death attack platform model Port Forwarding
1-23

15-12

15-10 15-14

shortest path tree settings


24-8

R
RADIUS downloadable access lists
30-6 19-13 19-13

network access authorization RAM, amount memory, amount


28-37 28-37 28-32 28-36

configuring client applications Port forwarding port forwarding entry port forwarding list pppoe_client PPTP application inspection, enabling printing graphs
40-8 14-3 40-9 28-51

RAM

1-23 28-10

recurring time range, add or edit redirect, ICMP message Redistribution panel description fields
21-16 14-15 14-15 8-7, 8-9 14-15

Posture Validation Exception, add/edit PPP tab, tunnel-group

Remote Access Client panel, VPN wizard Remote Site Peer panel, VPN wizard Rendezvous Points panel description fields
15-10 15-12 15-10 15-10 26-3

26-8

Process Instances tab description fields


14-3 14-12 14-12 14-3

Request Filter panel description fields reset


21-12 15-13 15-13

Properties tab description fields


14-12

Protocol and Service group box

ASDM User Guide OL-10106-01

IN-11

Index

inbound connections outside connections Reset button configuring default class overview unlimited RIP authentication definition of support for RIP panel fields
14-23 14-23 14-22 14-22 14-22 14-22 1-21

24-14 24-14

RTSP application inspection, enabling rules filtering ICMP


20-5 8-7 21-1 21-16

resource management
7-10 7-12 7-11

service policy

oversubscribing
7-11 7-11

S
29-12

rewrite, disabling

same security level supported


20-1

4-5, 5-18

Secure Computing SmartFilter filtering server URL for website Secure Copy panel description fields
14-23 6-55 6-55 8-13 8-13 8-13 20-1 8-13

limitations

limitations description fields


11-7

RIP Version 2 Notes

Secure Shell panel


11-7

RNFR command, denied request RNTO command, denied request routed mode setting
2-5

security contexts admin context


8-7, 8-8, 8-9

router advertisement, ICMP message router solicitation, ICMP message Routes panel description fields about fields
41-7 41-7

overview cascading classifier files

7-1 7-7 7-2

8-8, 8-9

configuration
7-2 7-8 7-9 14-7

38-4, 41-7

Route Summarization tab


14-7 14-7 15-14

logging in

multiple mode, enabling nesting or cascading overview


7-1 15-14 7-8

Route Tree panel description fields RPC


15-14

resource management unsupported features security level


21-16

7-11 7-2

application inspection, enabling RSH application inspection, enabling RTP range in traffic match criteria
ASDM User Guide

configuration overview same


4-5, 5-18

4-8, 5-20

4-1, 5-16

21-16

segment size
21-4, 21-13

maximum and minimum

24-14

IN-12

OL-10106-01

Index

Server and URL List add/edit


28-39

configuration CSC SSM


36-3 28-25

Server or URL dialog box Setup panel about signatures attack and informational single mode backing up configuration configuration enabling restoring SIP application inspection, enabling SITE command, denied request Skinny application inspection, enabling SNMP application inspection enabling viewing software license version
1-23 1-23 28-15 21-16 6-103 21-16 21-16 6-55 7-9 7-10 7-9 7-9 24-5 14-2 28-39 21-1

Standard Access List Rule, add/edit Standard ACL tab


28-11 7-2 24-10 6-30

service policy rules


14-2

startup configuration

statd buffer overflow attack stateful application inspection Stateful Failover enabling settings interface system
12-16 12-3

Logical Updates Statistics


12-27

39-7, 39-9

stateful failover
4-6 4-3 12-3 15-6

stateless failover Static Group panel description fields


15-6

15-6

Static Neighbor panel description fields about floating status bar


14-17 14-17

14-17

static routes
14-29 14-29 1-21

stealth firewall See transparent firewall STOU command, denied request subinterface
8-9 8-7 6-55 28-15 21-12

source address, browse source port, browse Source Port group box

source quench, ICMP message source-quench, ICMP message speed interface system SQLNET
4-5, 4-11 4-5 24-13

add system adding edit system


4-3 33-1 14-18 4-3 4-8

spoofing, preventing

subordinate certificate Summary Address panel


21-16

application inspection, enabling SSL VPN Client SSM


28-39

description fields
14-18

14-18

Summary panel, VPN wizard

26-7
ASDM User Guide

OL-10106-01

IN-13

Index

Sun Microsystems Java Runtime Environment (JRE) and WebVPN 29-16, 30-6 SVC system interface add edit speed
4-3 4-5 28-39 23-5

traffic flow routed firewall


16-3 16-12 21-1

transparent firewall traffic match criteria traffic usage data flow guidelines HSRP
4-3 16-9 1-24

switch MAC address table

transparent firewall
16-12 16-10

duples
4-3

failover link
4-5

MAC address table learning, disabling


4-2 23-6

interface configuration system configuration network settings overview


7-1 7-2

overview static entry

23-5 23-6 8-1

management IP address multicast traffic NAT


16-11 16-9 16-9

T
TCP application inspection maximum segment size TIME_WAIT state TCP FIN only flags attack TCP NULL flags attack TCP Service Group, add TFTP application inspection, enabling TIME_WAIT state time range add or edit browse recurring
28-9 28-9 28-10 8-8, 8-9 8-8, 8-9 24-14 8-7, 8-8, 8-9 21-17 6-30 21-4, 21-13

overview VRRP

16-9

transparent mode guidelines overview trustpoint


24-9 24-8 28-16 24-8 16-10 16-8 16-11

destination port in traffic match criteria


24-14 24-14

unsupported features definition


33-7

trustpoint configuration panel advanced options


33-15 33-7 33-9 33-13 33-12

33-7

TCP SYN+FIN flags attack

CA certificate subject certificate parameters CRL retrieval method CRL retrieval policy editing DN request CRL
33-10

time exceeded, ICMP message

device certificate subject enrollment settings


33-7 33-7 33-8

33-7

trustpoint name

timestamp reply, ICMP message timestamp request, ICMP message Tools menu
1-9 1-9, 1-14

trustpoint export panel trustpoint import panel Tunneled Management tunnel gateway, default

33-16 33-17 28-65 28-4

traceroute, enabling

ASDM User Guide

IN-14

OL-10106-01

Index

tunnel group introduction


28-43 21-4 28-56

configuring URLs filtering


20-1

20-9

traffic match criteria Type 1 panel description fields


41-2 41-2 41-2 41-1 41-1

WebVPN Tab, Basic Tab

filtering, configuration username WebVPN


30-1

20-4 26-11

User Accounts panel, VPN wizard

Type 2 panel description fields


41-2

Xauth for Easy VPN client

28-64

Type 3 panel description fields


41-3

41-3 41-3

V
version ASDM
1-23 1-23 28-22

Type 4 panel description fields


41-3

41-3 41-3

platform software View/Config Banner virtual firewalls

Type 5 panel description fields


41-4

41-4 41-4

See security contexts Virtual Link panel description


14-20 14-20

Type 7 panel description fields


41-5

41-4 41-5

fields

14-20

virtual MAC address defining for Active/Active failover virtual MAC addresses about
12-21, 12-33 12-32 12-32

U
UDP application inspection bomb attack
24-9 24-9 21-4, 21-13 6-30

defaults for Active/Active failover defining


12-22

defining for Active/Standby failover virtual private network overview VPN overview
24-13 26-1, 26-2 28-61 27-13 26-2

12-34

chargen DoS attack snork attack


24-9

destination port in traffic match criteria Unicast Reverse Path Forwarding unreachable messages ICMP type uptime URL filtering benefits of
20-5 1-23 8-7, 8-9 8-7

system options

VPN Client, IPSec attributes VPN wizard


26-1 26-12

VPN Tunnel Type panel, VPN wizard Address Pool panel

26-2

required for MTU discovery

Address Translation Exemption panel Attributes Pushed to Client panel Client Authentication panel
26-10

26-13

26-12

ASDM User Guide OL-10106-01

IN-15

Index

IKE Policy panel

26-4 26-5

WebVPN tab Functions tab Other tab Wizards menu


28-32 26-8 28-38 1-19

IPSec Encryption and AUthentication panel Remote Access Client panel Remote Site Peer panel Summary panel
26-7 26-11 26-2 26-3

User Accounts panel VPNwizard

VPN Tunnel Type panel

X
Xauth, Easy VPN client
26-6 26-10 28-64

Local Hosts and Networks panel VRRP


16-9

XDMCP application inspection, enabling


21-17

New Authentication Server Group panel

Z W
Zone Labs Integrity Server web browsing with WebVPN Web Page (tunnel-group) tab Websense filtering server WebVPN client application requirements client requirements
30-2 30-5 30-5 30-6 30-6 30-2 30-4 28-60 28-62

20-1, 20-5

for file management for network browsing for port forwarding for using applications for web browsing start-up
30-3 30-6

30-4

enable cookies for end user set-up printing and


30-3

30-1

remote system configuration and end-user requirements 30-3 security tips


30-2 30-2

supported applications supported browsers URL


30-3

30-3 30-3

supported types of Internet connections username and password required usernames and passwords use suggestions
30-1, 30-2 30-1 30-3

ASDM User Guide

IN-16

OL-10106-01

You might also like