User Guide for Cisco Security Manager 3.2.1
PIX/ASA/FWSM Platform User Interface Reference
Downloads: This chapterpdf (PDF - 1.98MB) The complete bookPDF (PDF - 44.35MB) | Feedback

PIX/ASA/FWSM Platform User Interface Reference

Table Of Contents

PIX/ASA/FWSM Platform User Interface Reference

NAT Policies

Address Pools Page

Address Pool Dialog Box

Translation Options Page

Translation Rules Page

Translation Exemptions (NAT 0 ACL) Tab

Dynamic Rules Tab

Policy Dynamic Rules Tab

Static Rules Tab

General Tab

Advanced NAT Options Dialog Box

Interfaces Page

Add/Edit Interface Dialog Box

Add/Edit Interface Dialog Box (PIX 7.0/ASA)

Add/Edit Interface Dialog Box (ASA 5505)

Add/Edit Interface Dialog Box (PIX 6.3)

Advanced Interface Settings Dialog Box

Add VPND Group Dialog Box

PPPoE Users Dialog Box

FWSM Interfaces Page

FWSM Add/Edit Interface Dialog Box

Add/Edit Bridge Group Dialog Box

ASA 5505 Ports and Interfaces Page

Configure Hardware Ports Dialog Box

Bridging

ARP Table Page

Add/Edit ARP Configuration Dialog Box

ARP Inspection Page

Add/Edit ARP Inspection Dialog Box

MAC Address Table Page

Add/Edit MAC Table Entry Dialog Box

MAC Learning Page

Add/Edit MAC Learning Dialog Box

Management IP Page

AAA Page

Authentication Tab

Authorization Tab

Accounting Tab

Banner Page

Boot Image/Configuration Page

Images Dialog Box

Clock Page

Credentials Page

CPU Threshold Page

Device Access

Console Page

HTTP Page

HTTP Configuration Dialog Box

ICMP Page

Add and Edit ICMP Dialog Boxes

Management Access Page

Secure Shell Page

Add and Edit SSH Host Dialog Boxes

SNMP Page

SNMP Trap Configuration Dialog Box

Add SNMP Host Access Entry Dialog Box

Telnet Page

Telnet Configuration Dialog Box

Failover Policies

Failover Page (PIX 6.x)

Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Failover Page (FWSM)

Advanced Settings Dialog Box

Edit Failover Interface Configuration Dialog Box (FWSM)

Failover Page (ASA/PIX 7.x)

Settings Dialog Box

Add Failover Group Dialog Box

Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Add Interface MAC Address Dialog Box

Bootstrap Configuration for LAN Failover Dialog Box

Hostname Page

Resources Page

Add/Edit Resource Dialog Box

Server Access

AUS Page

Add and Edit Auto Update Server Dialog Boxes

DHCP Relay Page

Add and Edit DHCP Relay Agent Configuration Dialog Boxes

Add and Edit DHCP Relay Server Configuration Dialog Boxes

DHCP Server Page

Add/Edit DHCP Server Interface Configuration Dialog Boxes

Add/Edit DHCP Server Advanced Configuration Dialog Box

DNS Page

Add DNS Server Group Dialog Box

Add DNS Server Dialog Box

Edit Interfaces Dialog Box

DDNS Page

Add/Edit DDNS Interface Rule Dialog Box

NTP Page

NTP Server Configuration Dialog Box

SMTP Server Page

TFTP Server Page

User Accounts Page

Add/Edit User Account Dialog Box

Logging Policies

NetFlow Page

Add and Edit Collector Dialog Boxes (NetFlow)

E-Mail Setup Page

Add/Edit Email Recipient Dialog Box

Event Lists Page

Message Classes and Associated Message ID Numbers

Add/Edit Event List Dialog Box

Logging Filters Page

Edit Logging Filters Dialog Box

Logging Setup Page

Rate Limit Page

Add/Edit Rate Limit for Syslog Logging Levels Dialog Box

Add/Edit Rate Limited Syslog Message Dialog Box

Server Setup Page

Logging Levels

Add/Edit Syslog Message Dialog Box

Syslog Servers Page

Add/Edit Syslog Server Dialog Box

Multicast Policies

Enable Multicast Routing Page

IGMP Page

Protocol Tab

Configure IGMP Parameters Dialog Box

Access Group Tab

Configure IGMP Access Group Parameters Dialog Box

Static Group Tab

Configure IGMP Static Group Parameters Dialog Box

Join Group Tab

Configure IGMP Join Group Parameters Dialog Box

Multicast Routing Page

Add/Edit MRoute Configuration Dialog Box

Multicast Boundary Filter Page

Add/Edit MBoundary Configuration Dialog Box

PIM Page

Protocol Tab

Add/Edit PIM Protocol Dialog Box

Neighbor Filter Tab

Bidirectional Neighbor Filter Tab

Rendezvous Points Tab

Add/Edit Rendezvous Point Dialog Box

Add/Edit Multicast Groups Dialog Box

Route Tree Tab

Multicast Group Dialog Box

Request Filter Tab

Multicast Group Dialog Box

Routing Policies

No Proxy ARP Page

Edit Interfaces Dialog Box

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

RIP Page

RIP Page for PIX/ASA 6.3-7.1 and FWSM

RIP Page for PIX/ASA 7.2 and Later

Static Route Page

Add/Edit Static Route Dialog Box

Security Policies

General Page

Add/Edit General Security Configuration Dialog Box

Timeouts Page

Service Policy Rules

Priority Queues Page

Priority Queue Configuration Dialog Box

IPS, QoS, and Connection Rules Page

Insert/Edit Service Policy (MPC) Rule Wizard

Interfaces Selector Dialog Boxes

User Preferences

Deployment Page

Security Contexts Page

Add/Edit Security Context Dialog Box (FWSM)

Add/Edit Security Context Dialog Box (PIX/ASA)

Allocate Interfaces Dialog Box

View Interface Allocation Dialog Box


PIX/ASA/FWSM Platform User Interface Reference


The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs).

These topics are organized in the order in which they appear in Device view. All of these elements may not apply to the currently selected device, according to its operating mode and configuration.

NAT Policies

Address Pools Page

Translation Options Page

Translation Rules Page

Translation Exemptions (NAT 0 ACL) Tab

Dynamic Rules Tab

Policy Dynamic Rules Tab

Static Rules Tab

General Tab

Interfaces

Interfaces Page

FWSM Interfaces Page

ASA 5505 Ports and Interfaces Page

Platform

Bridging

ARP Table Page

ARP Inspection Page

MAC Address Table Page

MAC Learning Page

Management IP Page

Device Admin

AAA Page

Authentication Tab

Authorization Tab

Accounting Tab

Banner Page

Boot Image/Configuration Page

Clock Page

Credentials Page

CPU Threshold Page

Device Access

Console Page

HTTP Page

ICMP Page

Management Access Page

Secure Shell Page

SNMP Page

Telnet Page

Failover Policies

Hostname Page

Resources Page

Server Access

AUS Page

DHCP Relay Page

DHCP Server Page

DNS Page

DDNS Page

NTP Page

SMTP Server Page

TFTP Server Page

User Accounts Page

Logging Policies

NetFlow Page

Syslog

E-Mail Setup Page

Event Lists Page

Logging Filters Page

Logging Setup Page

Rate Limit Page

Server Setup Page

Syslog Servers Page

Multicast Policies

Enable Multicast Routing Page

IGMP Page

Protocol Tab

Access Group Tab

Static Group Tab

Join Group Tab

Multicast Routing Page

Multicast Boundary Filter Page

PIM Page

Protocol Tab

Neighbor Filter Tab

Bidirectional Neighbor Filter Tab

Rendezvous Points Tab

Route Tree Tab

Request Filter Tab

Routing Policies

No Proxy ARP Page

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

RIP Page

Static Route Page

Security Policies

General Page

Timeouts Page

Service Policy Rules

Priority Queues Page

IPS, QoS, and Connection Rules Page

User Preferences

Deployment Page

Security Contexts Page

NAT Policies

The NAT section consists of the following pages:

Address Pools Page

Translation Options Page

Translation Rules Page

Translation Exemptions (NAT 0 ACL) Tab

Dynamic Rules Tab

Policy Dynamic Rules Tab

Static Rules Tab

General Tab

Address Pools Page

Use the Address Pools page to view and manage the global address pools used in dynamic NAT rules.

Navigation Path

(Device view) Select NAT > Address Pools from the Device Policy selector.

(Policy view) Select NAT (PIX/ASA/FWSM) > Address Pools from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Address Pools to create a new policy.

Related Topics

NAT Policies

Address Pool Dialog Box

Field Reference

Table K-1 Address Pools Page 

Element
Description
Global Address Pools table

Interface

The name of the device interface to which the address pool applies.

ID

The identification number of the address pool.

IP Address(es)

The IP addresses assigned to the pool.

Description

The description assigned to the address pool.

Add button

Opens the Address Pool Dialog Box so you can define a new address pool for a specific interface.

Edit button

Opens the Address Pool Dialog Box so you can edit the selected address pool.

Delete button

Deletes the selected entry in the Global Address Pools table. A confirmation dialog box may appear; click OK to delete the entry.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Address Pool Dialog Box

Use the Address Pool dialog box to add or edit a global address pool for use in dynamic NAT rules.

Navigation Path

You open the Address Pool dialog box by clicking the Add Row or Edit Row buttons on the Address Pools Page.

Related Topics

NAT Policies

Address Pools Page

Field Reference

Table K-2 Address Pools Dialog Box 

Element
Description

Interface Name

Enter or Select the name of the device interface on which the mapped IP addresses will be used.

Pool ID

Enter a unique identification number for this address pool, an integer between 1 and 2147483647. When configuring a dynamic NAT rule, you select a Pool ID to specify the pool of addresses to be used for translation.

IP address ranges

Enter or Select the addresses to be assigned to this address pool. You can specify these addresses as follows:

Address range for dynamic NAT (e.g., 192.168.1.1-192.168.1.15)

Subnetwork (e.g., 192.168.1.0/24)

List of addresses separated by commas (e.g., 192.168.1.1, 192.168.1.2, 192.168.1.3)

Single address to use for PAT (192.168.1.1)

Combinations of the above (192.168.1.1-192.168.1.15, 192.168.1.25)

Names of hosts on the connected network; these will be resolved to IP addresses.

Description

Enter a description for the address pool.

Enable Interface PAT

When checked, port address translation is enabled on the specified interface.


Translation Options Page

Use the Translation Options page to set options that affect network address translation for the selected security appliance. These settings apply to all interfaces on the device.

Navigation Path

(Device view) Select NAT > Translation Options from the Device Policy selector.

(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Options to create a new policy.

Related Topics

NAT Policies

Configuring Translation Options, page 15-18

Field Reference

Table K-3 Translation Options Page 

Element
Description

Enable traffic through the firewall without address translation

When selected, lets traffic pass through the security appliance without address translation. If this option is not selected, any traffic that does not match a translation rule will be dropped.

Note This option is available only on PIX 7.x, FWSM 3.x, and ASA devices.

Enable xlate bypass

When selected, NAT sessions for untranslated traffic are disabled (this feature is called "xlate bypass"). See Configuring Translation Options, page 15-18 for more information.

Note This option is available only on FWSM 3.2 and higher.

Do not translate VPN traffic

When selected, lets VPN traffic pass through the security appliance without address translation.


Translation Rules Page

Use the Translation Rules page to define address translation rules on the selected device. The Translation Rules page consists of the following tabs:

Translation Exemptions (NAT 0 ACL) Tab

Dynamic Rules Tab

Policy Dynamic Rules Tab

Static Rules Tab

General Tab

Navigation Path

(Device view) Select NAT > Translation Rules from the Device Policy selector.

(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create a new policy.

Translation Exemptions (NAT 0 ACL) Tab

Use the Translation Exemptions (NAT 0 ACL) tab of the Translation Rules page to view and specify traffic that is exempt from address translation.


Note Translation exemptions are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.


Navigation Path

You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.

Related Topics

NAT Policies

Translation Rules Page

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box

Advanced NAT Options Dialog Box

General Tab

Field Reference


Note The following table describes standard Translation Exemption elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.


Table K-4 Translation Exemptions (NAT 0 ACL) Tab 

Element
Description

Filter

Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Exemptions Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.

Translation Exemptions (NAT 0 ACL) Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box for information about enabling and disabling these rules.)

No.

Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Action

Indicates whether the rule is exempt or not exempt from NAT.

Original Interface

The ID of the device interface to which the rule is applied.

Original Address

The object names or IP addresses of the source hosts and networks to which the rule applies.

Destination

The object names or IP addresses of the destination hosts and networks to which the rule applies.

Direction

The traffic direction (Inbound or Outbound) to which the rule is applied.

Category

The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

The description of the rule, if provided.

Find/Replace button

Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Translation Exemptions Rules table. See Find and Replace Page, page I-128 for more information about using this feature.

Up Row

Moves the selected entry one row higher in the table.

Down Row

Moves the selected entry one row lower in the table.

Add Row

Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box; lets you define a new translation exemption rule.

Edit Row

Opens the Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box; lets you edit the rule currently selected in the Translation Exemptions Rules table.

Delete Row

Deletes the selected entry from the Translation Exemptions Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box

Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to define and edit translation exemption rules.

Navigation Path

You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation Exemptions (NAT 0 ACL) tab. See Translation Exemptions (NAT 0 ACL) Tab for more information.

Related Topics

NAT Policies

Translation Rules Page

Translation Exemptions (NAT 0 ACL) Tab

Advanced NAT Options Dialog Box

Field Reference

Table K-5 Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box 

Element
Description

Enable Rule

If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Action

Select the action for this rule:

exempt - The rule identifies traffic that is exempt from NAT.

do not exempt - The rule identifies traffic that is not exempt from NAT.

Original: Interface

Enter the name of (or Select) the device interface to which the rule applies.

Original: Sources

Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Translated: Direction

The rule can be applied to Inbound or Outbound traffic, as specified with this option.

Traffic flow: Destinations

Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Category

To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

Enter a description of the rule.

Advanced button (FWSM only)

Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.


Dynamic Rules Tab

Use the Dynamic Rules tab of the Translation Rules page to view and configure dynamic NAT and PAT rules.


Note Dynamic translation rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.


Navigation Path

You can access the Dynamic Rules tab from the Translation Rules page. For more information about the Translation Rules page, see Translation Rules Page.

Related Topics

NAT Policies

Add/Edit Dynamic Translation Rule Dialog Box

Advanced NAT Options Dialog Box

Select Address Pool Dialog Box

General Tab

Field Reference


Note The following table describes standard Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.


Table K-6 Dynamic Rules Tab 

Element
Description

Filter

Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.

Dynamic Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box for information about enabling and disabling these rules.)

No.

Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Original Interface

The ID of the device interface to which the rule is applied.

Original Address

The object names or IP addresses of the source hosts and networks to which the rule applies.

Translated Pool

The ID number of the pool of addresses used for translation.

Direction

The traffic direction (Inbound or Outbound) to which the rule is applied.

Category

The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

The description of the rule, if provided.

Find/Replace button

Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Dynamic Rules table. See Find and Replace Page, page I-128 for more information about using this feature.

Up Row

Moves the selected entry one row higher in the table.

Down Row

Moves the selected entry one row lower in the table.

Add Row

Opens the Add/Edit Dynamic Translation Rule Dialog Box; lets you define a new dynamic translation rule.

Edit Row

Opens the Add/Edit Dynamic Translation Rule Dialog Box; lets you edit the rule currently selected in the Dynamic Rules table.

Delete Row

Deletes the selected entry from the Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Dynamic Translation Rule Dialog Box

Use the Add/Edit Dynamic Translation Rule dialog box to define and edit dynamic NAT and PAT rules.

Navigation Path

You can access the Add/Edit Dynamic Translation Rule dialog box from the Dynamic Rules tab. See Dynamic Rules Tab for more information.

Related Topics

NAT Policies

Translation Rules Page

Dynamic Rules Tab

Advanced NAT Options Dialog Box

Select Address Pool Dialog Box

Field Reference

Table K-7 Add/Edit Dynamic Translation Rule Dialog Box 

Element
Description

Enable Rule

If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Original: Interface

Enter the name or Select the device interface to which the rule applies.

Original: Address

Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Translated: Pool

Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box.

Enter a value of zero to specify this as an identity NAT rule.

Translated: Direction

The rule can be applied to Inbound or Outbound traffic, as specified with this option.

Category

To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

Enter a description for the rule.

Advanced button

Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.


Select Address Pool Dialog Box

The Select Address Pool dialog box presents a list of global address pools; these pools are defined and managed via the Address Pools Page. Use this dialog box to select an address pool for use by a dynamic translation rule, or a policy dynamic translation rule.

Navigation Path

You can access the Select Address Pool dialog box from the Add/Edit Dynamic Translation Rule Dialog Box when adding or editing a dynamic translation rule, or from the Add/Edit Policy Dynamic Rules Dialog Box when adding or editing a policy dynamic translation rule.

Related Topics

NAT Policies

Translation Rules Page

Address Pools Page

Field Reference

Table K-8 Select Address Pool Dialog Box 

Element
Description

Pool ID

The identification number of the address pool.

Interface

The name of the device interface to which the address pool applies.

IP Address Ranges

The IP addresses assigned to the pool; "interface" in this list indicates PAT is enabled on the specified Interface.

Description

The description provided for the address pool.

Selected Row

This field identifies the pool currently selected in the list. When you click OK to close the dialog box, this pool is assigned to the translation rule.


Policy Dynamic Rules Tab

Use the Policy Dynamic Rules tab of the Translation Rules page to view and configure dynamic translation rules based on source and destination addresses and services.


Note Policy dynamic rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.


Navigation Path

You can access the Policy Dynamic Rules tab from the Translation Rules page. See Translation Rules Page for more information.

Related Topics

NAT Policies

Add/Edit Policy Dynamic Rules Dialog Box

Advanced NAT Options Dialog Box

Select Address Pool Dialog Box

General Tab

Field Reference


Note The following table describes standard Policy Dynamic Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.


Table K-9 Policy Dynamic Rules Tab 

Element
Description

Filter

Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Policy Dynamic Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.

Policy Dynamic Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Policy Dynamic Rules Dialog Box for information about enabling and disabling these rules.)

No.

Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Original Interface

The ID of the device interface to which the rule is applied.

Original Address

The object names or IP addresses of the source hosts and networks to which the rule applies.

Translated Pool

The ID number of the pool of addresses used for translation.

Destination

The object names and IP addresses of the destination hosts and networks to which the rule applies.

Service

The services to which the rule applies.

Direction

The traffic direction (Inbound or Outbound) to which the rule is applied.

Category

The category to which the rule is assigned. Categories can help identify rules and objects using labels and color-coding.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the category attribute.

Description

The description of the rule, if provided.

Find/Replace button

Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Policy Dynamic Rules table. See Find and Replace Page, page I-128 for more information about using this feature.

Up Row

Moves the selected entry one row higher in the table.

Down Row

Moves the selected entry one row lower in the table.

Add Row

Opens the Add/Edit Policy Dynamic Rules Dialog Box; lets you define a new policy dynamic translation rule.

Edit Row

Opens the Add/Edit Policy Dynamic Rules Dialog Box; lets you edit the rule currently selected in the Policy Dynamic Rules table.

Delete Row

Deletes the selected entry from the Policy Dynamic Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Policy Dynamic Rules Dialog Box

Use the Add/Edit Policy Dynamic Rules dialog box to define and edit dynamic translation rules based on source and destination addresses and services.

Navigation Path

You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. See Policy Dynamic Rules Tab for more information.

Related Topics

NAT Policies

Translation Rules Page

Policy Dynamic Rules Tab

Advanced NAT Options Dialog Box

Select Address Pool Dialog Box

Field Reference

Table K-10 Add/Edit Policy Dynamic Rules Dialog Box 

Element
Description

Enable Rule

If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Original: Interface

Enter the name of (or Select) the device interface to which the rule applies.

Original: Address

Enter IP addresses for (or Select) the source hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Translated: Pool

Enter (or Select) the ID number of the pool of addresses used for translation; clicking Select opens the Select Address Pool Dialog Box.

Enter a value of zero to specify this as an identity NAT rule.

Translated: Direction

The rule can be applied to Inbound or Outbound traffic, as specified with this option.

Traffic flow: Destinations

Enter IP addresses for (or Select) the destination hosts and network objects to which the rule applies. Multiple entries must be separated by commas.

Traffic flow: Services

Enter (or Select) the services to which the rule applies. Multiple entries must be separated by commas.

Category

To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

Enter a description of the rule.

Advanced button

Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.


Static Rules Tab

Use the Static Rules tab of the Translation Rules page to view and configure static translation rules for a security appliance or shared policy.


Caution The order of Static NAT rules on a security device is important, and Security Manager preserves this ordering during deployment. However, security appliances do not support in-line editing of Static NAT rules. This means that if you move, edit, or insert a rule anywhere above the end of the list, Security Manager will remove from the device all Static NAT rules that follow the new or modified rule, and then re-send the updated list from that point. Depending on the length of the list, this can require substantial overhead, and may result in traffic interruption. Whenever possible, add any new Static NAT rules to the end of the list.

Navigation Path

You can access the Static Rules tab from the Translation Rules page. See Translation Rules Page for more information.

Related Topics

NAT Policies

Add/Edit Static Rule Dialog Box

Advanced NAT Options Dialog Box

General Tab

Field Reference


Note The following table describes standard Static Rule elements. Additional columns for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any column heading. (All columns are displayed by default on the General Tab.) Refer to Table Columns and Column Heading Features, page 3-18 for more information about showing and hiding specific columns.


Table K-11 Static Rules Tab 

Element
Description

Filter

Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Static Rules table. For more information about using the filtering bar, see Filtering Tables, page 3-17.

Static Rules Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Static Rule Dialog Box for information about enabling and disabling these rules.)

No.

Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule, but do not change the rule order unless absolutely necessary.

Original Interface

The ID of the device interface to which the rule is applied.

Original Address

The object names or IP addresses of the source hosts and networks to which the rule applies.

Local Port

The port number supplied by the host or network (for static PAT).

Translated Interface

The interface on which the translated addresses are to be used.

Translated Address

The translated addresses.

Global Port

The port number to which the original port number will be translated (for static PAT).

Destination

The object names and IP addresses of the destination hosts or networks to which the rule applies.

Service

The services to which the rule applies.

Protocol

The protocol to which the rule applies.

Nailed

Whether TCP state tracking and sequence checking is skipped for the connection: true or false. (This value is a product of device discovery; it cannot be changed in Security Manager.)

Category

The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

The description of the rule, if provided.

Find/Replace button

Opens the Find and Replace window; used to locate policy objects, text strings, or IP addresses in the Static Rules table. See Find and Replace Page, page I-128 for more information about using this feature.

Up Row

Moves the selected entry one row higher in the table.

Down Row

Moves the selected entry one row lower in the table.

Add Row

Opens the Add/Edit Static Rule Dialog Box; lets you define a new static rule.

Edit Row

Opens the Add/Edit Static Rule Dialog Box; lets you edit the rule currently selected in the Static Rules table.

Delete Row

Deletes the selected entry from the Static Rules table. A confirmation dialog box may appear; click OK to delete the entry.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Static Rule Dialog Box

Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or shared policy.

Navigation Path

You can access the Add/Edit Static Rule dialog box from the Static Rules tab. See the Static Rules Tab for more information.

Related Topics

NAT Policies

Translation Rules Page

Static Rules Tab

Advanced NAT Options Dialog Box

Field Reference

Table K-12 Add/Edit Static Rule Dialog Box 

Element
Description

Enable Rule

If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.

Translation Type

Select the type of translation for this rule: NAT or PAT.

Original Interface

Enter (or Select) the device interface connected to the host or network with original addresses to be translated.

Original Address

Enter (or Select) the source address to be translated.

Translated Interface

Enter (or Select) the interface on which the translated addresses are to be used.

To specify this as an identity NAT rule, enter the same interface in both this and the Original Interface fields.

Use Interface IP/Use Selected Address

Specify the address used for the Translated Interface: select Use Interface IP (address), or select Use Selected Address and enter an address, or Select a network/host object.

Enable Policy NAT

Select this option to enable Policy NAT for this translation rule.

Dest Address

If Policy NAT is enabled, specify the destination addresses of the hosts or networks to which the rule applies.

Services

If Policy NAT is enabled, specify the services to which the rule applies.

Protocol

If PAT is the selected Translation Type, select the protocol, TCP or UDP, to which the rule applies.

Original Port

If PAT is the selected Translation Type, enter the port number to be translated.

Translated Port

If PAT is the selected Translation Type, enter the port number to which the original port number will be translated.

Category

To assign the rule to a category, choose the category from this list. Categories can help identify rules and objects using labels and color-coding.

To define categories, select Tools > Policy Object Manager > Category. See Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

Enter a description of the rule.

Advanced button

Click to open the Advanced NAT Options Dialog Box to configure advanced settings for this rule.


General Tab

Use the General tab of the Translation Rules page to view all current translation rules. The translation rules are listed in the order that they will be evaluated on the device.


Note The General tab is only visible for PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules and do not need to display summary information.


Navigation Path

You can access the General tab from the Translation Rules page. See Translation Rules Page for more information.

Related Topics

NAT Policies

Translation Exemptions (NAT 0 ACL) Tab

Dynamic Rules Tab

Policy Dynamic Rules Tab

Static Rules Tab

Field Reference

Table K-13 General Tab 

Element
Description

Filter

Click the arrow preceding the Filter label to show or hide the filtering bar, which you can use to filter the information displayed in the Translation Rules Summary table. For more information about using the filtering bar, see Filtering Tables, page 3-17.

Translation Rules Summary Table

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box for information about enabling and disabling these rules.)

No.

Rules are evaluated sequentially in the order listed. This number indicates the rule's position in the ordering of the list.

Type

The type of translation rule; for example, Static, Dynamic, Exemption, etc.

Action

Displays "exempt" if the rule is exempt from NAT.

Original Interface

The ID of the device interface to which the rule is applied.

Original Address

The object names or IP addresses of the source hosts and networks to which the rule applies.

Local Port

The port number supplied by the host or network (for static PAT).

Translated Pool

The ID number of the address pool used for translation.

Translated Interface

The interface on which the translated addresses are to be used.

Translated Address

The translated addresses.

Global Port

The port number to which the original port number will be translated (for static PAT).

Destination

The object names and IP addresses of the destination hosts or networks to which the rule applies.

Protocol

The protocol to which the rule applies.

Service

The services to which the rule applies.

Direction

The traffic direction (Inbound or Outbound) on which the rule is applied.

DNS Rewrite

Whether the DNS Rewrite option is enabled: Yes or No. This option is set in the Advanced NAT Options Dialog Box.

Maximum TCP Connections

The maximum number of TCP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box.

Embryonic Limit

The number of embryonic connections allowed to form before the security appliance begins to deny these connections. If zero, the number of connections is unlimited. A positive number enables the TCP Intercept feature.

This option is set in the Advanced NAT Options Dialog Box.

Maximum UDP Connections

The maximum number of UDP connections allowed to connect to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box.

Timeout

For PIX 6.x devices, this is the timeout value for a static translation rule. This value overrides the default translation timeout specified in Platform > Security > Timeouts. A Timeout value of 00:00:00 here means that translations matching this rule should use the default translation timeout specified in Platform > Security > Timeouts.

Randomize Sequence Number

Whether the security appliance will randomize the sequence number of TCP packets: Yes or No. This option is set in the Advanced NAT Options Dialog Box, and is enabled by default.

Category

The category to which the rule is assigned. Categories use labels and color-coding to help identify rules and objects.

To define and edit categories, select Tools > Policy Object Manager > Category. Refer to Understanding Category Objects, page 9-39 for more information.

Note No commands are generated for the Category attribute.

Description

The description of the rule, if provided.


Advanced NAT Options Dialog Box

Use the Advanced NAT Options dialog box to configure the advanced connection settings—DNS Rewrite, Maximum TCP and Maximum UDP Connections, Embryonic Limit, Timeout (PIX 6.x), and Randomize Sequence Number—for NAT and Policy NAT. You can also configure these options for Translation Exemption (NAT 0 ACL) rules on an FWSM.

Navigation Path

You can access the Advanced NAT Options dialog box by clicking the Advanced button when adding or editing a translation rule. See the following topics for more information:

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box

Add/Edit Dynamic Translation Rule Dialog Box

Add/Edit Policy Dynamic Rules Dialog Box

Add/Edit Static Rule Dialog Box

Related Topics

NAT Policies

Translation Rules Page

Field Reference

Table K-14 Advanced NAT Options Dialog Box 

Element
Description

Translate the DNS replies that match the translation rule

If checked, the security appliance rewrites DNS replies so an outside client can resolve the name of an inside host using an inside DNS server, and vice versa. For instance, if your NAT rule includes the real address of a host with an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host: one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client.

As an example, assume an inside web server, www.example.com, has the IP address 192.168.1.1, which is translated to 10.1.1.1 on the outside interface of the appliance. An outside client sends a DNS request to an inside DNS server, which will resolve www.example.com to 192.168.1.1. When the reply comes to the security appliance with DNS Rewrite enabled, the security appliance will translate the IP address in the payload to 10.1.1.1, so that the outside client will get the correct IP address.

Note that the mapped host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with a static rule.

Max TCP Connections per Rule

Enter the maximum number of TCP connections allowed; valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Max UDP Connections per Rule

Enter the maximum number of UDP connections allowed; valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Max Embryonic Connections

Enter the number of embryonic connections allowed to form before the security appliance begins to deny these connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set this limit to prevent attack by a flood of embryonic connections. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Any positive value enables the TCP Intercept feature. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.

Timeout

For PIX 6.x devices, enter a timeout value for this translation rule, in the format hh:mm:ss. This value overrides the default translation timeout specified in Platform > Security > Timeouts, unless this value is 00:00:00, in which case translations matching this rule use the default translation timeout (specified in Platform > Security > Timeouts).

Randomize Sequence Number

If checked, the security appliance randomizes the sequence numbers of TCP packets. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

Disable this feature only if:

Another in-line security appliance is also randomizing initial sequence numbers and data is being scrambled.

You are using eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

You are using a WAAS device which requires that the security appliance not randomize the sequence numbers of connections.

Disabling this option opens a security hole in the security appliance.


Interfaces Page

The Interfaces page displays configured interfaces and subinterfaces, and you can add or delete interfaces and subinterfaces, as well as enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.

Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new firewall device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the selected device type and version, the operational mode (routed vs. transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.

Navigation Path

To access the Interfaces page, select a firewall device in Device View and then select Interfaces from the Device Policy selector.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

Using the Add/Edit Interface Dialog Box, page 15-6

Field Reference

Table K-15 Interfaces Page 

Element
Description
Interfaces Table

Interface Type

The interface type. This value is derived from the hardware ID setting of the selected interface. Valid options are:

ethernet

gigabitethernet

gb-ethernet

Interface Name/Name

The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address

The IP address of the interface, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.

IP Address Type

The method by which the IP address is provided. Valid options are:

static - The IP address is manually defined.

dhcp - The IP address is obtained via a DHCP lease.

pppoe - The IP address is obtained using PPPoE.

Interface Role

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

All-Interfaces - The interface is a member of the default role assigned to all interfaces.

Internal - This interface is a member of the default role associated with all inside interfaces.

External - This interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.

Hardware ID

Identifies the type of interface installed in the device, as well as the port or slot where the interfaces is installed.

For subinterfaces, this value identifies the physical interface with which the subinterfaces is associated.

Vlan ID

For a subinterface, this is the VLAN ID, an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration.

If this value is not specified, the column displays native.

Enabled

Indicates if the interface is enabled: true or false.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Security Level

The interface security level; a value between 0 and 100.

Management Only

Indicates if the interface allows traffic to the security appliance for management purposes only.

MTU

The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is 1500.

Description

A description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.

ASR Group

If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface or subinterface. In multiple-context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts on Firewall Devices, page 15-80 page for information about assigning interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:

Add/Edit Interface Dialog Box (PIX 7.0/ASA)

Add/Edit Interface Dialog Box (ASA 5505)

Add/Edit Interface Dialog Box (PIX 6.3)

Navigation Path

You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

Interfaces Page

ASA 5505 Ports and Interfaces Page

Advanced Interface Settings Dialog Box

Add VPND Group Dialog Box

PPPoE Users Dialog Box

Add/Edit Interface Dialog Box (PIX 7.0/ASA)

Table K-16 Add/Edit Interface Dialog Box (PIX 7.0/ASA) 

Element
Description

Enable Interface

Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only

Sets the interface to accept traffic to the security appliance only, and not through traffic.

Type

Type of interface. Valid values are:

Interface—Settings represent a physical interface.

Sub-interface—Settings represent a logical interface attached to the same network as its underlying physical interface.

Name

Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:

Inside—Connects to your internal network. Must be most secure interface.

DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type.

Outside—Connects to an external network or the Internet. Must be least secure interface.

Hardware Port

For a physical interface, this value represents a name by which subinterfaces can associate to the interface. When you add a subinterface, you can choose any enabled physical interface to which you want to add a subinterface. If you do not see an interface ID, be sure that the interface is enabled.

Valid values are:

Ethernet0 to Ethernetn.

Gb-ethernetn.

where n represents the number of network interfaces in the device.

Sub-interface ID

Sets the subinterface ID as an integer between 1 and 4294967293. The number of suinterfaces allowed depends on your platform.

Note You cannot change the ID after you set it.

Media Type

Specifies the media type for the interface:

RJ45

SFP

IP Type

Specifies the address type for the interface:

Static IP—Assigns a static IP address and mask to the interface.

Use DHCP—Assigns a dynamic IP address and mask to the interface.

PPPoE—Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.

IP Address

Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option.

IP address must be unique for each interface.

The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Subnet Mask

Network mask for IP address of interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

DHCP Learned Route Metric

Available only if Use DHCP is selected for IP Type.

Obtain default route using DHCP

Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.

Enable Tracking for DHCP Learned Route

Available only if Use DHCP is selected for IP Type.

VPDN Group Name

Available only if PPPoE is selected for IP Type.

PPPoE Learned Route Metric

Available only if PPPoE is selected for IP Type.

Obtain Default Route using PPPoE

Available only if PPPoE is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the PPPoE server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.

Enable Tracking for PPPoE Learned Route

Available only if PPPoE is selected for IP Type.

Duplex

Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.

Speed

Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type.

10

100

1000

non-negotiable

MTU

Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

VLAN ID

For a subinterface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

Security Level

Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

Outside interface is always 0.

Inside interface is always 100.

DMZ interfaces are between 1-99.

Description

Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.


Add/Edit Interface Dialog Box (ASA 5505)

The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page.

Table K-17 Add/Edit Interface Dialog Box (ASA 5505) 

Element
Description

Enable Interface

Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

Management Only

Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.

Name

Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications.

Supported interface names are:

Inside—Connects to your internal network. Must be most secure interface.

DMZ—"Demilitarized zone" attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.

Outside—Connects to an external network or the Internet. Must be the least secure interface.

IP Type

Specifies the address type for the interface; choose one of the following methods and provide related parameters:

Static IP - Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. If you omit the Subnet Mask value, a "classful" network is assumed.

Use DHCP - Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:

DHCP Learned Route Metric (required) - Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.

Obtain Default Route using DHCP - Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Static Route Page.

Enable Tracking for DHCP Learned Route - If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available:

Tracked SLA Monitor - Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Understanding SLA Monitor Objects, page 9-129 for more information.)

PPPoE (PIX and ASA 7.2+) - Enables PPPoE for automatic assignment of an IP address of an IP address from a PPPoE server on the connected network; not supported with failover.

VPDN Group Name (required) - Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 15-15 for more information.

IP Address - If provided, this static IP address is used for connection and authentication, instead of a negotiated address.

Subnet Mask - The subnet mask to be used in conjunction with the provided IP Address.

PPPoE Learned Route Metric (required) - Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.

IP Type (continued)

Obtain Default Route using PPPoE - Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.

Enable Tracking for PPPoE Learned Route - If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:

Dual ISP Interface - If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.

Tracked SLA Monitor - Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Understanding SLA Monitor Objects, page 9-129 for more information.)

Note You can configure DHCP and PPPoE only on the outside interface of a security appliance.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

MTU

Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple context mode, set the MTU in the context configuration.

VLAN ID

Sets the VLAN ID, between 1 and 4090. For multiple-context mode, you can only set the VLAN ID in the system configuration.

Security Level

Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

Outside interface is always 0.

Inside interface is always 100.

DMZ interfaces are between 1-99.

Block Traffic To

Restricts this VLAN interface from initiating contact with the VLAN chosen here.

Backup Interface

Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.

Active MAC Address

Use this field to manually assign a MAC address to the interface.

MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby MAC Address

If you assign an Active MAC Address, you also can assign a Standby MAC Address.

Description

Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.


Add/Edit Interface Dialog Box (PIX 6.3)

Table K-18 Add/Edit Interface Dialog Box (PIX 6.3) 

Element
Description

Enable Interface

Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy.

You must enable a physical interface before any traffic can pass through any enabled sub-interfaces.

Type

Type of VLAN interface. Valid values are:

Logical—VLAN is associated with a logical interface.

Physical—VLAN is on the same network as its underlying hardware interface.

Name

Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:

Inside—Connects to your internal network. Must be most secure interface.

DMZ—Demilitarized zone (Intermediate interface). Also known as a perimeter network.

Outside—Connects to an external network or the Internet. Must be least secure interface.

Hardware Port

When defining a physical network interface, this value represents the name identifies the interface type and its slot or port in the device.

When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled.

Valid values are:

ethernet0 to ethernetn.

gb-ethernetn.

where n represents the number of network interfaces in the device.

IP Type

Specifies the address type for the interface.

Static IP—Assigns a static IP address and mask to the interface.

Use DHCP—Assigns a dynamic IP address and mask to the interface.

Use PPPoE—Provides an authenticated method of assigning an IP address to the interface.

Note You can configure DHCP and PPPoE only on the outside interface of a firewall device.

IP Address

Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type.

IP address must be unique for each interface.

The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list.

Subnet Mask

Identifies the network mask for IP address of the interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because those mask values stop traffic on that interface.

Obtain Default Route using DHCP

Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Static Route Page.

Retry Count

Identifies the number of tries before an error is returned. Valid values are 4 through 16.

Obtain default route using PPPoE

Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway.

Speed and Duplex

Lists the speed options for a physical interface; not applicable to logical interfaces.

auto—Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.

10baset—10-Mbps Ethernet half-duplex.

10full—10-Mbps Ethernet full-duplex.

100basetx—100-Mbps Ethernet half-duplex.

100full—100-Mbps Ethernet full-duplex.

1000auto—1000-Mbps Ethernet to auto-negotiate full- or
half -duplex.

Tip We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.

1000full—Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.

1000full nonnegotiate—1000-Mbps Ethernet full-duplex.

aui—10-Mbps Ethernet half-duplex communication with an AUI cable interface.

bnc—10-Mbps Ethernet half-duplex communication with a BNC cable interface.

Note We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

MTU

Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 300-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492.

Physical VLAN ID

For a physical interface, sets the VLAN ID, between 1 and 4094. This VLAN ID must not be in use on connected devices.

Logical VLAN ID

Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.

Security Level

Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

Outside interface is always 0.

Inside interface is always 100.

DMZ interfaces are between 1 and 99.

Roles

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.


Advanced Interface Settings Dialog Box

Navigation Path

You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page or ASA 5505 Ports and Interfaces Page.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

Interfaces Page

FWSM Interfaces Page

ASA 5505 Ports and Interfaces Page

Add/Edit Interface Dialog Box

FWSM Add/Edit Interface Dialog Box

Add VPND Group Dialog Box

PPPoE Users Dialog Box

Field Reference

Table K-19 Advanced Interface Settings Dialog Box 

Element
Description

Traffic between interfaces with same security levels

Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

Disabled—Does not allow communication between interfaces on the same security level.

Inter-interface—Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.

Intra-interface—Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.

Both—Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.

PPPoE Users button

Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)

Group Name

Displays the group name.

PPPoE Username

Displays the PPPoE username.

PPP Authentication

Indicates the PPP Authentication method for this VPDN group:

PAP

CHAP

MSCHAP


Add VPND Group Dialog Box

Navigation Path

You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

Interfaces Page

FWSM Interfaces Page

ASA 5505 Ports and Interfaces Page

Add/Edit Interface Dialog Box

FWSM Add/Edit Interface Dialog Box

Advanced Interface Settings Dialog Box

PPPoE Users Dialog Box

Field Reference

Table K-20 Add VPND Group Dialog Box 

Element
Description

Group Name

Enter the group name.

PPPoE Username

Select the PPPoE username.

PPP Authentication

Select the PPP Authentication method:

PAP

CHAP

MSCHAP


PPPoE Users Dialog Box

Navigation Path

You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box. For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

Interfaces Page

FWSM Interfaces Page

ASA 5505 Ports and Interfaces Page

Add/Edit Interface Dialog Box

FWSM Add/Edit Interface Dialog Box

Advanced Interface Settings Dialog Box

Add VPND Group Dialog Box

Add and Edit PPPoE User Dialog Boxes

Field Reference

Table K-21 PPPoE Users Dialog Box 

Element
Description
PPPoE Users (PIX and ASA 7.2+)

Username

Displays the PPPoE username.

Store in Local Flash

Indicates whether this PPPoE user account is to be stored in local flash (True or False).


Add and Edit PPPoE User Dialog Boxes

Navigation Path

You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box.


Note The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.


Related Topics

Configuring Firewall Device Interfaces, page 15-2

Interfaces Page

FWSM Interfaces Page

ASA 5505 Ports and Interfaces Page

Add/Edit Interface Dialog Box

FWSM Add/Edit Interface Dialog Box

Advanced Interface Settings Dialog Box

Add VPND Group Dialog Box

PPPoE Users Dialog Box

Field Reference

Table K-22 Add and Edit PPPoE User Dialog Boxes 

Element
Description

Username

Provide a name for the PPPoE user.

Password

Enter a password for this user.

Confirm

Re-enter the password.

Store Username and Password in Local Flash

Select this option to store the PPPoE user information in flash memory.


FWSM Interfaces Page

The FWSM Interfaces page displays configured interfaces and subinterfaces. You can add or delete interfaces and subinterfaces, and also enable communication between interfaces on the same security level. Each firewall device must be configured, and each active interface must be enabled. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.

Transparent firewall mode allows only two interfaces to pass through traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the device type and version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.

Navigation Path

To access this feature, select a firewall device in Device View and then select Interfaces from the Device Policy selector.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

FWSM Add/Edit Interface Dialog Box

Add/Edit Bridge Group Dialog Box

Advanced Interface Settings Dialog Box

Field Reference

Table K-23 FWSM Interfaces Page 

Element
Description
Interfaces Tab

Interface Type

Displays the interface type. This value is derived from the hardware ID setting of the selected interface. Valid options are:

ethernet

gigabitethernet

gb-ethernet

Interface Name

Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address

Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.

IP Address Type

Specifies the method by which the IP address is provided. Valid options are:

static—The IP address is manually defined.

dhcp—The IP address is obtained via a DHCP lease.

pppoe—The IP address is obtained using PPPoE.

Interface Role

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

All-Interfaces—The interface is a member of the default role assigned to all interfaces.

Internal—This interface is a member of the default role associated with all inside interfaces.

External—This interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.

Hardware ID

Identifies the type of interface installed in the device, as well as the port or slot where the interfaces is installed.

For subinterfaces, this value identifies the physical interface with which the subinterfaces is associated.

Vlan ID

For a subinterface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. In multiple-context mode, you can only set the VLAN in the system configuration.

If this value is not specified, the column displays native.

Enabled

Indicates if the interface is enabled: true or false.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Security Level

Displays the interface security level; a value between 0 and 100.

Management Only

Indicates if this interface allows traffic to the security appliance for management purposes only.

MTU

Displays the MTU. By default, the MTU is 1500.

Description

Displays a description of the interface. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.

ASR Group

Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Bridge Groups Tab

Bridge Group

Shows the name of the bridge group.

ID

Displays the bridge group ID.

Interface A

Identifies the first interface that is part of this bridge group.

Interface B

Identifies the second interface that is part of this bridge group.

IP

Displays the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

Netmask

Displays the netmask for the management IP address of this bridge group.

Description

Displays the description of this bridge group if one was specified.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


FWSM Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface or subinterface. In multiple context mode, you can only add interfaces in the system configuration. See the Configuring Security Contexts on Firewall Devices, page 15-80 page to assign interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as a physical, virtual, logical, or subinterface:

Navigation Path

You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see FWSM Interfaces Page.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

FWSM Interfaces Page

Add/Edit Bridge Group Dialog Box

Advanced Interface Settings Dialog Box

Field Reference

Table K-24 FWSM Add/Edit Interface Dialog Box 

Element
Description

Enable Interface

Enables this interface to pass traffic. You must also set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only

Sets the interface to accept traffic to the security appliance only, and not through traffic.

Name

Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are:

Inside—Connects to your internal network. Must be most secure interface.

DMZ—Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with "DMZ" to identify the interface type.

Outside—Connects to an external network or the Internet. Must be least secure interface.

IP Address

Specifies the IP address for the device. For a static IP address, select the Use Static IP option and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select the Obtain Address via DHCP option.

IP address must be unique for each interface.

The IP address is blank for interfaces that use dynamic addressing.

Note Do not use addresses being used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

Subnet Mask

Network mask for IP address of interface. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

MTU

Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are 64-65535 bytes. Default is 1500 for all types except PPPoE, for which the default is 1492. For multiple-context mode, set the MTU in the context configuration.

VLAN ID

For a subinterface, sets the VLAN ID between 1 and 4096. Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration.

Security Level

Sets the security level of the interface. Value are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

Outside interface is always 0.

Inside interface is always 100.

DMZ interfaces are between 1-99.

Roles

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Default options include:

All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.

ASR Group

To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.


Add/Edit Bridge Group Dialog Box

Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

Navigation Path

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see FWSM Interfaces Page.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

FWSM Interfaces Page

FWSM Add/Edit Interface Dialog Box

Advanced Interface Settings Dialog Box

Field Reference

Table K-25 Add/Edit Bridge Group Dialog Box 

Element
Description

Name

Enter a name for this bridge group.

ID

Enter the bridge group ID as an integer between 1 and 100.

Interface A

Select the first interface that is part of this bridge group.

Interface B

Select the second interface that is part of this bridge group.

IP Address

Enter the management IP address for the bridge group. A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access.

Netmask

Network mask for IP address of bridge group. You can express the value in dotted decimal format (for example, 255.255.255.0) or by entering the number of bits in the network mask (for example, 24).

Note Do not use 255.255.255.254 or 255.255.255.255 for an interface connected to the network because this will stop traffic on that interface.

Description

You can enter an optional description for this bridge group.


ASA 5505 Ports and Interfaces Page

The ASA 5505 adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure:

Physical switch ports—The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports are PoE ports. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.

Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.


Note Subinterfaces are not available for the ASA 5505 adaptive security appliance.


Navigation Path

To access this feature, select an ASA 5505 in Device View and then select Interfaces from the Device Policy selector.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

Configure Hardware Ports Dialog Box

Add/Edit Interface Dialog Box (PIX 7.0/ASA)

Advanced Interface Settings Dialog Box

Add VPND Group Dialog Box

PPPoE Users Dialog Box

Field Reference

Table K-26 ASA 5505 Ports and Interfaces Page 

Element
Description
Hardware Ports Tab

Hardware Port

Identifies the switch port.

Enabled

Indicates whether this switch port is enabled or not (Yes or No).

Associated VLANs

Shows the VLAN or VLANs that are associated with this port.

Associated Interface Names

Shows the interface name of the VLAN(s) that are associated with this port.

Mode

Shows the mode for this port:

Access Port—Port is in access mode.

Trunk Port—Port is in trunk mode. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets; there is no native VLAN support, and the adaptive security appliance drops all packets that do not contain a tag specified in this command.

Protected

Identifies whether the port is isolated or not (Yes or No). This option prevents the switch port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Protected option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Interfaces Tab

Name

Displays the interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address Type

Specifies the method by which the IP address is provided. Valid options are:

static—Identifies that the IP address is manually defined.

dhcp—Identifies that the IP address is obtained via a DHCP lease.

pppoe—Identifies that the IP address is obtained using PPPoE.

IP Address

Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses.

Block Traffic To

Displays the interface to which traffic is blocked.

Backup Interface

Displays the interface that acts as backup for this interface.

Interface Role

Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces.

Valid options include:

All-Interfaces—Indicates the interface is a member of the default role assigned to all interfaces.

Internal—Indicates this interface is a member of the default role associated with all inside interfaces.

External—Indicates this interface is a member of the default role associated with all outside interfaces.

For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 9-96.

Enabled

Indicates if the interface is enabled (Yes or No).

Vlan ID

Identifies the VLAN ID for this interface.

Security Level

Displays the interface security level between 0 and 100.

Management Only

Indicates if the interface allows traffic to the security appliance or for management purposes only.

MTU

Displays the MTU. By default, the MTU is 1500.

Description

Displays a description of the interface.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Configure Hardware Ports Dialog Box

Use the Configure Hardware Ports dialog box to configure the switch ports on an ASA 5505, including setting the mode, assigning a switch port to a VLAN, and setting the Protected option.


Caution The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network. Therefore, you must ensure that any connection with the appliance does not end up in a network loop.

Navigation Path

You can access the Configure Hardware Ports dialog box from the Hardware Ports tab of the ASA 5505 Interfaces page. For more information about this page, see ASA 5505 Ports and Interfaces Page.

Related Topics

Configuring Firewall Device Interfaces, page 15-2

ASA 5505 Ports and Interfaces Page

Add/Edit Interface Dialog Box (PIX 7.0/ASA)

Advanced Interface Settings Dialog Box

Add VPND Group Dialog Box

PPPoE Users Dialog Box

Field Reference

Table K-27 Configure Hardware Ports Dialog Box 

Element
Description

Enable Interface

Select to enable this switch port.

Isolated

Select this option to prevent this port from communicating with other protected switch ports on the same VLAN. You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, if you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the Isolated option to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Hardware Port

Choose the switch port that you are configuring.

Mode

Choose a mode for this port:

Access Port—Sets the port to access mode. Access ports can be assigned to one VLAN.

Trunk Port—Sets the port to trunk mode using 802.1Q tagging. Trunk ports can carry multiple VLANs using 802.1Q tagging. Trunk mode is available only with the Security Plus license. Trunk ports do not support untagged packets, there is no native VLAN support, and the appliance drops all packets that do not contain a tag specified in this command.

VLAN ID

Enter the VLAN ID(s) according to the chosen Mode:

Access Port mode—Enter the VLAN ID to which you want to assign this switch port.

Trunk Port mode—Enter the VLAN IDs to which you want to assign this switch port, separated by commas.

Duplex

Lists the duplex options for the port, including Full, Half, or Auto. The Auto setting is the default.

If you set the duplex to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Speed

Choose a speed for the port:

auto (default)

10

100

If you set the speed to anything other than Auto on PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

The default Auto setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to Auto to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.


Bridging

This section discusses the following pages:

ARP Table Page

ARP Inspection Page

MAC Address Table Page

MAC Learning Page

Management IP Page

ARP Table Page

Use the ARP Table page to add static ARP entries that map a MAC address to an IP address and identifies the interface through which the host is reached.

Navigation Path

(Device view) Select Platform > Bridging > ARP Table from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table from the Policy Type selector. Right-click ARP Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit ARP Configuration Dialog Box

Bridging

ARP Inspection Page

MAC Address Table Page

MAC Learning Page

Management IP Page

Field Reference

Table K-28 ARP Table Page 

Element
Description

Timeout (seconds)

The amount of time, between 60 and 4294967 seconds, before the security appliance rebuilds the ARP table. The default is 14400 seconds.

Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout because the host information changes frequently.

Note The timeout applies to the dynamic ARP table, and not the static entries contained in the ARP table.

ARP Table

Interface

The interface to which the host is attached.

IP Address

The IP address of the host.

MAC Address

The MAC address of the host.

Alias Enabled

Indicates whether the security appliance performs proxy ARP for this mapping. If this setting is enabled and the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this command. This feature is useful if you have devices that do not perform ARP, for example.

Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit ARP Configuration Dialog Box

Use the Add/Edit ARP Configuration dialog box to add a static ARP entry that maps a MAC address to an IP address and identifies the interface through which the host is reached.

Navigation Path

You can access the Add/Edit ARP Configuration dialog box from the ARP Table page. For more information about the ARP Table page, see ARP Table Page.

Related Topics

Bridging

ARP Table Page

Field Reference

Table K-29 Add/Edit ARP Configuration dialog box 

Element
Description

Interface

The name of the interface to which the host network is attached.

IP Address

The IP address of the host.

MAC Address

The MAC address of the host; for example, 00e0.1e4e.3d8b.

Enable Alias

When selected, enables proxy ARP for this mapping. If the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address. When the security appliance receives traffic destined for the host belonging to the IP address, the security appliance forwards the traffic to the host MAC address that you specify in this command. This feature is useful if you have devices that do not perform ARP, for example.

Note In transparent firewall mode, this setting is ignored and the security appliance does not perform proxy ARP.


ARP Inspection Page

Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.

Navigation Path

(Device view) Select Platform > Bridging > ARP Inspection from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Inspection from the Policy Type selector. Right-click ARP Inspection to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit ARP Inspection Dialog Box

Bridging

ARP Table Page

MAC Address Table Page

MAC Learning Page

Management IP Page

Field Reference

Table K-30 ARP Inspection Page 

Element
Description
ARP Inspection Table

Interface

The name of the interface to which the ARP inspection setting applies.

ARP Inspection Enabled

Indicates whether ARP inspection is enabled on the specified interface.

Flood Enabled

Indicates whether packets that do not match any element of a static ARP entry should be flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.

Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit ARP Inspection Dialog Box

Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection for a transparent firewall interface.

Navigation Path

You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection page. For more information about the ARP Inspection page, see ARP Inspection Page.

Related Topics

Bridging

ARP Inspection Page

Field Reference

Table K-31 Add/Edit ARP Inspection dialog box 

Element
Description

Interface

The name of the interface for which you are enabling or disabling ARP inspection.

Enable ARP Inspection on this interface

When selected, enables ARP inspection on the specified interface.

Flood ARP packets

When selected, packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet. If you do not select this check box, all non-matching packets are dropped.

Note The dedicated management interface, if present, never floods packets even if this parameter is set to flood.


MAC Address Table Page

Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.

Navigation Path

(Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit MAC Table Entry Dialog Box

Bridging

ARP Table Page

ARP Inspection Page

MAC Learning Page

Management IP Page

Field Reference

Table K-32 MAC Address Table Page 

Element
Description

Aging Time (minutes)

Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default.

MAC Address Table

Interface

The interface to which the MAC address is associated.

MAC Address

The MAC address; for example, 00e0.1e4e.3d8b.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit MAC Table Entry Dialog Box

Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.

Navigation Path

You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page.

Related Topics

Bridging

MAC Address Table Page

Field Reference

Table K-33 Add/Edit MAC Table Entry dialog box 

Element
Description

Interface

The interface to which the MAC address is associated.

MAC Address

The MAC address; for example, 00e0.1e4e.3d8b.


MAC Learning Page

Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.

Navigation Path

(Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit MAC Learning Dialog Box

Bridging

ARP Table Page

ARP Inspection Page

MAC Address Table Page

Management IP Page

Field Reference

Table K-34 MAC Learning Page 

Element
Description
MAC Learning Table

Interface

The interface to which the MAC learning setting applies.

MAC Learning Enabled

Indicates whether the security appliance learns MAC addresses from traffic entering the interface.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit MAC Learning Dialog Box

Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.

Navigation Path

You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page.

Related Topics

Bridging

MAC Learning Page

Field Reference

Table K-35 Add/Edit MAC Learning dialog box 

Element
Description

Interface

The interface to which the MAC learning setting applies.

MAC Learning Enabled

When selected, the security appliance learns MAC addresses from traffic entering the interface.


Management IP Page

Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.

Navigation Path

(Device view) Select Platform > Bridging > Management IP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Bridging

ARP Table Page

ARP Inspection Page

MAC Address Table Page

MAC Learning Page

Field Reference

Table K-36 Management IP Page 

Element
Description

Management IP Address

The management IP address.

Subnet Mask

The subnet mask that corresponds to the management IP address.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


AAA Page

This page includes tabs for configuring authentication, authorization, and accounting:

Authentication Tab

Authorization Tab

Accounting Tab

Navigation Path

(Device view) Select Platform > Device Admin > AAA from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.

Authentication Tab

Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.

Navigation Path

You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page.

Related Topics

Configuring AAA, page 15-27

Authorization Tab

Accounting Tab

Field Reference

Table K-37 Authentication Tab 

Element
Description
Require AAA Authentication to allow use of privileged mode commands

Enable

Forces AAA authentication from a server group before you can access enable mode on the firewall. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears.

Server Group

Provides a drop-down menu from which you can choose a server group to force AAA authentication.

Use LOCAL when server group fails

Uses the LOCAL server group if the selected server group fails.

Require AAA Authorization for the following types of connections

Connection type

Specify the connection types that require authorization:

HTTP—Require AAA authentication when you start an HTTPS connection to the firewall console.

Serial—Require AAA authentication when you connect to the firewall console via the serial console cable. The firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the firewall username and the enable password.

SSH—Require AAA authentication when you start a Secure Shell (SSH) connection to the firewall console. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console.

Telnet—Require AAA authentication when you start a Telnet connection to the firewall console. You must authenticate before you can enter a Telnet command.

Server Group

Specify the server group to use for authorization.

Use LOCAL when server group fails

Uses the LOCAL server group if the selected server group fails.

Authentication Prompts

Login Prompt

Enter the prompt a user will see when logging in to the security appliance.

User Accepted Message

Enter the message a user will see when successfully authenticated by the security appliance.

User Rejected Message

Enter the message a user will see when authentication by the security appliance fails.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Authorization Tab

The Authorization tab allows you to configure authorization for accessing firewall commands.

Navigation Path

You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page.

Related Topics

Configuring AAA, page 15-27

Authentication Tab

Accounting Tab

Field Reference

Table K-38 Authorization Tab 

Element
Description

Enable Authorization for Command Access

Requires authorization for accessing firewall commands.

Server Group

Specify the server group to use for authorization.

Use LOCAL when server group fails

Uses the LOCAL server group if the selected server group fails.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Accounting Tab

Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.

Navigation Path

You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page.

Related Topics

Configuring AAA, page 15-27

Authentication Tab

Authorization Tab

Field Reference

Table K-39 Accounting Tab 

Element
Description
Require AAA Accounting for privileged commands

Enable

When selected, enables the generation of accounting records to mark the entry to and exit from privileged mode for administrative access via the console.

Server Group

Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require AAA Accounting for the following types of connections

Connection type

Specify the connection types that will generate accounting records:

HTTP—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP. Valid server group protocols are RADIUS and TACACS+.

Serial—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial interface to the console. Valid server group protocols are RADIUS and TACACS+.

SSH—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. Valid server group protocols are RADIUS and TACACS+.

Telnet—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet. Valid server group protocols are RADIUS and TACACS+.

Server Group

Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require Accounting for command access

Enable

When selected, enables the generation of accounting records for commands entered by an administrator/user.

Server Group

Provides a drop-down menu from which you can choose the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Privilege Level

Minimum privilege level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Banner Page

Use the Banner page to configure message of the day, login and session banners.

Navigation Path

(Device view) Select Platform > Device Admin > Banner from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Server Access

Field Reference

Table K-40 Banner Page 

Element
Description

Session(exec) Banner

Enter text that you want the system to display as a banner before displaying the enable prompt.

Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Login Banner

Enter text that you want the system to display as a banner before the password login prompt when someone accesses the security appliance using Telnet.

Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Message-of-the-Day (motd) Banner

Enter text that you want the system to display as a message-of-the-day banner.

Note The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Boot Image/Configuration Page

Use the Boot Image/Configuration page to specify which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can also specify the path to the ASDM image file on the security appliance.

Navigation Path

(Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Boot Image and Configuration Settings, page 15-32

Images Dialog Box

Field Reference

Table K-41 Boot Image/Configuration Page 

Element
Description

Boot Config Location

The configuration file to use when the system is loaded. Use the following syntax:

disk0:/[path/]filename

Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

disk1:/[path/]filename

Indicates the external Flash card.

flash:/[path/]filename

ASDM Image Location

The location of the ASDM software image to be used when ASDM sessions are initiated. Use the following syntax:

disk0:/[path/]filename

Indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

disk1:/[path/]filename

Indicates the external Flash card.

flash:/[path/]filename

tftp://[user[:password]@]server[:port]/[path/]filename

Boot Images Table

No.

Identifies the number of the boot image.

Images

Identifies the path and name of the boot image.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Images Dialog Box

Use the Images dialog box to add a boot image entry to the boot order list.

Navigation Path

You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page.

Related Topics

Configuring Boot Image and Configuration Settings, page 15-32

Boot Image/Configuration Page

Field Reference

Table K-42 Images Dialog Box 

Element
Description

Image File

Enter the path and name of the image file to add to the boot order list. See the following syntax:

disk0:/[path/]filename

This option is available only for the ASA platform, and indicates the internal Flash card. You can also use flash instead of disk0, as they are aliased.

disk1:/[path/]filename

This option is available only for the ASA platform, and indicates the external Flash card.

flash:/[path/]filename

tftp://[user[:password]@]server[:port]/[path/]filename


Clock Page

The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.

To dynamically set the time using an NTP server, see Configuring NTP Settings, page 15-56; time derived from an NTP server overrides any time set manually on the Clock page.

Navigation Path

(Device view) Select Platform > Device Admin > Clock from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Clock Settings, page 15-33

Configuring NTP Settings, page 15-56

NTP Page

Field Reference

Table K-43 Clock Page 

Element
Description

Device Time Zone

Select the time zone for the device from the list.

Daylight Savings Time (Summer Time)

Select whether daylight savings time is used and if so what method is used to specify when daylight savings time applies:

None—Disables daylight savings time on the security appliance.

Set by Date—Select this option to specify the date and time when daylight savings time begins and ends for a specific year. If you use this option, you need to reset the dates every year.

Set Recurring—Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.

Set by Date

Date (Begin/End)

Enter the date on which daylight savings time begins and ends in MMM dd YYYY format (for example, Jul 15 2005). You can also click Calendar to select the date from a calendar.

Hour (Begin/End)

Select the hour, from 00 to 23, in which daylight savings time begins and the hour in which it ends.

Minute (Begin/End)

Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.

Set Recurring

Specify Recurring Time

Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.

Month (Begin/End)

Select the month in which daylight savings time begins and the month in which it ends.

Week (Begin/End)

Select the week of the month in which daylight savings time begins and the week in which it ends. You can select the numerical value that corresponds to the week, 1 through 5, or you can specify the first or last week in the month by selecting first or last. For example, if the day might fall in the partial fifth week, specify "last."

Weekday (Begin/End)

Select the day on which daylight savings time begins and the day on which it ends.

Hour (Begin/End)

Select the hour, from 0 to 23, in which daylight savings time begins and the hour in which it ends.

Minute (Begin/End)

Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Credentials Page

Use the Credentials page to specify the future contact settings that Security Manager should use when contacting a device. You can also use the Contact Credentials page to change the login password and the enable password on a device.

Navigation Path

(Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Contact Credentials, page 15-34

User Accounts Page

Field Reference

Table K-44 Contact Credentials Page 

Element
Description

Username

Specifies the username for logging in to the device.

Password

Specifies the password for logging in to the device.

Confirm

Confirms the password entered in the Password field. The values in the Password and Confirm fields must match before you can save these settings.

Privilege Level

Specifies the privilege level of the user logging in to the device.

Enable Password

Specifies the new enable password for the device.

Confirm

Confirms the password entered in the Enable Password field. The values in the Enable Password and Confirm fields must match before you can save these settings.

Telnet/SSH Password

Specifies the new login password for the device.

Confirm

Confirms the password entered in the Telnet/SSH Password field. The values in the Telnet/SSH Password and Confirm fields must match before you can save these settings.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


CPU Threshold Page

Use the CPU Threshold Page to specify the percentage of CPU usage above which you want to receive a notification and the duration that the usage must remain above that threshold before the notification is generated.

Navigation Path

(Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring SNMP, page 15-39

SNMP Page

SNMP Trap Configuration Dialog Box

Field Reference

Table K-45 CPU Threshold Page 

Element
Description

CPU Rising Threshold Percentage

Enter the percentage of CPU usage above which you want to receive a notification. If the CPU utilization percentage is equal to or above this value for the duration specified in the CPU Monitoring Period field then a notification will be sent.

CPU Monitoring Period (seconds)

Enter the number of seconds that the percentage of CPU usage must remain at or above the threshold set in the CPU Rising Threshold Percentage field before a notification is sent.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Device Access

The Device Access section is located under the Device Admin folder in the Policy selector. The following topics describe the pages for Device Access:

Console Page

HTTP Page

ICMP Page

Management Access Page

Secure Shell Page

SNMP Page

Telnet Page

Console Page

Use the Console page to specify a time period for the management console to remain active. When the time limit you specify is reached, the console shuts down.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access

Field Reference

Table K-46 Console Page 

Element
Description

Console Timeout (minutes)

Number of minutes a console session can remain idle before the firewall device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


HTTP Page

The HTTP page provides a table that specifies the addresses of all the hosts or networks that are allowed access to the firewall device using HTTPS. You can use this table to add or change the hosts or networks that are allowed access.

The HTTP page also displays information about HTTP redirection and HTTPS user certificate requirements for interfaces on the firewall device. You can use this table to change the entries for HTTP redirection and HTTPS user certificate requirements.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Right-click HTTP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access

HTTP Configuration Dialog Box

Field Reference

Table K-47 HTTP Page 

Element
Description

Enable HTTP Server

Enables or disables HTTPS access to the firewall device.

HTTP Interface Table

Interface

Lists the interface on the firewall device from which the administrative access to the device manager is allowed.

Network

Lists the IP address and netmask, separated by a slash ("/"), of hosts or networks that are permitted to establish an HTTPS connection with the firewall device.

Authentication Certificate

Identifies if a user certificate is required to authenticate users who are establishing HTTPS connections.

Redirect Port

Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. If this column is empty, then HTTP redirect is disabled.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


HTTP Configuration Dialog Box

Use the HTTP Configuration dialog box to add a host or network that will be allowed administrative access to the firewall device manager over HTTPS.

Navigation Path

You can access the HTTP Configuration dialog box from the HTTP page. For more information about the HTTP page, see HTTP Page.

Related Topics

Device Access

HTTP Page

Field Reference

Table K-48 HTTP Configuration Dialog Box 

Element
Description

Interface Name

Specifies the interface on the firewall device from which administrative access to the firewall device manager is allowed.

IP Address/Netmask

Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to establish an HTTPS connection with the firewall device.

Enable Authentication Certificate

Specifies whether user certificate authentication is required to establish an HTTPS connection.

Redirect port

Identifies the port the security appliance listens on for HTTP requests, which it then redirects to HTTPS. To disable HTTP redirect, ensure that this field is blank.


ICMP Page

The ICMP page provides a table that lists the ICMP rules, which specify the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device. You can use this table to add or change the hosts or networks that are allowed to or prevented from sending ICMP messages to the firewall device.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Right-click ICMP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access

Add and Edit ICMP Dialog Boxes

Field Reference

Table K-49 ICMP Page 

Element
Description
ICMP Rules Table

Interface

Lists the interface on the security appliance from which ICMP access is allowed.

Action

Displays whether ICMP messages are permitted or denied from the specified network or host.

Network

Lists the IP address and netmask, separated by a "/", of hosts or networks that are allowed or denied access.

ICMP Service

Lists the type of ICMP message to which the rule applies.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add and Edit ICMP Dialog Boxes

Use the Add ICMP dialog box to add an ICMP rule, which specifies the addresses of all the hosts or networks that are allowed or denied ICMP access to the firewall device.


Note The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.


Navigation Path

You can access the Add or Edit ICMP dialog boxes from the ICMP page. For more information about the ICMP page, see ICMP Page.

Related Topics

Device Access

ICMP Page

Field Reference

Table K-50 Add and ICMP Dialog Boxes 

Element
Description

Action

Choose whether ICMP messages are permitted or denied on the specified network or host:

Permit - ICMP messages from the specified host or network and interface are allowed.

Deny - ICMP messages from the specified host or network and interface will be dropped.

ICMP Service

Enter or Select the type of ICMP service message to which the rule applies.

Interface

Enter or Select the interface on the firewall device from which ICMP access is allowed.

Network

Enter the IP address and netmask, separated by a slash (/), of the host or network that is allowed or denied access. You also can Select a Network/Host object.


Management Access Page

The Management Access page lets you enable or disable management access on a high-security interface and thus lets you perform management functions on the firewall device. Use this feature if VPN is configured on the firewall device and the external interface is using a dynamically assigned IP address. For example, this feature is helpful for accessing and managing the firewall device securely from home using the VPN client.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Right-click Management Access to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access

Field Reference

Table K-51 Management Access Page 

Element
Description

Management Access Interface

Name of firewall device interface that permits management access connections. You can click Select to select the interface from a list of interface objects.

You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time. Clear the Management Access Interface field to disable management access.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Secure Shell Page

Use the Secure Shell page to configure rules that permit only specific hosts or networks to connect to a firewall device for administrative access using the SSH protocol.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Secure Shell, page 15-38

Device Access

Add and Edit SSH Host Dialog Boxes

Field Reference

Table K-52 Secure Shell Page 

Element
Description

Enable Secure Copy Server

Select this check box to enable the secure copy server on the security appliance.

Allowed SSH Version(s)

Restricts the version of SSH accepted by the firewall device. By default, SSH Version 1 and SSH Version 2 connections are accepted.

Timeout (minutes)

Displays the number of minutes, 1 to 60, the Secure Shell session can remain idle before the firewall device closes it.

Secure Shell Access Rule table

Interface

Displays the name of the firewall device interface that will permit SSH connections.

Network

Displays the IP address and netmask of each host or network permitted to connect to this security appliance through the specified interface.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add and Edit SSH Host Dialog Boxes

Use the Add Host dialog box to add an SSH access rule.


Note The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.


Navigation Path

You can access the Add and Edit Host dialog boxes from the Secure Shell page. For more information about the Secure Shell page, see Secure Shell Page.

Related Topics

Configuring Secure Shell, page 15-38

Device Access

Secure Shell Page

Field Reference

Table K-53 Add and Edit Host Dialog Boxes 

Element
Description

Interface

Enter or Select the name of the device interface that permits SSH connections.

IP Address

Enter or Select the IP address of the host or network that is permitted to establish an SSH connection with the security device.


SNMP Page

The SNMP page lets you configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring SNMP, page 15-39

Device Access

SNMP Trap Configuration Dialog Box

Add SNMP Host Access Entry Dialog Box

Field Reference

Table K-54 SNMP Page 

Element
Description

Password (Community String)

Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

System Administrator Name

Enter the name of the firewall system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

Location

Specify the firewall location. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.

Port (PIX 7.x and ASA only)

Specify the port on which incoming requests will be accepted.

Configure Traps button

Click to open the SNMP Trap Configuration dialog box from which you can configure SNMP trap settings.

SNMP Hosts Table

Interface

Identifies the interface on which the SNMP management station resides.

IP Address

Identifies the IP address of the SNMP management station.

Community String

Identifies the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

SNMP Version

Identifies the version of SNMP set on the management station.

Poll/Trap

Displays the method for communicating with this management station, poll only, trap only, or both trap and poll.

Poll—Firewall device waits for a periodic request from the management station.

Trap—Sends syslog events when they occur.

UDP Port

Specifies the UDP port for the SNMP host. The default value is 162 for the SNMP host UDP port.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


SNMP Trap Configuration Dialog Box

Use the SNMP Trap Configuration dialog box to configure trap settings.

Traps are different than browsing; they are unsolicited "comments" from the managed device to the management station for certain events, such as link up, link down, and syslog event generated.

An SNMP object ID (OID) for the security appliance displays in SNMP event traps sent from the security appliance. Firewall devices provide system OID in SNMP event traps & SNMP mib-2.system.sysObjectID.

The SNMP service running on a firewall device performs two different functions:

Replies to SNMP requests from management stations (also known as SNMP clients).

Sends traps (event notifications) to management stations or other devices that are registered to receive them from the security appliance.

Cisco firewall devices support three types of traps:

firewall

generic

syslog

Navigation Path

You can access the SNMP Trap Configuration dialog box from the SNMP page. See SNMP Page for more information.

Related Topics

Configuring SNMP, page 15-39

Device Access

SNMP Page

Add SNMP Host Access Entry Dialog Box

Field Reference

Table K-55 SNMP Trap Configuration Dialog Box 

Element
Description

Standard SNMP Traps (PIX 7.x, ASA and FWSM only)

Select the standard SNMP traps you want sent:

Authentication—Enables authentication standard trap.

Cold Start—Enables cold start standard trap.

Link Up—Enables link up standard trap.

Link Down—Enables link down standard trap.

Entity MIB Notifications (PIX 7.x and ASA only)

Select the Entity MIB Notifications that you want to enable:

FRU Insert—Enables a trap notification when a Field Replaceable Unit (FRU) has been inserted.

FRU Remove—Enables a trap notification when a Field Replaceable Unit (FRU) has been removed.

Configuration Change—Enables a trap notification when there has been a hardware change.

IPsec Traps (PIX 7.x and ASA only)

Select the IPsec traps that you want to enable:

Start—Enables a trap when IPsec starts.

Stop—Enables a trap when IPsec stops.

Remote Access Traps (PIX 7.x and ASA only)

Select the Remote Access traps that you want to enable:

Session Threshold Exceeded—Enables the firewall device send traps when remote access sessions reach the defined limit.

Enable Syslog Traps

Enables or disables the sending of syslog messages to the SNMP management station.


Add SNMP Host Access Entry Dialog Box

Use the Add SNMP Host Access Entry dialog box to add SNMP management stations.

Navigation Path

You can access the Add SNMP Host Access Entry dialog box from the SNMP page. See SNMP Page for more information.

Related Topics

Device Access

SNMP Page

SNMP Trap Configuration Dialog Box

Field Reference

Table K-56 Add SNMP Host Access Entry Dialog Box 

Element
Description

Interface Name

Select the interface on which the SNMP management station resides. You can click Select to select the interface from a list of interface objects.

IP Address

Enter the IP address of the SNMP management station. You can click Select to select the IP address from a list of IP address objects.

UDP Port

Enter the UDP port for the SNMP host. This field allows you to override the default value of 162 for the SNMP host UDP port.

Community String

Enter the password used by the SNMP management station when sending requests to the firewall. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The firewall uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

SNMP Version

Select the version of SNMP set on the management station.

Server Poll/Trap Specification

Specify the method for communicating with this management station, poll only, trap only, or both trap and poll.

Poll—Firewall device waits for a periodic request from the management station.

Trap—Sends syslog events when they occur.


Telnet Page

Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Telnet, page 15-42

Device Access

Telnet Configuration Dialog Box

Field Reference

Table K-57 Telnet Page 

Element
Description

Timeout (minutes)

Number of minutes Telnet session can remain idle before the firewall device closes it. Values can range from 1 to 1440 minutes.

Telnet Access Table

Interface

Interface that receives Telnet packets from the client.

Network

The IP address and network mask of the host or network that can access the Telnet console on the firewall device.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Telnet Configuration Dialog Box

Use the Telnet Configuration dialog box to configure Telnet options for an interface.

Navigation Path

You can access the Telnet Configuration dialog box from the Telnet page. See Telnet Page for more information.

Related Topics

Configuring Telnet, page 15-42

Device Access

Telnet Page

Field Reference

Table K-58 Telnet Configuration Dialog Box 

Element
Description

Interface Name

Select the interface that receives Telnet packets from the client. You can click Select to select the interface from a list of interface objects.

Network

Enter the IP address and netmask, separated by a "/", of the host or network that is permitted to access the firewall device's Telnet console through the specified interface. Use a comma to separate entries for multiple networks or hosts. You can click Select to select the networks from a list of network objects.

Note To limit access to a single IP address, use 255.255.255.255 or 32 as the netmask. Do not use the subnetwork mask of the internal network.


Failover Policies

This section discusses the pages that you use to configure failover for your firewall devices. The pages that are available for firewall configuration change depending on the type of firewall device you are configuring.

PIX 6.x Firewalls

Failover Page (PIX 6.x)

Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Bootstrap Configuration for LAN Failover Dialog Box

Firewall Services Modules

Failover Page (FWSM)

Advanced Settings Dialog Box

Add Interface MAC Address Dialog Box

Edit Failover Interface Configuration Dialog Box (FWSM)

Bootstrap Configuration for LAN Failover Dialog Box

Adaptive Security Appliances and PIX 7.0 Firewalls

Failover Page (ASA/PIX 7.x)

Settings Dialog Box

Add Failover Group Dialog Box

Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Add Interface MAC Address Dialog Box

Bootstrap Configuration for LAN Failover Dialog Box

Failover Page (PIX 6.x)

Use the Failover page to configure failover settings for a PIX 6.x Firewall.

Navigation Path

To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Related Topics

Failover Policies

Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Bootstrap Configuration for LAN Failover Dialog Box

Field Reference

Table K-59 Failover Page (PIX 6.x) 

Element
Description
Failover

Failover Method

Choose the type of failover link: Serial Cable or LAN Based.

Enable Failover

Check this box to enable failover on this device.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Failover Poll Time

Specifies how long failover waits before determining if other devices remain available between primary and standby devices over all network interfaces and failover cable. Values can range from 3 to 15 seconds; default is 15.

LAN-Based Failover

Interface

Choose the interface to be used for LAN-based failover. If "Not Selected" is chosen, LAN-Based Failover is disabled.

Shared Key

Used to encrypt communication between primary and standby devices. Value can be any string.

Confirm

Re-enter the Shared Key.

Stateful Failover

Interface

Choose the interface to be used for Stateful Failover. If "Not Selected" is chosen, Stateful Failover is disabled.

Note You must choose a fast LAN link from the list (for example, 100full, 1000full, or 1000sxfull).

Enable HTTP Replication

Enables stateful failover to copy active HTTP sessions to standby PIX Firewall.

Failover Interface Table

Interface

Displays the name of the interface on the active firewall device to be used for communication with standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.

Active IP Address

Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the active device.

Standby IP Address

Displays the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on same network as system IP address.

Tip You can use this IP address with the ping tool to check the status of the standby device.

Active MAC Address

Displays the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Displays the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Edit Row button

Click to display the Edit Failover Interface Configuration dialog box.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Use the Edit Failover Interface Configuration dialog box to configure a failover interface for PIX 6.x devices.


Note The failover interface cannot be configured for PPPoE.


Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (PIX 6.x).

Related Topics

Failover Policies

Failover Page (PIX 6.x)

Field Reference

Table K-60 Edit Failover Interface Configuration Dialog Box (PIX 6.x) 

Element
Description

Interface

Displays the name of the interface on the active firewall device to be used for communication with standby device for failover. When configured for stateful failover, the interface is connected directly to the standby device.

Active IP Address

Displays the IP address of the active interface. This address is used by the standby device to communicate with the active device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the active device.

Netmask

Displays the netmask of the active device.

Standby IP Address

Specify the IP address of the standby interface. This address is used by the active device to communicate with the standby device. The address must be on the same network as the system IP address.

Tip You can use this IP address with the ping tool to check the status of the standby device.
Failover MAC Addresses

Active MAC Address

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).


Failover Page (FWSM)

Use the Failover page to configure basic failover settings for FWSMs.

Navigation Path

To access this feature, select a FWSM in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Related Topics

Failover Policies

Advanced Settings Dialog Box

Edit Failover Interface Configuration Dialog Box (FWSM)

Bootstrap Configuration for LAN Failover Dialog Box

Field Reference

Table K-61 Failover Page (FWSM) 

Element
Description

Enable Failover

Specifies whether failover is enabled on this device.

You must configure the logical LAN failover interface and, optionally, the stateful failover interface.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Configuration (FWSM 3.x only)

Active/Active option (FWSM 3.x only)

In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.

To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Active/Standby option (FWSM 3.x only)

In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.

When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to security appliances in single mode or multiple mode.

Settings button

Click to display the Advance Settings dialog box. See Advanced Settings Dialog Box for more information.

LAN Failover

VLAN

VLAN interface you are using for the failover link, for example, VLAN 11.

Logical Name

The logical name of the interface on the active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address

Specifies the IP address of the active interface.

Standby IP Address

Specifies the IP address of the standby interface.

Subnet Mask

Mask that corresponds with active and standby IP addresses.

State Failover

VLAN

VLAN interface you are using for the stateful failover link, for example, VLAN 12.

Logical Name

The logical name of the interface on active firewall device that communicates with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address

Specifies the IP address of the active interface.

Standby IP Address

Specifies the IP address of the standby interface.

Subnet Mask

Mask that corresponds with active and standby IP addresses.

Enable HTTP Replication check box

Enables stateful failover to copy active HTTP sessions to a standby firewall.

Suspend Configuration Synchronization

(FWSM 2.3 only)

When selected, configurations between the active and standby device are no longer synchronized.

Note You cannot disable this feature using the Security Manager user interface. To disable this feature after enabling it in Security Manager, issue the no failover suspend-config-sync command directly on the device, or by using the FlexConfig feature. For more information on FlexConfigs, see Understanding FlexConfig Policy Objects, page 19-1.

Shared Key
(FWSM 3.x only)

To encrypt and authenticate the communication between failover peers, specify a shared secret in the Shared Key field for the active unit of an Active/Standby failover pair or on the unit that has failover group 1 in the active state of an Active/Active failover pair. The shared key can be from 1 to 63 characters and can be any combination of numbers, letters, or punctuation.


Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If FWSM is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing the failover communication with a failover key if you are using FWSM to terminate VPN tunnels.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Advanced Settings Dialog Box

The Advanced Settings dialog box lets you configure additional failover settings for FWSMs.


Note The following reference table presents all fields that can be presented in the Advanced Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.


Navigation Path

You can access the Advance dialog box by clicking the Settings button on the Failover page. See Failover Page (FWSM) for more information.

Related Topics

Failover Policies

Failover Page (FWSM)

Add Interface MAC Address Dialog Box

Field Reference

Table K-62 Advance Dialog Box 

Element
Description
Interface Policy

Number of failed interfaces

When the number of failed monitored interfaces exceeds this value, the security appliance fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces

When the number of failed monitored interfaces exceeds this percentage, the security appliance fails over.

Failover Poll Time

Unit Failover

The amount of time between hello messages among units. The range is between 1 and 15 seconds, or between 500 and 999 milliseconds if the msec option is checked.

Unit Hold Time

Sets the time during which a unit must receive a hello message on the failover link, or the unit begins the testing process for peer failure. The range is between 3 and 45 seconds. You cannot enter a value that is less than 3 times the Unit Failover value.

Monitored Interface

The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Management IP Address

Active

The IP address of the management interface.

Netmask

The subnet mask for the Active and Standby addresses.

Standby

The management IP address on the standby unit, which must be on the same subnet as the Active IP address. You do not need to identify the Standby address subnet mask.

Failover Groups

Group table

This table lists failover groups on the device, with the following information:

Group Number - Numeric identifier for the group.

Preferred Role - Primary or Secondary.

Preempt Enabled - True or false.

Edit row button

Click this button to edit the selected entry in the Failover Groups table; the Edit Failover Group dialog box opens.


Edit Failover Interface Configuration Dialog Box (FWSM)

Use the Edit Failover Interface Configuration dialog box to configure a failover interface for FWSMs.


Note The failover interface cannot be configured for PPPoE.


Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM).

Related Topics

Failover Policies

Failover Page (FWSM)

Field Reference

Table K-63 Edit Failover Interface Configuration Dialog Box (FWSM) 

Element
Description

Interface Name

Identifies the interface name; not editable.

Active IP Address

Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

Standby IP Address

Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

Monitor this interface for failure

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.


Failover Page (ASA/PIX 7.x)

Use the Failover page to configure basic failover settings for ASAs and PIX 7.x firewalls.

Navigation Path

To access this feature, select an ASA or PIX 7.x firewall device in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Related Topics

Failover Policies

Settings Dialog Box

Add Failover Group Dialog Box

Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Add Interface MAC Address Dialog Box

Bootstrap Configuration for LAN Failover Dialog Box

Field Reference

Table K-64 Failover Page (ASA/PIX 7.x) 

Element
Description

Enable Failover

Specifies whether failover is enabled on this device.

You must configure the logical LAN failover interface and, optionally, the stateful failover interface.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Configuration

Active/Active option

In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.

To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.

Active/Standby option

In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.

When a failover occurs, the standby security appliance becomes the active unit. It assumes the IP and MAC addresses of the previously active unit. Because the other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.

Active/Standby failover is available to security appliances in single mode or multiple mode.

Settings button

Click to display the Settings dialog box. See Settings Dialog Box for more information.

LAN Failover

Interface

Interface you are using for the failover link.

Logical Name

The logical name of the interface on the active firewall device to communicate with standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address

Specifies the IP address of the active interface.

Standby IP Address

Specifies the IP address of the standby interface.

Subnet Mask

Netmask that corresponds with active and standby IP addresses.

Bootstrap button

Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box for more information.

State Failover

Interface

Interface you are using for the stateful failover link.

Logical Name

The logical name of the interface on the active firewall device to communicate with standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address

Specifies the IP address of the active interface.

Standby IP Address

Specifies the IP address of the standby interface.

Subnet Mask

Netmask that corresponds with active and standby IP addresses.

Enable HTTP Replication

When selected, enables stateful failover to copy active HTTP sessions to standby firewall.

Shared Key

Used to encrypt communication between primary and standby devices. Value can be any string.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Settings Dialog Box

The Settings dialog box lets you define criteria for when failover should occur on an ASA or PIX 7.x appliance.

Navigation Path

You can access the Settings dialog box by clicking the Settings button on the Failover page. For more information, see Failover Page (ASA/PIX 7.x).


Note The following reference table presents all fields that can be presented in the Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.


Related Topics

Failover Policies

Failover Page (ASA/PIX 7.x)

Add Failover Group Dialog Box

Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Add Interface MAC Address Dialog Box

Bootstrap Configuration for LAN Failover Dialog Box

Field Reference

Table K-65 Settings Dialog Box 

Element
Description
Interface Policy

Number of failed interfaces

When the number of failed monitored interfaces exceeds this value, the security appliance fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces

When the number of failed monitored interfaces exceeds this percentage, the security appliance fails over.

Failover Poll Time

Unit Failover

The amount of time between hello messages among units. The range is between 1 and 15 seconds, or between 200 and 999 milliseconds if the msec option is checked.

Unit Hold Time

Sets the time during which a unit must receive a hello message on the failover link, or the unit begins the testing process for peer failure. The range is between 3 and 45 seconds, or between 800 and 999 milliseconds if the msec option is checked. You cannot enter a value that is less than three times the Unit Failover value.

Monitored Interface

The amount of time between polls among interfaces. The range is between 3 and 15 seconds, or between 500 and 999 milliseconds if the msec option is checked.

Interface Hold Time

Sets the time during which a data interface must receive a hello message, after which the peer is declared failed. Valid values are from 5 to 75 seconds.

Failover Groups

Group Number

Specifies the failover group number. This number is used when assigning contexts to failover groups.

Preferred Role

Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Preempt Enabled

Specifies whether the unit that is the preferred failover device for this failover group should become the active unit after rebooting.

Preempt Delay

Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy

Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.

Interface Poll Time

Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Replicate HTTP

Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

MAC Address

Identifies the MAC address of the active interface.

MAC Address Mapping

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Monitor Interface Configuration

Interface Name

Displays the name of the interface.

Is Monitored

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

Edit Row button

Click to display the Edit Failover Interface Configuration dialog box to edit a failover interface configuration.

Management IP Address

Active

Specifies the management IP address of the active device.

Netmask

Specifies the netmask that corresponds with the active and standby IP addresses.

Standby

Specifies the management IP address of the standby device.


Add Failover Group Dialog Box

Use the Add Failover Group dialog box to define failover groups for an Active/Active failover configuration.

Navigation Path

You can access the Add Failover Group dialog box from the Failover page. For more information, see Failover Page (ASA/PIX 7.x).

Related Topics

Failover Policies

Failover Page (ASA/PIX 7.x)

Field Reference

Table K-66 Add Failover Group Dialog Box 

Element
Description

Preferred Role

Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

"Preempt after booting with optional delay of"

Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy

Select the failover policy for this interface:

Number of failed interfaces that triggers failover

Percentage of failed interfaces that triggers failover

Use system failover interface policy

Poll time interval for monitored interfaces

Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Enable HTTP Replication

Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

Interface Table

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Add

Click to display the dialog box to define a failover interface association.

Edit

Click to display the dialog box to edit a failover interface association.

Delete

Click to delete the selected failover interface association.


Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Use the Edit Failover Interface Configuration dialog box to define the standby IP address for an interface and to specify whether the status of the interface should be monitored.


Note The failover interface cannot be configured for PPPoE.


Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the Failover page. For more information, see Failover Page (ASA/PIX 7.x).

Related Topics

Failover Policies

Failover Page (ASA/PIX 7.x)

Add Failover Group Dialog Box

Field Reference

Table K-67 Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x) 

Element
Description

Interface Name

Identifies the interface name.

Active IP Address

Identifies the IP address for this interface. This field does not appear if an IP address has not been assigned to the interface.

Standby IP Address

Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

Monitor this interface for failure

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.


Add Interface MAC Address Dialog Box

The Add Interface MAC Address dialog box allows you to define the MAC addresses of interfaces for ASA, FWSM 3.x and PIX 7.x security appliances that are configured for failover.

Related Topics

Failover Policies

Failover Page (ASA/PIX 7.x)

Settings Dialog Box

Field Reference

Table K-68 Add Interface MAC Address Dialog Box 

Element
Description

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

MAC Address

Active Interface

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby Interface

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).


Bootstrap Configuration for LAN Failover Dialog Box

The Bootstrap Configuration for LAN Failover dialog box provides you with bootstrap configuration that can be applied to the primary and secondary devices in a LAN failover configuration.

Navigation Path

You can access the Bootstrap Configuration for LAN Failover dialog box from the Failover page. For more information about the Failover page, see:

Failover Page (PIX 6.x)

Failover Page (FWSM)

Failover Page (ASA/PIX 7.x)

Related Topics

Failover Policies

Failover Page (PIX 6.x)

Failover Page (FWSM)

Failover Page (ASA/PIX 7.x)

Field Reference

Table K-69 Bootstrap Configuration for LAN Failover Dialog Box 

Element
Description

Primary

Contains the bootstrap configuration for the primary device. Open a console connection to the primary device and then paste this configuration to activate failover on the device.

Secondary

Contains the bootstrap configuration for the secondary device. After the primary device becomes active, open a console connection to the secondary device and then paste this configuration to activate failover on the device.



Note For Active/Active Failover, the bootstrap configurations are only applied to the system contexts of the respective failover peer devices.


Hostname Page

You can use the Hostname page to specify a hostname for your firewall device and to set a default domain name. The firewall device uses this domain name when you do not enter the fully-qualified domain name in other commands. It also uses the domain name in RSA key generation.

Navigation Path

To access this feature, select a firewall device in Device View and then select Platform > Device Admin > Hostname from the Device Policy selector.

Related Topics

Configuring Hostname Settings, page 15-49

"PIX/ASA/FWSM Platform User Interface Reference"

Field Reference

Table K-70 Hostname Page 

Element
Description

Host Name

User-defined device name to help you differentiate among devices, for example, PIX-510-A.

Note We recommend that you use a unique hostname for each device you create. The device name can be up to 63 alphanumeric (U.S. English) characters and can include any of the following special characters: ` ( ) + - , . / : =.

Domain Name

Optional field to add domain name. Enter valid Domain Name System (DNS) domain name, for example, cisco.com.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Resources Page

Use the Resources page to view configured classes and information about each class. You can also use the Resources page to add, edit, or delete a class.

Navigation Path

In Device View, select the system context of an FWSM in multiple-context mode, and then select Platform > Device Admin > Resources from the Device Policy selector.

Related Topics

Configuring Resources on Firewall Services Modules, page 15-49

Field Reference

Table K-71 Resources Page 

Element
Description

Class

Shows the class name.

Contexts

Shows the contexts assigned to this class.

Connection Rate

Shows the limit for connections per second.

Fixups

Shows the limit for application inspections per second.

Syslogs

Shows the limit for system log messages per second.

Connections

Shows the limit for TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.

Hosts

Shows the limit for hosts that can connect through the FWSM.

IPsec

Shows the limit for IPsec management sessions, by default 5.

SSH

Shows the limit for SSH sessions, by default 5.

Telnet

Shows the limit for Telnet sessions, by default 5.

Xlates

Shows the limit for address translations.

MAC Addr

Shows the limit for MAC addresses in the MAC address table in transparent firewall mode, by default 65535.

ASDM

Shows the limit for ASDM management sessions (by default 5). ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 80 ASDM sessions represents a limit of 160 HTTPS sessions, divided between all contexts.

All

Shows the limit for all resources that you do not set individually, by default 0, which means unlimited.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Resource Dialog Box

Use the Add/Edit Resource dialog box to add or edit a resource class for a FWSM.

Navigation Path

You can access the Add/Edit Resource dialog box from the Resources page. For more information about the Resources page, see Resources Page.

Related Topics

Resources Page

Field Reference

Table K-72 Add Resource Dialog Box 

Element
Description

Class Name

The class name as a string up to 20 characters long.

Limits Tab

Note If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, the limit is the system limit by default.

TCP or UDP Connections

Sets the limit for concurrent TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 999900.

Note For concurrent connections, the FWSM allocates half of the limit to each of two NPs that accept connections. Typically, the connections are divided evenly between the NPs. However, in some circumstances, the connections are not evenly divided, and you might reach the maximum connection limit on one NP before reaching the maximum on the other. In this case, the maximum connections allowed is less than the limit you set. The NP distribution is controlled by the switch based on an algorithm. You can adjust this algorithm on the switch, or you can adjust the connection limit upward to account for the inequity.

Inspections (Fixups)

Sets the limit for application inspections per second. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 10000.

Syslog Messages

Sets the limit for system log messages per second. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 102400.

Connections

Sets the limit for connections per second. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 and 102400.

Hosts

Sets the limit for concurrent hosts that can connect through the FWSM. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 262144.

IPsec Sessions

Sets the limit for concurrent IPsec sessions. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5. The system has a maximum of 10 sessions divided between all contexts.

SSH Sessions

Sets the limit for SSH sessions. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5. The system has a maximum of 100 sessions divided between all contexts.

Telnet Sessions

Sets the limit for concurrent Telnet sessions. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5. The system has a maximum of 100 sessions divided between all contexts.

NAT Translations

Sets the limit for address translations. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 266144.

MAC Address

(Transparent mode only) Sets the limit for MAC address entries in the MAC address table. You can set the limit as a percentage by entering an integer and then selecting the percent check box. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 65535.

ASDM

Shows the limit for ASDM management sessions (by default 5). ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 80 ASDM sessions represents a limit of 160 HTTPS sessions, divided between all contexts.

You can set the limit as a percentage by entering a value between 3.0 and 15.0 and then selecting the percent check box. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and deselecting the percent check box.

All Resources Limit

Sets the limit for all resources. If you also set the limit for a specific resource, then that limit overrides the limit you set for all resources. You can set the limit as a percentage by entering an integer and then selecting the percent check box, or as unlimited by setting the value to 0. You cannot set any other absolute value. You can assign more than 100 percent if you want to oversubscribe the device.

Contexts Tab

Available Contexts

Shows the contexts available to be assigned.

Selected Contexts

Shows the contexts assigned to this class.


Server Access

Server Access is under Device Admin in the Policy selector. The following topics describe the pages for Server Access:

AUS Page

DHCP Server Page

DHCP Relay Page

DNS Page

DDNS Page

NTP Page

SMTP Server Page

TFTP Server Page

AUS Page

The AUS page lets you configure a firewall device to be managed remotely from a server that supports the Auto Update specification. Auto Update lets you apply configuration changes to the firewall device and receive software updates from a remote location.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > AUS from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > AUS from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click AUS to create a new policy.

Related Topics

Add and Edit Auto Update Server Dialog Boxes

Server Access

Field Reference

Table K-73 AUS Page 

Element
Description

Auto Update Servers table

This table lists currently configured Auto Update servers, presenting the following information for each:

No. - Numeric position of this entry in the list, and order of precedence when contacting AUS servers. Use the Up and Down arrow buttons to change the ordering of the list by moving the selected entry up or down.

Server URL - The URL for this AUS server; produced by concatenating the Protocol://[Username:Password@]IP Address/Path provided in the Add/Edit Auto Update Server dialog box for contacting the server.

User Name - The user name provided for contacting the server (optional).

Interface - The interface to use when sending requests to the Auto Update server.

Verify Certificate - Whether SSL verification of the AUS is required; true or false.

Refer to Add and Edit Auto Update Server Dialog Boxes for information about adding and editing server entries.

Device ID Type

Method used for identifying this device to the AUS server; choose:

Hostname—The host name of this device.

Serial Number—The serial number of this device.

IP Address—The IP address of the specified interface is used: an Interface field appears; enter or Select the desired device interface.

MAC Address—The MAC address of the specified interface is used: an Interface field appears; enter or Select the desired device interface.

User Defined—A unique user-specified ID is used: a User Defined field appears; enter an arbitrary alphanumeric string.

Poll Type

Method defining how often the AUS server is polled for updates. Choose At Specified Frequency or At Scheduled Time. Different ancillary fields are displayed, depending on this choice.

If you choose At Specified Frequency, this field is displayed:

Poll Period - The number of minutes the firewall device waits between polls of the AUS server.

If you choose At Scheduled Time, the following fields are displayed. (This option is available only on ASA/PIX devices running version 7.2 or later.)

Days of the week - Select one or more days on which the device is to poll the AUS server.

Polling Start Time in Hours - The hour at which polling is to begin on the selected days; based on a 24-hour clock.

Polling Start Time in Mins - The minute within the chosen hour when polling is to begin.

Enable Randomization of the Start Time - Select this option to specify a random polling window; the Randomization Window field is enabled.

Randomization Window - The maximum number of minutes the device can use to randomize the specified polling time; valid values are 1 to 1439.

Retry Count

The number of times the device will try to poll the AUS server for new information. Optional; if you enter zero or leave this field blank, the device will not retry after a failed poll attempt.

Retry Period

If Retry Count is not zero or blank, the number of minutes the device will wait to re-poll the AUS server if the previous attempt failed; valid values are 1 to 35791. If Retry Count is not zero or blank and you leave this field blank, the value defaults to five minutes.

Disable Device After

Selecting this option ensures that if no response is received from the AUS server within the specified Timeout period, the security appliance will stop passing traffic.

Timeout

The number of minutes the firewall device will wait to timeout if no response is received from the AUS server.

Save button

Saves your changes to the Cisco Security Manager server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add and Edit Auto Update Server Dialog Boxes

Use the Add Auto Update Server dialog box to configure a new AUS server definition. The security appliance will automatically poll this server for image and configuration updates.


Note With the exception of the title, the Edit Auto Update Server dialog box is identical to the Add Auto Update Server dialog box. The following description applies to both.


Navigation Path

You can access the Add and Edit Auto Update Server dialog boxes from the AUS Page.

Related Topics

AUS Page

Configuring AUS Settings, page 15-50

Field Reference

Table K-74 Add and Edit Auto Update Server Dialog Boxes 

Element
Description

Protocol

The protocol used to communicate with the AUS server; choose http or https.

IP Address

The IP address of the AUS server.

Port

Number of the port on which communications with the AUS server take place. Defaults to 80 if http is chosen as the Protocol, and to 443 if https is chosen. If you enter an arbitrary port number, be sure the AUS server is configured to use the same port.

Path

The path to AUS services on the server. The standard path is autoupdate/AutoUpdateServlet; change this to admin/auto-update only if the AUS server host is an ASA.

AUS Interface

The interface to use when polling the Auto Update server.

Verify Certificate

Select this option to require SSL verification from the AUS server. The certificate returned by the server will be checked against Certification Authority (CA) root certificates. This requires that the AUS Server and this device use the same CA.

Username

The user name to be used for AUS authentication (optional).

Password

The password to be used for AUS authentication (optional).

Confirm

Re-enter the password (optional).


DHCP Relay Page

Use the DHCP Relay page to configure DHCP relay services on a firewall device. For more information, see Configuring DHCP Relay, page 15-51.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > DHCP Relay from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DHCP Relay from the Policy Type selector. Right-click DHCP Relay to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring DHCP Relay, page 15-51

Add and Edit DHCP Relay Agent Configuration Dialog Boxes

Add and Edit DHCP Relay Server Configuration Dialog Boxes

Field Reference

Table K-75 DHCP Relay Page 

Element
Description
DHCP Relay Agent

Interface

Displays the interface for which DHCP relay agent is configured.

DHCP Relay Enabled

Indicates whether the DHCP relay agent is enabled on the interface. This column displays "true" if the DHCP relay agent is enabled or "false" if the DHCP relay agent is not enabled on the interface.

Set Route

Indicates whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. This column displays "true" if the DHCP relay agent is configured to change the default router address to the interface address or "false" if the DHCP relay agent does not modify the default router address.

DHCP Servers

Server

Displays the IP address of the external DHCP server to which DHCP requests are forwarded.

Interface

Displays the interface to which the specified DHCP server is attached.

Timeout (seconds)

Specifies the amount of time, in seconds, allowed for DHCP address negotiation. Valid values range from 1 to 3600 seconds.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add and Edit DHCP Relay Agent Configuration Dialog Boxes

Use the Add DHCP Relay Agent Configuration dialog box to enable and configure the DHCP relay agent for an interface. Use the Edit DHCP Relay Agent Configuration dialog box to update an existing interface relay agent.


Note The Add DHCP Relay Agent Configuration dialog box and the Edit DHCP Relay Agent Configuration dialog box are virtually identical; the following descriptions apply to both.


Navigation Path

You can access the Add and Edit DHCP Relay Agent Configuration dialog boxes from the DHCP Relay page. For more information about the DHCP Relay page, see DHCP Relay Page.

Related Topics

Configuring DHCP Relay, page 15-51

Server Access

DHCP Relay Page

Add and Edit DHCP Relay Server Configuration Dialog Boxes

Field Reference

Table K-76 Add and Edit DHCP Relay Agent Configuration Dialog Boxes 

Element
Description

Interface

Interface on which you want to enable the DHCP relay agent.

Enable DHCP Relay

If selected, the DHCP relay agent is enabled on the selected interface.

Set Route

Specifies whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. When this option is selected, the DHCP relay agent substitutes the address of the selected interface for the default router address in the information returned from the DHCP server.


Add and Edit DHCP Relay Server Configuration Dialog Boxes

Use the Add DHCP Relay Server Configuration dialog box to define a new DHCP relay server; use the Edit DHCP Relay Server Configuration dialog box to update existing server information. You can define up to four DHCP relay servers.


Note The Add DHCP Relay Server Configuration dialog box and the Edit DHCP Relay Server Configuration dialog box are virtually identical; the following descriptions apply to both.


Navigation Path

You can access the Add and Edit DHCP Relay Server Configuration dialog boxes from the DHCP Relay page. For more information about the DHCP Relay page, see DHCP Relay Page.

Related Topics

Configuring DHCP Relay, page 15-51

Server Access

DHCP Relay Page

Add and Edit DHCP Relay Agent Configuration Dialog Boxes

Field Reference

Table K-77 Add and Edit DHCP Relay Server Configuration Dialog Boxes 

Element
Description

Server

Enter or Select the IP address of the external DHCP server to which DHCP requests are forwarded.

Interface

Enter or Select the interface through which DHCP requests are forwarded to the external DHCP server.


DHCP Server Page

Use the DHCP Server page to configure global DHCP server and dynamic DNS (DDNS) updating options for the selected device, to set up a DHCP server on one or more device interfaces, as to configure advanced server options.

For more information about DHCP servers, see Configuring DHCP Servers, page 15-52.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > DHCP Server from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DHCP Server from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click DHCP Server to create a new policy.

Related Topics

Configuring DHCP Servers, page 15-52

Server Access

Add/Edit DHCP Server Interface Configuration Dialog Boxes

Add/Edit DHCP Server Advanced Configuration Dialog Box

Field Reference

Table K-78 DHCP Server Page 

Element
Description

Ping Timeout

Specifies the amount of time, in milliseconds, that the firewall device waits to time out a DHCP ping attempt. To avoid address conflicts, firewall devices send two ICMP ping packets to an address before assigning that address to a DHCP client. Valid values range from 10 to 10000 milliseconds.

Lease Length

Specifies the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).

Enable auto-configuration

Select this option to enable DHCP auto configuration.

DHCP auto configuration causes the DHCP server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If any of the information obtained through auto configuration is also specified manually in the Override settings from DHCP client area, the manually specified information takes precedence over the discovered information.

Interface

If Enable auto-configuration is checked, this field is available. Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters.

Define settings

Domain Name (Optional)

Specifies the DNS domain name for DHCP clients. Enter a valid DNS domain name; for example, example.com.

Primary DNS Server (Optional)

Specifies the IP address of the primary DNS server for a DHCP client.

Secondary DNS Server (Optional)

Specifies the IP address of the alternate DNS server for a DHCP client.

Primary WINS Server (Optional)

Specifies the IP address of the primary WINS server for a DHCP client.

Secondary WINS Server (Optional)

Specifies the IP address of the alternate WINS server for a DHCP client.

Dynamic DNS Update

Enable Dynamic DNS Update

Select this option to define global DDNS update options:

Select the type of resource-record updating: PTR Record only, or A Record and PTR Record.

You also can select Override DHCP Client Request. If selected, DHCP server updates override any updates requested by DHCP clients.

Available only on ASA/PIX 7.2 and higher.

DHCP Server Interface Configuration table

Interface table

This table lists device interfaces on which a DHCP server, DDNS updating, or both are configured:

Interface - An interface on which a DHCP server or DDNS update is configured.

DHCP Address Pool - Identifies the pool of addresses from which the DHCP server can assign an IP address for the specified interface.

Enable DHCP Server - Indicates whether a DHCP server is enabled on the interface; true or false.

Dynamic DNS Update - Indicates whether a DDNS update is enabled on the interface; true or false.

Add button

Opens the Add DHCP Server Interface Configuration dialog box; used to define a DHCP server, DDNS updating, or both on a specific interface. Refer to Add/Edit DHCP Server Interface Configuration Dialog Boxes for more information.

Edit button

Opens the Edit DHCP Server Interface Configuration dialog box; used to update DHCP server configuration, DDNS updating, or both on the selected interface. Refer to Add/Edit DHCP Server Interface Configuration Dialog Boxes for more information.

Delete button

Deletes the selected entry in the DHCP Server Interface Configuration table. A confirmation dialog box may appear; click OK to delete the entry.

Advanced Options

Advanced button

Click to display the Add/Edit DHCP Server Advanced Configuration dialog box. See Add/Edit DHCP Server Advanced Configuration Dialog Box for more information.


Add/Edit DHCP Server Interface Configuration Dialog Boxes

Use the Add DHCP Server Interface Configuration and Edit DHCP Server Interface Configuration dialog boxes to enable DHCP and specify a DHCP address pool for the specified interface, and to enable dynamic DNS (DDNS) updating on the interface.


Note Other than the titles, the two dialog boxes are identical.


Navigation Path

You can access the Add DHCP Server Interface Configuration and Edit DHCP Server Interface Configuration dialog boxes from the DHCP Server page. For more information about the DHCP Server page, see DHCP Server Page.

Related Topics

Configuring DHCP Servers, page 15-52

Server Access

DHCP Server Page

Add/Edit DHCP Server Advanced Configuration Dialog Box

Add/Edit DHCP Server Option Dialog Box

Field Reference

Table K-79 Add/Edit DHCP Server Interface Configuration Dialog Box 

Element
Description

Interface

Identifies the interface on which you are configuring a DHCP server. Enter an interface name, or select an interface object.

DHCP Address Pool

Enter the beginning and ending addresses, separated by a hyphen, for the range of IP addresses that the DHCP server will use when assigning IP addresses.

Enable DHCP Server

Select this option to enable a DHCP server on this interface.

Enable Dynamic DNS Update

Select this option to enable DDNS updating by this DHCP server. Select the record(s) to be updated:

PTR Record

A Record and PTR Record

You also can select Override DHCP Client Request. If selected, DHCP server updates override any updates requested by DHCP clients.


Add/Edit DHCP Server Advanced Configuration Dialog Box

The Add/Edit DHCP Server Advanced Configuration dialog box lets you manage DHCP options configured for the DHCP server. These options provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.

Navigation Path

You can access the Add/Edit DHCP Server Advanced Configuration dialog box by clicking the Advanced button on the DHCP Server page. For more information about the DHCP Server page, see DHCP Server Page.

Related Topics

Configuring DHCP Servers, page 15-52

Server Access

DHCP Server Page

Add/Edit DHCP Server Interface Configuration Dialog Boxes

Add/Edit DHCP Server Option Dialog Box

Field Reference

Table K-80 Add/Edit DHCP Server Advanced Configuration Dialog Box 

Element
Description

Options table

This table lists configured DHCP server options:

Option Code - The numeric code representing the configured option. All DHCP options (options 1 through 255) are supported except 1, 12, 50-54, 58-59, 61, 67, and 82.

Type - The type of information the option returns to the DHCP client: IP, ASCII, or HEX.

Data - The information provided for the chosen Type: one or two IP addresses, an ASCII string, or a hexadecimal string.

Add button

Opens the Add DHCP Server Option dialog box; used to define a new DHCP server option. See Add/Edit DHCP Server Option Dialog Box for more information.

Edit button

Opens the Edit DHCP Server Option dialog box; used to update the selected DHCP server option. See Add/Edit DHCP Server Option Dialog Box for more information.

Delete button

Deletes the selected entry in the Options table. A confirmation dialog box may appear; click OK to delete the entry.


Add/Edit DHCP Server Option Dialog Box

The Add and Edit DHCP Server Option dialog boxes let you configure DHCP server option parameters. You use DHCP options to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.

Navigation Path

You can access the Add and Edit DHCP Server Option dialog boxes from the Add/Edit DHCP Server Advanced Configuration Dialog Box.

Related Topics

Configuring DHCP Servers, page 15-52

DHCP Server Page

Add/Edit DHCP Server Interface Configuration Dialog Boxes

Add/Edit DHCP Server Advanced Configuration Dialog Box

Field Reference

Table K-81 Add/Edit DHCP Server Option Dialog Box 

Element
Description

Option Code

Choose an option from the list of available option codes. All DHCP options (options 1 through 255) are supported except 1, 12, 50-54, 58-59, 61, 67, and 82.

Type

Choose the type of information the option returns to the DHCP client:

IP - Choosing this type specifies that an IP address is returned to the DHCP client. You can provide up to two IP addresses.

ASCII - Choosing this type specifies that an ASCII value is returned to the DHCP client. Provide the ASCII character string, which cannot include spaces.

HEX - Choosing this type specifies that an hexadecimal value is returned to the DHCP client. Provide the HEX string with an even number of digits and no spaces; you do not need to use a 0x prefix.


DNS Page

The DNS page lets you specify one or more DNS servers for a firewall device so it can resolve server names to IP addresses in your WebVPN configuration or certificate configuration. Other features that define server names (such as AAA) do not support DNS resolution.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > DNS from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DNS from the Policy Type selector. Right-click DNS to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add DNS Server Group Dialog Box

Add DNS Server Dialog Box

Edit Interfaces Dialog Box

Field Reference

Table K-82 DNS Page 

Element
Description
DNS Server Groups

Name

The name of the DNS server group.

Servers

Lists the DNS servers to use for resolving server names in commands. You can specify up to six DNS servers. The firewall device tries each DNS server in order until it receives a response.

Timeout

Specifies the number of seconds, from 1 to 30, to wait before trying the next DNS server. The default is 2 seconds. Each time the firewall device retries the list of servers, this timeout doubles.

Retries

Specifies the number of times, from 0 to 10, to retry the list of DNS servers when the firewall device does not receive a response.

Domain

Specifies the DNS domain name for the server. Enter a valid DNS domain name; for example, example.com.

DNS Lookup Interfaces

Lists the interfaces on which you want to enable DNS lookup.

Enable DNS Guard (ASA/PIX 7.0(5) only)

Select this check box to enable DNS Guard for the selected device or shared policy. DNS guard tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

This command is effective only on interfaces for which DNS inspection is disabled. When DNS inspection is enabled, the DNS guard function is always performed.

Note In releases prior to 7.0(5), the DNS guard functions are always enabled regardless of the configuration of DNS inspection.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add DNS Server Group Dialog Box

Use the Add DNS Server Group dialog box to define the DNS servers and settings for a DNS server group.

Navigation Path

You can access the Add DNS Server Group dialog box from the DNS page. For more information about the DNS page, see DNS Page.

Related Topics

DNS Page

Add DNS Server Dialog Box

Field Reference

Table K-83 Add DNS Server Group Dialog Box 

Element
Description

Name

The name of the DNS server group.

DNS Servers

Lists the DNS servers to use for resolving server names in commands. You can specify up to six DNS servers. The firewall device tries each DNS server in order until it receives a response.

Timeout

Specifies the number of seconds, from 1 to 30, to wait before trying the next DNS server. The default is 2 seconds. Each time the firewall device retries the list of servers, this timeout doubles.

Retries

Specifies the number of times, from 0 to 10, to retry the list of DNS servers when the firewall device does not receive a response.

Domain Name

Specifies the DNS domain name for the server. Enter a valid DNS domain name; for example example.com.


Add DNS Server Dialog Box

Use the Add DNS Server dialog box to define DNS servers.

Navigation Path

You can access the Add DNS Server dialog box from the Add DNS Server Group dialog box. For more information about the Add DNS Server Group dialog box, see Add DNS Server Group Dialog Box.

Related Topics

DNS Page

Add DNS Server Group Dialog Box

Field Reference

Table K-84 Add DNS Server Dialog Box 

Element
Description

DNS Server

Enter the IP address or the object name of the DNS server. When you click OK, the DNS server is added to the DNS Servers list.

Select

Click to select the DNS server from a list of host objects.


Edit Interfaces Dialog Box

Use the Edit Interfaces dialog box to specify the interfaces on which you want DNS lookup enabled.

Navigation Path

You can access the Edit Interfaces dialog box from the DNS page. For more information about the DNS page, see DNS Page.

Related Topics

DNS Page

Field Reference

Table K-85 Edit Interfaces Dialog Box 

Element
Description

Interfaces

Enter the names of the interfaces, separated by commas, on which you want to enable DNS lookup. When you click OK, the interfaces are added to the DNS Lookup Interfaces list.

Select

Click to select the interfaces on which you want to enable DNS lookup from a list of interface objects.


DDNS Page

Beginning with the version 7.2(3), security appliances can generate dynamic DNS (DDNS) updates, as hosts acquire IP addresses. The DDNS page is where you configure this feature.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > DDNS from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DDNS from the Policy Type selector. Right-click DDNS to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit DDNS Interface Rule Dialog Box

Configuring DDNS, page 15-55

Field Reference

Table K-86 DDNS Page 

Element
Description

Dynamic DNS Interface Settings

This table lists currently defined DDNS interface-update rules, presenting the following information for each:

Interface - The name of the interface to which this update method is assigned.

Method Name - The name assigned to this update method.

Hostname - The name or IP address of the DDNS client.

Update DHCP - The setting on the interface for DHCP client update requests; specifies whether the DHCP server updates the PTR resource record, both the A and PTR records, or neither.

DHCP Client requests DHCP Server to update records

The global setting on the appliance for DHCP client update requests. This option enables the client to send DDNS updates via the DHCP server, and specifies what is updated: the PTR resource record, both the A and PTR resource records, or neither. Choose Not Selected, Only PTR Record, Both A and PTR Record, or No Update.

DHCP Client ID Interface

Specify an interface on the appliance for global DHCP client update requests: enter an interface name or IP address, or Select an interface object.

Enable DHCP Client Broadcast

Select this option to allow DHCP clients on the device to broadcast DDNS updates.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit DDNS Interface Rule Dialog Box

Use the Add/Edit DDNS Interface Rule dialog box to manage rules for dynamic DNS updates. These rules are defined on a per-interface basis.

Navigation Path

You access the Add/Edit DDNS Interface Rule dialog box from the DDNS page. For more information about the DDNS page, see DDNS Page.

Related Topics

DDNS Page

DDNS Update Methods Dialog Box

Field Reference

Table K-87 Add/Edit DDNS Interface Rule Dialog Box 

Element
Description

Interface

Enter the name of the interface on which DDNS is to be configured. You also can Select the interface from a list of interface objects.

Method Name

Choose a previously defined method for DDNS update, or choose Add/Edit Update Method to define a new method. The DDNS Update Methods dialog box opens; refer to DDNS Update Methods Dialog Box for more information.

Hostname

The name of a DDNS server host to which updates will be sent.

DHCP Client requests DHCP Server to update records

Choose Not Selected, Only PTR Record, Both A and PTR Record, or No Update.


DDNS Update Methods Dialog Box

Use the DDNS Update Methods dialog box to define and manage methods for dynamic DNS updates. Each defined method specifies an update interval and the resource record(s) to be updated.

Navigation Path

You access the DDNS Update Methods dialog box by choosing Add/Edit Update Method from the Method Name drop-down list in the Add/Edit DDNS Interface Rule Dialog Box.

Related Topics

DDNS Page

Add/Edit DDNS Interface Rule Dialog Box

Add/Edit DDNS Update Methods Dialog Box

Field Reference

Table K-88 DDNS Update Methods Dialog Box 

Element
Description

Update Methods

This table lists the currently defined update methods. Each entry includes the Method Name, update Interval, and specified type of DNS server record update.

Add Row button

Opens the Add/Edit DDNS Update Methods Dialog Box, letting you define a new update method.

Edit Row button

Opens the Add/Edit DDNS Update Methods Dialog Box, letting you edit the method currently selected in the Update Methods table.

Delete Row button

Deletes the update method currently selected in the Update Methods table; confirmation may be required.


Add/Edit DDNS Update Methods Dialog Box

Use the Add/Edit DDNS Update Methods dialog box to define or edit a DDNS update method; these are listed in the DDNS Update Methods Dialog Box.

Navigation Path

You access the Add/Edit DDNS Update Methods dialog box by clicking the Add Row button or the Edit Row button in the DDNS Update Methods Dialog Box.

Related Topics

DDNS Page

Add/Edit DDNS Interface Rule Dialog Box

DDNS Update Methods Dialog Box

Field Reference

Table K-89 Add/Edit DDNS Update Methods Dialog Box 

Element
Description

Method Name

Provide an identifier for the method.

Update Interval

Specify how often records are to be updated for this method: provide a number of days, hours, minutes, and seconds.

Update Records

Specify the resource record(s) to be updated: select Not Defined, A Records, or Both A and PTR Records.


NTP Page

Use the NTP page to define NTP servers to dynamically set the time on a firewall device.


Note Time derived from an NTP server overrides any time set manually in the Clock panel.


Navigation Path

(Device view) Select Platform > Device Admin > Server Access > NTP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > NTP from the Policy Type selector. Right-click NTP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring NTP Settings, page 15-56

Server Access

NTP Server Configuration Dialog Box

Field Reference

Table K-90 NTP Page 

Element
Description

Enable NTP Authentication

Enables or disables authentication with an NTP server. NTP is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations, such as validating Certificate Revocation Lists (CRLs).

If you enable authentication, the security appliance only communicates with an NTP server if it uses the correct trusted key in the packets. The security appliance also uses an authentication key to synchronize with the NTP server.

NTP Server Table

IP Address

Specifies the IP address of the NTP server.

Interface

Identifies the interface from which the firewall gets NTP packets.

Preferred

Displays Yes if the selected server is preferred, and No if it is not preferred. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, this option specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred. We recommend that you configure an NTP server as preferred only when multiple servers have the same stratum.

Key Number

Specifies the authentication key number, a value from 1 to 4294967295.

Trusted

Specifies if the authentication key is trusted. A trusted key is similar to a password used to authenticate an NTP server.


NTP Server Configuration Dialog Box

Use the NTP Server Configuration dialog box to add or edit an NTP server.

Navigation Path

You can access the NTP Server Configuration dialog box from the NTP page. For more information about the NTP page, see NTP Page.

Related Topics

Configuring NTP Settings, page 15-56

Server Access

NTP Page

Field Reference

Table K-91 NTP Server Configuration Dialog Box 

Element
Description

IP Address

Enter the IP address of the NTP server. You can click Select to select the IP address from a list of IP address objects.

Preferred

Sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then this option specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred. We recommend that you configure an NTP server as preferred only when multiple servers have the same stratum.

Interface

Specify the outgoing interface for NTP packets. You can click Select to select the interface from a list of interface objects.

Authentication Key

Key Number

Sets the key ID for this authentication key. The NTP server packets must also use this key ID. If you previously configured a key ID for another server, you can select it in the list; otherwise, type a number between 1 and 4294967295.

Trusted

Specify whether the NTP server is trusted.

Key Value

Enter the key value, an arbitrary string of up to 32 characters.

Confirm

Re-enter the key value.


SMTP Server Page

Use the SMTP Server page to specify the IP address of an SMTP server and optionally, the IP address of a backup server.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > SMTP Server from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > SMTP Server from the Policy Type selector. Right-click SMTP Server to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring SMTP Servers, page 15-57

Field Reference

Table K-92 SMTP Server Page 

Element
Description

Primary Server IP Address

The IP address of the SMTP server.

Secondary Server IP Address

The IP address of a secondary SMTP server.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


TFTP Server Page

TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. You can use the TFTP Server page to configure a firewall device to propagate its configuration files to a server using the Trivial File Transfer Protocol (TFTP). Only one server is supported.

Navigation Path

(Device view) Select Platform > Device Admin > Server Access > TFTP Server from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > TFTP Server from the Policy Type selector. Right-click TFTP Server to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring TFTP Servers, page 15-58

Field Reference

Table K-93 TFTP Server Page 

Element
Description

Interface

Name of interface on which the TFTP server resides.

IP Address

IP address of the TFTP server.

Directory

TFTP server path, beginning with "/" and ending in the filename, to which the configuration files will be written.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


User Accounts Page

Use the User Accounts page to manage the local user database. For more information, see Configuring User Accounts, page 15-58.

Navigation Path

(Device view) Select Platform > Device Admin > User Accounts from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > User Accounts from the Policy Type selector. Right-click User Accounts to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring User Accounts, page 15-58

"PIX/ASA/FWSM Platform User Interface Reference"

Add/Edit User Account Dialog Box

Field Reference

Table K-94 User Accounts Page 

Element
Description

Username

Specifies the username to which these parameters apply.

Privilege Level

Specifies the privilege level assigned to the user. The privilege level is used with local command authorization. The range is 0 (lowest) to 15 (highest). The default privilege level is 2.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit User Account Dialog Box

Use the Add/Edit User Account dialog box to add a user account or to modify an existing user account.

Navigation Path

You can access the Add/Edit User Account dialog box from the User Accounts page. For more information about the User Accounts page, see User Accounts Page.

Related Topics

Configuring User Accounts, page 15-58

User Accounts Page

Field Reference

Table K-95 Add/Edit User Account Dialog Box 

Element
Description

Username

Enter the username for this account.

Password

Enter the unique password for this user. The minimum password length is four characters. The maximum is 32 characters. Entries are case-sensitive. The field displays only asterisks.

Note To protect security, we recommend a password length of at least eight characters.

Confirm

Re-enter the user password to verify it. The field displays only asterisks.

Privilege Level

Selects the privilege level for this user to use with local command authorization. The range is 0 (lowest) to 15 (highest). The default privilege level is 2.


Logging Policies

The Logging feature lets you enable and manage NetFlow "collectors," and enable logging, set up logging parameters, configure event lists (syslog filters), apply the filters to a destination, set up syslogs, configure syslog servers, and specify e-mail notification parameters.

After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (of a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for the syslogs to be sent. Finally, the Syslog and E-Mail pages configure syslog and e-mail setup.

The Logging section consists of the following pages:

NetFlow Page

Syslog

E-Mail Setup Page

Event Lists Page

Logging Filters Page

Logging Setup Page

Rate Limit Page

Server Setup Page

Syslog Servers Page

NetFlow Page

A device configured for NetFlow data export captures flow-based traffic statistics on the device. This information is periodically transmitted from the device to a NetFlow collection server, in the form of User Datagram Protocol (UDP) datagrams.

The NetFlow page lets you enable NetFlow export on the selected device, and define and manage NetFlow "collectors" to which collected flow information is transmitted.


Note NetFlow data export is available only the ASA 5580.


Navigation Path

(Device view) Select Platform > Logging > NetFlow from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click NetFlow to create a policy.

Related Topics

Add and Edit Collector Dialog Boxes (NetFlow)

Configuring NetFlow, page 15-60

Field Reference

Table K-96 NetFlow Page 

Element
Description

Enable Flow Export

If checked, NetFlow data export is enabled.

Template Export Interval

Interval (in minutes) at which flow information is sent to the collectors. Can be from one to 3600 minutes; default is 30.

Collectors table

Displays defined NetFlow collectors.

Filter - Filters the information displayed in the Collectors table. Click the arrow before the Filter label to hide or display the filtering bar, which lets you set filtering parameters. See Filtering Tables, page 3-17 for more information about filtering the table.

Interface - Name of the device interface through which the collector is contacted.

Collector - IP address or network name of the server to which NetFlow packets will be sent.

UDP Port - UDP port on the specified Collector to which the NetFlow packets will be sent.

Add button

Opens the Add Collector dialog box to let you define a new NetFlow collector. See Add and Edit Collector Dialog Boxes (NetFlow) for more information.

Edit button

Opens the Edit Collector dialog box to let you edit the selected collector definition. See Add and Edit Collector Dialog Boxes (NetFlow) for more information.

Delete button

Deletes the selected collector definition.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add and Edit Collector Dialog Boxes (NetFlow)

Use the Add Collector dialog box to define a new NetFlow "collector."


Note With the exception of the title, the Edit Collector dialog box is identical to the Add Collector dialog box. The following description applies to both.


Navigation Path

You can access the Add and Edit Collector dialog boxes from the NetFlow Page.

Related Topics

NetFlow Page

Configuring NetFlow, page 15-60

Field Reference

Table K-97 Add and Edit Collector Dialog Boxes 

Element
Description

Interface

The Name of the device interface through which the collector is contacted.

Collector

The IP address or network name of the server to which NetFlow packets will be sent.

UDP Port

UDP port on the specified Collector to which the NetFlow packets will be sent. Values can range from 1 to 65535; default is 2055.


E-Mail Setup Page

The E-Mail Setup page lets you set up a source e-mail address as well as a list of recipients for specified syslogs to be sent as e-mails. You can filter the syslogs sent to a destination e-mail address by severity. The table shows which entries have been set up.

The syslog severity filter used for the destination e-mail address will be the higher of the severity selected in this section and the global filter set for all e-mail recipients in the Logging Filters page.

Navigation Path

(Device view) Select Platform > Logging > Syslog > E-Mail Setup from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > E-Mail Setup from the Policy Type selector. Right-click E-Mail Setup to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Logging Policies

Add/Edit Email Recipient Dialog Box

Field Reference

Table K-98 E-Mail Setup Page 

Element
Description

Source Email Address

Specifies the e-mail address that will be used as the source address when syslogs are sent as e-mails.

Destination Email Address column

Specifies the e-mail address of the recipient of the syslog message.

Syslog Severity column

Specifies the severity of the syslogs sent to this recipient.


Add/Edit Email Recipient Dialog Box

The Add/Edit E-Mail Recipient dialog box lets you set up a destination e-mail address for a particular severity of syslog messages to be sent.

The syslog severity filter used for the destination e-mail address will be the higher of the severity selected in this section and the global filter set for all e-mail recipients in the Logging Filters page.

Navigation Path

You can access the Add/Edit E-Mail Recipient dialog box from the E-Mail Setup page. For more information about the E-Mail Setup page, see E-Mail Setup Page.

Related Topics

Logging Policies

E-Mail Setup Page

Field Reference

Table K-99 Add/Edit Email Recipient Dialog Box 

Element
Description

Destination Email Address

Enter the e-mail address of the recipient of the syslog message.

Syslog Severity list

Select the severity of the syslogs to be sent to this recipient.


Event Lists Page

The Event Lists page lets you define a set of syslogs to filter for logging. After you enable logging and set up the logging parameters using the Logging Setup page, the Event Lists page lets you configure filters (of a set of syslogs) which can be sent to a logging destination. The Logging Filters page lets you specify a logging destination for event lists.

You can use three criteria to define an event list:

Class

Severity

Message ID

The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all the syslog messages that are related to user authentication.

Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.

The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.

Navigation Path

(Device view) Select Platform > Logging > Syslog > Event Lists from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Event Lists from the Policy Type selector. Right-click Event Lists to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Logging Policies

Add/Edit Event List Dialog Box

Field Reference

Table K-100 Event Lists Page 

Element
Description

Name column

Lists the name of the event list.

Event Class/Severity column

Lists the event class or logging severity level associated with the event list. Event classes are described in Table K-101. Severity levels are described in Table K-112.

Message IDs column

Lists a syslog message ID or range of syslog message IDs to include in the filter. For example, 101001-101010.


Message Classes and Associated Message ID Numbers

Table K-101 lists the message classes and the range of message IDs in each class.

Table K-101 Message Classes and Associated Message ID Numbers 

Class
Definition
Message ID Numbers

auth

User Authentication

109, 113

bridge

Transparent Firewall

110, 220

ca

PKI Certification Authority

717

config

Command interface

111, 112, 208, 308

e-mail

E-mail Proxy

719

ha

Failover (High Availability)

101, 102, 103, 104, 210, 311, 709

ids

Intrusion Detection System

400, 401, 415

ip

IP Stack

209, 215, 313, 317, 408

np

Network Processor

319

ospf

OSPF Routing

318, 409, 503, 613

rip

RIP Routing

107, 312

rm

Resource Manager

321

session

User Session

106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710

snmp

SNMP

212

sys

System

199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615,701, 711

vpdn

PPTP and L2TP Sessions

213, 403, 603

vpn

IKE and IPsec

316, 320, 402, 404, 501, 602, 702, 713, 714, 715

vpnc

VPN Client

611

vpnfo

VPN Failover

720

vpnlb

VPN Load Balancing

718

webvpn

Web-based VPN

716


Add/Edit Event List Dialog Box

The Add/Edit Event List dialog box lets you create or edit an event list and specify which syslogs to include in the event list filter.

You can use three criteria to define an event list:

Class

Severity

Message ID

The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all syslog messages that are related to user authentication.

Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.

The message ID is a numeric value that uniquely identifies each message. You can use the message ID in an event list to identify a range of syslog messages, such as 101001-101010.

Navigation Path

You can access the Add/Edit Event List dialog box from the Event Lists page. For more information about the Event Lists page, see Event Lists Page.

Related Topics

Logging Policies

Event Lists Page

Field Reference

Table K-102 Add/Edit Event List Dialog Box 

Element
Description

Event List Name

A logical name that uniquely identifies this event list.

Event Class/Severity Filters table

This table organizes the event classes and severity levels that comprise the event list.

Message ID Filters table

This table organizes the message IDs that comprise the event list.


Add/Edit Syslog Class Dialog Box

The Add/Edit Syslog Class dialog box lets you specify the event class and the severity level to include in the event list filter.

The class associates related syslog messages so you do not have to select the syslogs individually. For example, the auth class lets you select all the syslog messages that are related to user authentication.

Severity defines syslogs based on the relative importance of the event in the normal functioning of the network. The highest severity is Emergency, which means the resource is no longer available. The lowest severity is Debugging, which provides detailed information about every network event.

Navigation Path

You can access the Add/Edit Syslog Class dialog box from the Add/Edit Event List dialog box. For more information about the Add/Edit Event List dialog box, see Add/Edit Event List Dialog Box.

Related Topics

Logging Policies

Event Lists Page

Add/Edit Event List Dialog Box

Field Reference

Table K-103 Add/Edit Syslog Class Dialog Box 

Element
Description

Event Class list

Specifies the event class. Event classes are described in Table K-101.

Severity list

Specifies the level of logging messages. Severity levels are described in Table K-112.


Add/Edit Syslog Message ID Filter Dialog Box

The Add/Edit Syslog Message ID Filter dialog box lets you specify the syslog message IDs to include in the event list filter.

Navigation Path

You can access the Add/Edit Syslog Message ID Filter dialog box from the Add/Edit Event List dialog box. For more information about the Add/Edit Event List dialog box, see Add/Edit Event List Dialog Box.

Related Topics

Logging Policies

Event Lists Page

Add/Edit Event List Dialog Box

Field Reference

Table K-104 Add/Edit Message ID Filter Dialog Box 

Element
Description

Message IDs

Specifies the syslog message ID or range of IDs. Use a hyphen to specify a range. For example, 101001-101010.


Logging Filters Page

The Logging Filters page lets you configure a logging destination for event lists (syslog filters) that have been configured using the Event Lists page, or for only the syslogs that you specify using the Edit Logging Filters dialog box. Syslogs from specific or all event classes can be selected using the Edit Logging Filters dialog box.

Navigation Path

(Device view) Select Platform > Logging > Syslog > Logging Filters from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Filters from the Policy Type selector. Right-click Logging Filters to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Logging Policies

Edit Logging Filters Dialog Box

Field Reference

Table K-105 Logging Filters Page 

Element
Description

Logging Destination

Lists the name of the logging destination to which messages matching this filter are sent. Logging destinations are as follows:

Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance.

Console. Messages matching this filter are published to any console port connections.

Telnet Sessions. Messages matching this filter are published to any Telnet sessions connected to the security appliance.

Syslog Servers. Messages matching this filter are published to any syslog servers specified on the Platform > Logging > Syslog Servers page.

E-Mail. Messages matching this filter are published to any recipients specified on the Platform > Logging > E-mail Setup (PIX7.0/ASA Only) page.

SNMP Trap. Messages matching this filter are published to any SNMP management stations specified on the Platform > Device Admin > Device Access > SNMP page.

ASDM. Messages matching this filter are published to any ASDM sessions.

Syslogs From All Event Classes

Lists the severity on which to filter, the event list to use, or whether logging is disabled from all event classes. Event classes are described in Table K-101.

Syslogs From Specific Event Classes

Lists event class and severity set up as the filter. Event classes are described in Table K-101. Severity levels are described in Table K-112.


Edit Logging Filters Dialog Box

The Edit Logging Filters dialog box lets you edit filters for a logging destination. Syslogs can be configured from all or specific event classes, or disabled for a specific logging destination.

Navigation Path

You can access the Edit Logging Filters dialog box from the Logging Filters page. For more information about the Logging Filters page, see Logging Filters Page.

Related Topics

Logging Policies

Logging Filters Page

Field Reference

Table K-106 Edit Logging Filters Dialog Box 

Element
Description

Logging Destination list

Specifies the logging destination for this filter:

Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance.

Console. Messages matching this filter are published to any console port connections.

Telnet Sessions. Messages matching this filter are published to any Telnet sessions connected to the security appliance.

Syslog Servers. Messages matching this filter are published to any syslog servers specified on the Platform > Logging > Syslog Servers page.

E-Mail. Messages matching this filter are published to any recipients specified on the Platform > Logging > E-mail Setup (PIX7.0/ASA Only) page.

SNMP Trap. Messages matching this filter are published to any SNMP management stations specified on the Platform > Device Admin > Device Access > SNMP page.

ASDM. Messages matching this filter are published to any ASDM sessions.

Syslog from All Event Classes

Filter on severity option

Filters on the severity of the logging messages.

Filter on severity list

Specifies the level of logging messages on which to filter.

Use event list option

Specifies to use an event list.

Use event list

Specifies the event list to use. Event lists are defined on the Event Lists Page.

Disable logging option

Disables all logging to the selected destination.

Syslog from Specific Event Classes (PIX7.0)

Event Class

Specifies the event class and severity. Event classes include one or all available items. Event classes are described in Table K-101.

Severity

Specifies the level of logging messages. Severity levels are described in Table K-112.


Logging Setup Page

The Logging Setup panel lets you enable system logging on the security appliance and configure other logging parameters.

Navigation Path

(Device view) Select Platform > Logging > Syslog > Logging Setup from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Logging Setup from the Policy Type selector. Right-click Logging Setup to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Logging Policies

Field Reference

Table K-107 Logging Setup Page 

Element
Description

Enable Logging

Turns on logging for the main security appliance.

Enable Logging on the Failover Standby Unit

Turns on logging for the standby security appliance, if available.

Send syslogs in EMBLEM format (PIX7.0)

Enables EMBLEM format logging for every logging destination.

Note This setting is not compatible with Cisco Security MARS.

Send debug messages as syslogs (PIX7.0)

Redirects all the debug trace output to the syslog. The syslog message does not appear in the console if this option is enabled. Therefore, to see debug messages, you must enable logging at the console and configure it as the destination for the debug syslog message number and logging level. The syslog message number used is 711011. Default logging level for this syslog is debug.

Memory Size of Internal Buffer (bytes)

Specifies the size of the internal buffer to which syslogs is saved if the logging buffer is enabled. When the buffer fills up, it is overwritten. The default is 4096 bytes. The range is 4096 to 1048576.

Specify FTP Server Information (PIX7.0)

FTP Server Buffer Wrap

To save the buffer contents to the FTP server before it is overwritten, select this check box. To remove the FTP configuration, uncheck this box.

IP Address

Identifies the IP address of the FTP server.

User Name

Specifies the username to use when connecting to the FTP server.

Path

Specifies the path, relative to the FTP root, where the buffer contents should be saves.

Password/Confirm

Specifies the password used to authenticate the username to the FTP server.

Specify flash size

Flash

To save the buffer contents to the Flash before it is overwritten, select this check box. This option is only available in routed or transparent single mode.

Maximum flash to be used by logging (KB)

Specifies the maximum space to be used in the Flash for logging (in KB). This option is available only in routed or transparent single mode.

Minimum free space to be preserved (KB)

Specifies the minimum free space to be preserved in Flash (in KB). This option is available only in routed or transparent single mode.

ASDM Logging (PIX7.0)

Message Queue Size

Specifies the queue size for syslogs intended for viewing in ASDM.


Rate Limit Page

The Rate Limit page allows you to specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level and Syslog message ID. If the settings differ, Syslog message ID limits take precedence.

Navigation Path

(Device view) Select Platform > Logging > Syslog > Rate Limit from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Rate Limit from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Rate Limit to create a new policy.

Related Topics

Logging Policies

Add/Edit Rate Limit for Syslog Logging Levels Dialog Box

Add/Edit Rate Limited Syslog Message Dialog Box

Field Reference

Table K-108 Rate Limit Page 

Element
Description
Rate Limits for Syslog Logging Levels Table

Logging Level

The Syslog logging level for which you are specifying a rate limit.

No. of Messages

Maximum number of messages of the specified type allowed in the specified time period.

Interval (seconds)

Number of seconds before the rate limit counter resets.

Individually Rate Limited Syslog Messages Table

Syslog ID

Identification number of the Syslog message for which you are specifying a rate limit.

No. of Messages

Maximum number of messages with the specified ID allowed in the specified time period.

Interval (seconds)

Number of seconds before the rate limit counter resets.


Add/Edit Rate Limit for Syslog Logging Levels Dialog Box

Using the Add/Edit Rate Limit for Syslog Logging Levels dialog box, you can specify the maximum number of log messages for particular log level that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID (see Add/Edit Rate Limited Syslog Message Dialog Box). If the settings differ, the rate limited syslog message-level settings override rate limit logging level settings.

Navigation Path

You can access the Add/Edit Rate Limit for Syslog Logging Levels dialog box from the Rate Limit page. For more information, see Rate Limit Page.

Related Topics

Logging Policies

Rate Limit Page

Add/Edit Rate Limited Syslog Message Dialog Box

Field Reference

Table K-109 Add/Edit Rate Limit for Syslog Logging Levels Dialog Box 

Element
Description

Logging Level

The syslog logging level for which you are specifying the rate limit.

Number of Messages

Maximum number of messages of the specified type allowed in the specified time period.

Interval (Seconds)

Number of seconds before the rate limit counter resets.


Add/Edit Rate Limited Syslog Message Dialog Box

Using the Add/Edit Rate Limited Syslog Message dialog box you can specify the maximum number of log messages of a particular Syslog ID that can be generated within a given period of time. You can specify a limit for each syslog message ID or logging level (see Add/Edit Rate Limit for Syslog Logging Levels Dialog Box). If the settings differ, the rate limited syslog message-level settings override rate limit logging level settings.

Navigation Path

You can access the Add/Edit Rate Limited Syslog Message dialog box from the Rate Limit page. For more information, see Rate Limit Page.

Related Topics

Logging Policies

Rate Limit Page

Add/Edit Rate Limit for Syslog Logging Levels Dialog Box

Field Reference

Table K-110 Add/Edit Rate Limited Syslog Message Dialog Box 

Element
Description

Syslog ID

Identification number of the syslog message for which you are specifying a rate limit.

Number of Messages

Maximum number of messages with the specified ID allowed in the specified time period.

Interval (Seconds)

Number of seconds before the rate limit counter resets.


Server Setup Page

The Server Setup page allows you to configure the syslog server that runs on the security appliance. The settings that you specify on this page define the possible behaviors of the specific syslog server instance on the security appliance. You can set the facility code to include in syslogs, include timestamp in syslog, view syslog ID levels, modify syslog ID levels, and suppress syslog messages.

To generate meaningful reports about the network activity of a security appliance and to monitor the security events associated with that device, you must select the appropriate logging level. The logging level generates the syslog details required to track session-specific data. After you select a logging level, you can define a syslog rule that directs traffic to a third-party syslog server or Cisco Security MARS.

Navigation Path

(Device view) Select Platform > Logging > Syslog > Server Setup from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Server Setup from the Policy Type selector. Right-click Server Setup to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Logging Policies

Add/Edit Syslog Message Dialog Box

Field Reference

Table K-111 Server Setup Page 

Element
Description

Facility

Syslog facility used by host as basis to file the messages. Values range between 16 and 23. Default is LOCAL0(16). Most UNIX systems expect LOCAL4(20). List presents values that enable you to identify syslog facility for selected security appliance. This value is included in any syslog messages generated by this security appliance.

Syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams.

Note Because your network devices share the eight available facilities, you might need to change this value for syslog.

Enable Timestamp on Each Syslog Message

When selected, attaches timestamp (time and date) to each saved syslog message.

Enable Syslog Device ID

When selected, attaches the specified device ID to each saved syslog message. You can specify the device ID as one of the following:

Hostname—Name of the selected security appliance.

Interface name—Name of the interface in the security appliance that generated the syslog message. These names are defined on the Interfaces page.

Note If you click Select, a list displays all interfaces defined at the current scope.

User Defined ID—User-defined name specified on the Syslog Setup page that uniquely represents the security appliance to the syslog server.

Logging Level

Identifies the logging level specified for this rule.

See Logging Levels for logging levels and descriptions.

Suppressed

Identifies whether the security appliance suppresses the generation of the syslog message identified in this rule. The value is either Unsuppressed (on) or Suppressed (off).

Disable NetFlow Equivalent Syslogs

Certain syslog messages are duplicated by NetFlow logging. If NetFlow is enabled, click this button to disable Syslog logging of those messages. The button then displays "Enable NetFlow Equivalent Syslogs"; if clicked, logging of all syslog messages is re-established.


Logging Levels

The following table describes logging levels.

Table K-112 Logging Levels 

Logging Level
Type
Description

0

Emergency

System unusable. Generates messages that identify system instabilities.

1

Alerts

Immediate action needed. Generates messages that identify system integrity issues that require immediate administrative action.

2

Critical

Critical condition. Generates messages that identify critical system issues.

3

Errors

Error condition. Generates messages that identify system errors during operation.

4

Warnings

Warning condition. Generates messages that identify system warnings. For example, device might be configured incorrectly.

5

Notifications

Normal but significant condition. Generates messages that identify normal operations that are typically considered significant events.

6

Information

Informational only. Generates messages that identify system information that is typical of day-to-day activity, such as network session records.

7

Debugging

Generates syslog messages that assist you in debugging. Also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions. Includes all emergency, alert, critical, error, warning, notification, and information messages.

-

Disabled

No logging.


Add/Edit Syslog Message Dialog Box

The Add/Edit Syslog Message dialog box lets you modify the logging level or suppression setting for selected syslog messages.

Navigation Path

You can access the Add/Edit Syslog Message dialog box from the Server Setup page. For more information about the Server Setup page, see Server Setup Page.

Related Topics

Logging Policies

Server Setup Page

Field Reference

Table K-113 Add/Edit Syslog Message Dialog Box 

Element
Description

Syslog ID list

Specifies the message log ID of the specific message. These values and their corresponding messages are identified in the System Log Message guides for the appropriate product. You can access these guides from the following URLs:

PIX Firewall

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html

ASA

http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html

FWSM

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

Logging Level list

Specifies the logging level for the selected message. See Table K-112 for logging levels and descriptions.

Suppressed

Specifies whether the security appliance suppresses the generation of identified syslog message. To disable the generation, select the Suppressed check box. To enable generation of the syslog, deselect the Suppressed check box.

Note The default value for all messages is Suppressed.


Syslog Servers Page

The Syslog Servers page lets you specify the syslog servers to which the security appliance sends syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.


Note Syslog messages can be sent to Cisco Security MARS and third-party products.


Navigation Path

(Device view) Select Platform > Logging > Syslog > Syslog Servers from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Logging > Syslog > Syslog Servers from the Policy Type selector. Right-click Syslog Servers to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Logging Policies

Add/Edit Syslog Server Dialog Box

Field Reference

Table K-114 Syslog Servers Page 

Element
Description

Interface

Displays the logical name of the security appliance's interface that publishes syslog messages to the syslog server. For example, inside or outside.

IP Address

Displays the IP address of syslog server.

Protocol

Displays the protocol used to publish messages to the syslog server.

Port

Displays the port to which the syslog message are sent.

Log messages in Cisco EMBLEM format

Specifies whether this device is publishing messages in the EMBLEM syslog format.

Note If the syslog server identifies a Cisco Security MARS appliance, ensure that this option is not selected. Cisco Security MARS does not process the EMBLEM format.

Port

Identifies the port from which security appliance sends either UDP or TCP syslog messages.

Queue Size

Specifies the size of the queue for storing syslog messages on the security appliance when syslog server is busy. Minimum is 1 message. Default is 512.

Note A zero value means an unlimited number of messages can be queued (subject to available block memory).

Allow user traffic to pass when TCP server is down

Specifies whether or not to restrict all traffic if any syslog server is down.


Add/Edit Syslog Server Dialog Box

The Add Syslog Servers dialog box lets you add or edit the syslog servers to which the security appliance will send syslog messages. To make use of the syslog server(s) you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.


Note There is a limit of four syslog servers that can be set up per context.


Navigation Path

You can access the Add Syslog Servers dialog box from the Syslog Servers page. For more information about the Syslog Servers page, see Syslog Servers Page.

Related Topics

Logging Policies

Syslog Servers Page

Field Reference

Table K-115 Add/Edit Syslog Server Dialog Box 

Element
Description

Interface

Specifies the interface used to communicate with the syslog server.

Note If you click Select, a list displays all hosts defined.

IP Address

Specifies the IP address of syslog server.

Note If you click Select, a list displays all interfaces defined for the security appliance.

Protocol

Specifies the protocol used by syslog server.

TCP

UDP (Default)

Note You must select UDP if you intend to use the EMBLEM format.

Port

Specifies the TCP or UDP port from which the security appliance sends syslog messages. Must be the same port at which the syslog server listens. The default ports for each protocol are:

TCP—1470.

UDP—514.

Log messages in Cisco EMBLEM format (UDP only)

Specifies whether to log messages in Cisco EMBLEM format (UDP only) or not.

Note This settings is not compatible with Cisco Security MARS.


Multicast Policies

The Multicast section consists of the following pages:

Enable Multicast Routing Page

IGMP Page

Protocol Tab

Access Group Tab

Static Group Tab

Join Group Tab

Multicast Routing Page

Multicast Boundary Filter Page

PIM Page

Protocol Tab

Neighbor Filter Tab

Bidirectional Neighbor Filter Tab

Rendezvous Points Tab

Route Tree Tab

Request Filter Tab

Enable Multicast Routing Page

The Enable Multicast Routing page lets you enable multicast routing on the security appliance. Enabling multicast routing enables IGMP and PIM on all interfaces by default.

Navigation Path

(Device view) Select Platform > Multicast > Enable Multicast Routing from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Enable Multicast Routing from the Policy Type selector. Right-click Enable Multicast Routing to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Enabling Multicast Routing, page 15-69

PIM Page

IGMP Page

Multicast Routing Page

Field Reference

Table K-116 Enable Multicast Routing Page 

Element
Description

Enable multicast routing

When selected, enables IP multicast routing on the security appliance. By default, multicast is disabled. Enabling multicast enables multicast on all interfaces. You can disable multicast on a per-interface basis.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


IGMP Page

The IGMP page consists of the following tabs:

Protocol Tab

Access Group Tab

Static Group Tab

Join Group Tab

Navigation Path

(Device view) Select Platform > Multicast > IGMP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > IGMP from the Policy Type selector. Right-click IGMP to create a policy, or select an existing policy from the Shared Policy selector.

Protocol Tab

Use the Protocol tab to configure IGMP parameters for an interface on the security appliance.

Navigation Path

You can access the Protocol tab from the IGMP page. For more information about the IGMP page, see IGMP Page.

Related Topics

Configure IGMP Parameters Dialog Box

Enable Multicast Routing Page

PIM Page

Multicast Routing Page

Field Reference

Table K-117 Protocol Tab 

Element
Description
Protocol Table

Interface

The name of the interface to which the IGMP settings apply.

Enabled

Indicates whether IGMP is enabled on the interface.

Version

The version of IGMP enabled on the interface.

Query Interval

The interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.

Query Timeout

The period of time, in seconds, before the security appliance takes over querying the interface, after the previous appliance has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds.

Response Time

The maximum response time, in seconds, advertised in IGMP queries. If the security appliance does not receive any host reports within the designated response time, the IGMP group is pruned. Decreasing this value lets the security appliance prune groups faster. Valid values range from 1 to 12 seconds. The default value is 10 seconds. Changing this value is only valid only for IGMP Version 2.

Group Limit

The maximum number of hosts that can join on an interface. Valid values range from 1 to 500. The default value is 500.

Maximum Groups (PIX 6.3)

The maximum number of groups enabled for multicast. Valid values range from 0 to 2000.

Forward Interface

The name of the interface to which the selected interface forwards IGMP host reports if IGMP forwarding is enabled.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Configure IGMP Parameters Dialog Box

Use the Configure IGMP Parameters dialog box to configure IGMP parameters for an interface on the security appliance.

Navigation Path

You can access the Configure IGMP Parameters dialog box from the Protocol tab. For more information about the Protocol tab, see Protocol Tab.

Related Topics

Protocol Tab

IGMP Page

Field Reference

Table K-118 Configure IGMP Parameters Dialog Box 

Element
Description

Interface

The name of the interface to which the IGMP settings apply.

Forward Interface

The name of the interface to which IGMP host reports are forwarded if IGMP forwarding is enabled.

Version

The version of IGMP to enable on the interface. Choose 1 to enable IGMP Version 1, or 2 to enable IGMP Version 2. Some features require IGMP Version 2. By default, the security appliance uses IGMP Version 2.

Query Interval

The interval, in seconds, at which the designated router sends IGMP host-query messages. Valid values range from 1 to 3600 seconds. The default value is 125 seconds.

Response Time

The maximum response time, in seconds, advertised in IGMP queries. If the security appliance does not receive any host reports within the designated response time, the IGMP group is pruned. Decreasing this value lets the security appliance prune groups faster. Valid values range from 1 to 12 seconds. The default value is 10 seconds. Changing this value is valid only for IGMP Version 2.

Maximum Groups (PIX 6.3)

The maximum number of groups enabled for multicast. Valid values range from 0 to 2000.

PIX 7.x and ASA Only

Enable IGMP

When selected, IGMP is enabled on the interface.

Group Limit

The maximum number of hosts that can join on an interface. Valid values range from 1 to 500. The default value is 500.

Query Timeout

The period of time, in seconds, before the security appliance takes over querying the interface, after the previous appliance has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds.


Access Group Tab

Use the Access Group tab to control the multicast groups that are allowed on an interface.

Navigation Path

You can access the Access Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page.

Related Topics

Configure IGMP Access Group Parameters Dialog Box

Enable Multicast Routing Page

PIM Page

Multicast Routing Page

Field Reference

Table K-119 Access Group Tab 

Element
Description
IGMP Table

Interface

The interface with which the access group is associated.

Multicast Group Network

The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.

Action

Displays "permit" if the multicast group address is permitted by the access rule. Displays "deny" if the multicast group address is denied by the access rule.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Configure IGMP Access Group Parameters Dialog Box

Use the Configure IGMP Access Group Parameters dialog box to add or modify an access group entry.

Navigation Path

You can access the Configure IGMP Access Group Parameters dialog box from the Access Group tab. For more information about the Access Group tab, see Access Group Tab.

Related Topics

Access Group Tab

IGMP Page

Field Reference

Table K-120 Configure IGMP Access Group Parameters Dialog Box 

Element
Description

Interface

The name of the interface with which the access group is associated.

Multicast Group Network

The multicast group address to which this rule applies.

Action

Select "permit" if the multicast group address is permitted by the access rule. Displays "deny" if the multicast group address is denied by the access rule.


Static Group Tab

Use the Static Group tab to statically assign a multicast group to an interface.

Navigation Path

You can access the Static Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page.

Related Topics

Configure IGMP Static Group Parameters Dialog Box

Enable Multicast Routing Page

PIM Page

Multicast Routing Page

Field Reference

Table K-121 Static Group Tab 

Element
Description

Interface

The name of the interface with which the static group is associated.

Multicast Group Address

The multicast group address to which this rule applies.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Configure IGMP Static Group Parameters Dialog Box

Use the Configure IGMP Static Group Parameters dialog box to statically assign a multicast group to an interface or to change existing static group assignments.

Navigation Path

You can access the Configure IGMP Static Group Parameters dialog box from the Static Group tab. For more information about the Static Group tab, see Static Group Tab.

Related Topics

Static Group Tab

IGMP Page

Field Reference

Table K-122 Configure IGMP Static Group Parameters Dialog Box 

Element
Description

Interface

The name of the interface with which the static group is associated.

Multicast Group

The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.


Join Group Tab

Use the Join Group tab to configure an interface to be a member of a multicast group.

Navigation Path

You can access the Join Group tab from the IGMP page. For more information about the IGMP page, see IGMP Page.

Related Topics

Configure IGMP Join Group Parameters Dialog Box

Enable Multicast Routing Page

PIM Page

Multicast Routing Page

Field Reference

Table K-123 Join Group Tab 

Element
Description

Interface

The name of the interface for which you are configuring multicast group membership.

Multicast Group Address

The multicast group address to which this rule applies.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Configure IGMP Join Group Parameters Dialog Box

Use the Configure IGMP Join Group Parameters dialog box to configure an interface to be a member of a multicast group or to change existing membership information.

Navigation Path

You can access the Configure IGMP Join Group Parameters dialog box from the Join Group tab. For more information about the Join Group tab, see Join Group Tab.

Related Topics

Join Group Tab

IGMP Page

Field Reference

Table K-124 Configure IGMP Join Group Parameters Dialog Box 

Element
Description

Interface

The name of the interface for which you are configuring multicast group membership.

Join Group

The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.


Multicast Routing Page

Use the Multicast Routing page to define static multicast routes for a security appliance.

Navigation Path

(Device view) Select Platform > Multicast > Multicast Routing from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Routing from the Policy Type selector. Right-click Multicast Routing to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit MRoute Configuration Dialog Box

Enable Multicast Routing Page

PIM Page

IGMP Page

Field Reference

Table K-125 Multicast Routing Page 

Element
Description

Source Interface

The incoming interface for the multicast route.

Source Network

The IP address and mask of the multicast source.

Output Interface

The outgoing interface for the multicast route.

Multicast Network (PIX 6.3)

The group that is to receive the multicast packets.

Distance (PIX 7.x and ASA)

The administrative distance of the static multicast route.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit MRoute Configuration Dialog Box

Use the Add/Edit MRoute Configuration dialog box to add static multicast routes to the security appliance or to change existing static multicast routes.

Navigation Path

You can access the Add/Edit MRoute Configuration dialog box from the Multicast Routing page. For more information about the Multicast Routing page, see Multicast Routing Page.

Related Topics

Multicast Routing Page

Multicast Policies

Field Reference

Table K-126 Add/Edit MRoute Configuration Dialog Box 

Element
Description

Source Interface

The incoming interface for the multicast route.

Source Network

The IP address and mask of the multicast source.

Output Interface/Dense

The outgoing interface for the multicast route.

Multicast Network (PIX 6.3)

The group that is to receive the multicast packets. This must be a multicast IP address in the range of 224.0.1.0-239.255.255.255.

Distance (PIX 7.x and ASA)

The administrative distance of the static multicast route. If the static multicast route has the same administrative distance as the unicast route, the static multicast route takes precedence.


Multicast Boundary Filter Page

On an ASA running version 7.2(1) or later, you can use the Multicast Boundary Filter page to configure the appliance to act as a boundary between multicast domains. The ASA compares multicast group addresses to an access list, blocking all multicast traffic except that specifically permitted by the list.

The Add/Edit MBoundary Configuration dialog box, accessed from this page, is used to define and manage per-interface boundary filter lists. The Add/Edit MBoundary Interface Configuration dialog box, accessed from the Add/Edit MBoundary Configuration dialog box, is used to specifically permit or deny multicast group addresses for the selected interface.

Navigation Path

(Device view) Select Platform > Multicast > Multicast Boundary Filter from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Boundary Filter from the Policy Type selector. Select an existing policy from the Shared Policy selector, or you can right-click Multicast Boundary Filter to create a new policy.

Related Topics

Add/Edit MBoundary Configuration Dialog Box

Add/Edit MBoundary Interface Configuration Dialog Box

Configuring Multicast Boundary Filters, page 15-71

Field Reference

Table K-127 Multicast Boundary Filter Page 

Element
Description

Interface

The interfaces for which multicast boundary filters are defined.

Boundary Filter

The boundary filters defined for each listed interface.

AutoFilter

True indicates "Remove any Auto-RP group range announcements..." is checked for an interface; false indicates it is not.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit MBoundary Configuration Dialog Box

Use the Add/Edit MBoundary Configuration dialog box to add, edit and delete multicast boundary filter lists for individual interfaces.

Navigation Path

You can access the Add/Edit MBoundary Configuration dialog box from the Multicast Boundary Filter Page.

Related Topics

Add/Edit MBoundary Interface Configuration Dialog Box

Multicast Boundary Filter Page

Field Reference

Table K-128 Add/Edit MBoundary Configuration Dialog Box 

Element
Description

Interface

Enter or Select an interface defined on this appliance.

Remove any Auto_RP group range announcements

If you check this box, Auto-RP messages denied by the boundary access control list for this interface are dropped.

Multicast boundary filter configuration list (Action and Mboundary Filter)

Lists the multicast group addresses specifically permitted or denied for the specified interface. This list is managed with the Add/Edit MBoundary Interface Configuration Dialog Box.


Add/Edit MBoundary Interface Configuration Dialog Box

Use this dialog box to add, edit or delete multicast address entries for the list in the Add/Edit MBoundary Configuration dialog box. Each multicast address is assigned an action: permit or deny.

Navigation Path

You can access the Add/Edit MBoundary Interface Configuration dialog box from the Add/Edit MBoundary Configuration Dialog Box.

Related Topics

Multicast Boundary Filter Page

Add/Edit MBoundary Configuration Dialog Box

Field Reference

Table K-129 Add/Edit MBoundary Interface Configuration Dialog Box 

Element
Description

Action

Choose permit or deny to specify the action taken for this multicast address.

Multicast Group

Enter a single multicast address, or a multicast group address, to which this action applies. The address must be 0.0.0.0, or from 224.0.0.0 to 239.255.255.255. A group address range can be entered using either a standard subnet mask (e.g., 239.0.0.0 255.0.0.0), or using CIDR prefix notation (e.g., 239.0.0.0/8).

You also can select a named network/host to be permitted or denied.


PIM Page

PIM (protocol independent multicast) protocol provides a scalable method for determining the best paths in a network for distributing a specific multicast transmission to each host that has registered using IGMP to receive the transmission. With PIM sparse mode (PIM SM), which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one MC router to the next until the packets reach every registered host. If a more direct path to the traffic source exists, the last-hop router sends a join message toward the source that causes the traffic to be rerouted along the better path.

The following topics discuss configuring PIM:

Protocol Tab

Neighbor Filter Tab (ASA 7.2(1) or later)

Bidirectional Neighbor Filter Tab (ASA 7.2(1) or later)

Rendezvous Points Tab

Route Tree Tab

Request Filter Tab

Navigation Path

(Device view) Select Platform > Multicast > PIM from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > PIM from the Policy Type selector. Right-click PIM to create a policy, or select an existing policy from the Shared Policy selector.

Protocol Tab

Use the Protocol tab to configure PIM properties for the interfaces on a security appliance running PIX 7.x or later.

Navigation Path

You can access the Protocol tab from the PIM page. For more information about the PIM page, see PIM Page.

Related Topics

Add/Edit PIM Protocol Dialog Box

Rendezvous Points Tab

Route Tree Tab

Request Filter Tab

Multicast Policies

Field Reference

Table K-130 Protocol Tab 

Element
Description

Interface

The name of the security appliance interface to which the PIM settings apply.

PIM Enabled

Indicates whether PIM is enabled on the interface or not.

DR Priority

The designated router priority for the selected interface. The router with the highest DR priority on subnet becomes the designated router. A value of zero makes the security appliance interface ineligible to become the default router.

Hello Interval

The frequency, in seconds, at which the interface sends PIM hello messages.

Join-Prune Interval

The frequency, in seconds, at which the interface sends PIM join and prune advertisements.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit PIM Protocol Dialog Box

Use the Add/Edit PIM Protocol dialog box to configure PIM properties for an interface on a security appliance running PIX 7.x or later.

Navigation Path

You can access the Add/Edit PIM Protocol dialog box from the Protocol tab. For more information about the Protocol tab, see Protocol Tab.

Related Topics

Protocol Tab

PIM Page

Field Reference

Table K-131 Add/Edit PIM Protocol Dialog Box 

Element
Description

Interface

The name of the interface for which you are configuring PIM settings.

Enable PIM

When selected, PIM is enabled on the selected interface.

DR Priority

The designated router priority for the selected interface. The router with the highest DR priority on subnet becomes the designated router. Valid values range from 0 to 4294967294. The default DR priority is 1. Setting this value to 0 makes the security appliance interface ineligible to become the default router.

Hello Interval (seconds)

The frequency, in seconds, at which the interface sends PIM hello messages. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.

Join-Prune Interval (seconds)

The frequency, in seconds, at which the interface sends PIM join and prune advertisements. Valid values range from 10 to 600 seconds. The default value is 60 seconds.


Neighbor Filter Tab

On an ASA running version 7.2(1) or later, you can use the Neighbor Filter tab to control the routers that can become PIM neighbors. By filtering routers that can become PIM neighbors, you can prevent unauthorized routers from becoming PIM neighbors, and prevent attached stub routers from participating in PIM.

The Add/Edit PIM Neighbor Filter Dialog Box, accessed from this page, is used to define and manage the per-interface neighbor filter list, by specifically permitting or denying multicast source addresses for the selected interface.

Navigation Path

You can access the Neighbor Filter tab from the PIM Page in Device view.

Related Topics

Add/Edit PIM Neighbor Filter Dialog Box

PIM Page

Protocol Tab

Bidirectional Neighbor Filter Tab

Rendezvous Points Tab

Route Tree Tab

Request Filter Tab

Field Reference

Table K-132 Neighbor Filter Tab 

Element
Description

Interface

The interfaces for which neighbor filters are defined.

Network

The network names or addresses provided for each listed interface.

Action

The action assigned to each specified network: permit or deny.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit PIM Neighbor Filter Dialog Box

Use the Add/Edit PIM Neighbor Filter dialog box to add or edit entries in the neighbor access control list displayed on the Neighbor Filter Tab.

Navigation Path

You can access the Add/Edit PIM Neighbor Filter dialog box from the Neighbor Filter tab on the PIM Page.

Related Topics

Neighbor Filter Tab

Field Reference

Table K-133 Add/Edit PIM Neighbor Filter Dialog Box 

Element
Description

Interface

Enter or Select an interface defined on this appliance.

Neighbor Filter Group

Enter a single multicast address, or a multicast group address, to which the chosen Action applies. A group address range can be entered using either a standard subnet mask (e.g., 239.0.0.0 255.0.0.0), or using CIDR prefix notation (e.g., 239.0.0.0/8).

You also can select a named network/host to be permitted or denied.

Action

Choose permit or deny to specify the action taken for this address.


Bidirectional Neighbor Filter Tab

On an ASA running version 7.2(1) or later, you can use the Bidirectional Neighbor Filter tab to filter bidirectional PIM neighbors to control which bidirectional routers can participate in bidirectional trees and designated forwarder (DF) election.

The Add/Edit PIM Bidirectional Neighbor Filter Dialog Box, accessed from this page, is used to define and manage the per-interface bidirectional neighbor filter list, by specifically permitting or denying multicast source addresses for the selected interface.

Navigation Path

You can access the Bidirectional Neighbor Filter tab from the PIM Page.

Related Topics

Add/Edit PIM Bidirectional Neighbor Filter Dialog Box

PIM Page

Protocol Tab

Neighbor Filter Tab

Rendezvous Points Tab

Route Tree Tab

Request Filter Tab

Field Reference

Table K-134 Bidirectional Neighbor Filter Tab 

Element
Description

Interface

The interfaces for which bidirectional neighbor filters are defined.

Network

The network names or addresses provided for each listed interface.

Action

The action assigned to each specified network: permit or deny.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit PIM Bidirectional Neighbor Filter Dialog Box

Use the Add/Edit PIM Bidirectional Neighbor Filter dialog box to add or edit entries in the bidirectional neighbor access control list displayed on the Bidirectional Neighbor Filter Tab.

Navigation Path

You can access the Add/Edit PIM Bidirectional Neighbor Filter dialog box from the Bidirectional Neighbor Filter Tab on the PIM Page.

Related Topics

Bidirectional Neighbor Filter Tab

Field Reference

Table K-135 Add/Edit PIM Bidirectional Neighbor Filter Dialog Box 

Element
Description

Interface

Enter or Select an interface defined on this appliance.

Neighbor Filter Group

Enter a single multicast address, or a multicast group address, to which the chosen Action applies. A group address range can be entered using either a standard subnet mask (e.g., 239.0.0.0 255.0.0.0), or using CIDR prefix notation (e.g., 239.0.0.0/8).

You also can select a named network/host to be permitted or denied.

Action

Choose permit or deny to specify the action taken for this address.


Rendezvous Points Tab

Use the Rendezvous Points tab to define rendezvous points. A rendezvous point is a single, common root of a shared distribution tree and is statically configured on each router. First hop routers use the rendezvous point to send register packets on behalf of the source multicast hosts.

Navigation Path

You can access the Rendezvous Points tab from the PIM page. For more information about the PIM page, see PIM Page.

Related Topics

Add/Edit Rendezvous Point Dialog Box

Add/Edit Multicast Groups Dialog Box

Protocol Tab

Route Tree Tab

Request Filter Tab

Multicast Policies

Field Reference

Table K-136 Rendezvous Points Tab 

Element
Description

Generate older IOS compatible register messages (Enable if your Rendezvous Point is an IOS router)

Select this check box if your rendezvous point is a Cisco IOS router. The security appliance software accepts register messages with the checksum on the PIM header and only the next 4 bytes rather than using the Cisco IOS software method—accepting register messages with the checksum on the entire PIM message for all PIM message types.

Rendezvous Points table

Displays the rendezvous points configured on the security appliance.

Rendezvous Point

The IP address of the rendezvous point.

Multicast Groups

The multicast groups associated with the rendezvous point. Displays "—All Groups—" if the rendezvous point is associated with all multicast groups on the interface.

Bi-directional

Displays "true" if the specified multicast groups are to operate in bidirectional mode. Displays "false" if the specified groups are to operate in sparse mode.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Rendezvous Point Dialog Box

Use the Add/Edit Rendezvous Point dialog box to add an entry to the Rendezvous Points table or to change a rendezvous point entry.

Please note the following:

You cannot use the same rendezvous point address twice.

You cannot specify All Groups for more than one rendezvous point.

Navigation Path

You can access the Add/Edit Rendezvous Point dialog box from the Rendezvous Points tab. For more information about the Rendezvous Points tab, see Rendezvous Points Tab.

Related Topics

Add/Edit Multicast Groups Dialog Box

Rendezvous Points Tab

PIM Page

Field Reference

Table K-137 Add/Edit Rendezvous Point Dialog Box 

Element
Description

Rendezvous Point IP Address

Enter the IP address of the rendezvous point. This is a unicast address. When editing a rendezvous point entry, you cannot change this value.

Use bi-directional forwarding

Select this option if you want the specified multicast groups to operate in bidirectional mode. In bidirectional mode, if the security appliance receives a multicast packet and has no directly connected members or PIM neighbors present, it sends a Prune message back to the source. Deselect this option if you want the specified multicast groups to operate in sparse mode.

Note The security appliance always advertises the bidirectional capability in the PIM hello messages regardless of the actual bidir configuration.

Use this RP for All Multicast Groups

Select this option to use the specified rendezvous point for all multicast groups on the interface.

Use this RP for the Multicast Groups as specified below

Select this option to designate the multicast groups to use with specified rendezvous point.

Multicast Groups table

Displays the multicast groups associated with the specified rendezvous point.

The table entries are processed from the top down. You can create a rendezvous point entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.

Double-click an entry to open the Add/Edit Multicast Groups dialog box for the selected entry.

Action—Displays "permit" if the multicast group is included or "deny" if the multicast group is excluded.

Multicast Group Network—The address and network mask of the multicast group.


Add/Edit Multicast Groups Dialog Box

Use the Add/Edit Multicast Groups dialog box to create a multicast group rule or to modify a multicast group rule.

Navigation Path

You can access the Add/Edit Multicast Group dialog box from the Add/Edit Rendezvous Point dialog box. For more information about the Add/Edit Rendezvous Point dialog box, see Add/Edit Rendezvous Point Dialog Box.

Related Topics

Add/Edit Rendezvous Point Dialog Box

Rendezvous Points Tab

PIM Page

Field Reference

Table K-138 Add/Edit Multicast Groups Dialog Box 

Element
Description

Action

Select "permit" to create a group rule that allows the specified multicast addresses; select "deny" to create a group rule that filters the specified multicast addresses.

Multicast Group Network

The multicast address and network mask associated with the group.


Route Tree Tab

Use the Route Tree tab to specify whether a multicast group should use shortest-path tree or shared tree.

Navigation Path

You can access the Route Tree tab from the PIM page. For more information about the PIM page, see PIM Page.

Related Topics

Multicast Group Dialog Box

Protocol Tab

Rendezvous Points Tab

Request Filter Tab

Multicast Policies

Field Reference

Table K-139 Route Tree Tab 

Element
Description

Use Shortest Path Tree for All Groups

When selected, the security appliance uses shortest-path tree for all multicast groups.

Use Shared Tree for All Groups

When selected, the security appliance uses shared tree for all multicast groups.

Use Shared Tree for the Groups specified below

When selected, the security appliance uses shared tree for the groups specified in the Multicast Groups table. Shortest-path tree is used for any group not specified in the Multicast Groups table.

Multicast Groups table

Displays the multicast groups to use Shared Tree with.

The table entries are processed from the top down. You can create an entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.

Double-click an entry to open the Multicast Group dialog box for the selected entry.

Action—Displays "permit" if the multicast group is included or "deny" if the multicast group is excluded.

Multicast Group Network—The address and network mask of the multicast group.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Multicast Group Dialog Box

Use the Multicast Group dialog box to create a multicast group rule or to modify a multicast group rule.

Navigation Path

You can access the Multicast Group dialog box from the Route Tree tab. For more information about the Route Tree tab, see Route Tree Tab.

Related Topics

Route Tree Tab

PIM Page

Field Reference

Table K-140 Multicast Group Dialog Box 

Element
Description

Action

Select "permit" to create a group rule that allows the specified multicast addresses; select "deny" to create a group rule that filters the specified multicast addresses.

Multicast Group

The multicast address and network mask associated with the group.


Request Filter Tab

When the security appliance is acting as a rendezvous point, you can restrict specific multicast sources from registering with it. This prevents unauthorized sources from registering with the rendezvous point. You can use the Request Filter tab to define the multicast sources from which the security appliance accepts PIM register messages.

Navigation Path

You can access the Request Filter tab from the PIM page. For more information about the PIM page, see PIM Page.

Related Topics

Multicast Group Dialog Box

Protocol Tab

Rendezvous Points Tab

Route Tree Tab

Multicast Policies

Field Reference

Table K-141 Request Filter Tab 

Element
Description

Filter PIM register messages using

Select the method to use for filtering PIM register messages:

None—Do not filter PIM register messages.

route-map—Filter PIM register messages using a route map. Only PIM register messages that are permitted by the route map are allowed to reach the rendezvous point.

access-list—Filter PIM register messages using an access list. Only PIM register messages that are permitted by the access list are allowed to reach the rendezvous point.

Route Map

Specifies a route-map name. Use standard host ACLs in the referenced route-map; extended ACLs are not supported.

Multicast Groups table

Displays the request filter access rules.

The table entries are processed from the top down. You can create an entry that includes a range of multicast groups but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.

Double-click an entry to open the Multicast Group dialog box for the selected entry.

No—The rule number.

Action—Displays "permit" if the multicast source is allowed to register or "deny" if the multicast source is excluded.

Source—The address and network mask of the source of the register message.

Destination—The address and network mask of the multicast destination.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Multicast Group Dialog Box

Use the Multicast Group dialog box to define the multicast sources that are allowed to register with the security appliance when the security appliance acts as a rendezvous point. You create the filter rules based on the source IP address and the destination multicast address.

Navigation Path

You can access the Multicast Group dialog box from the Request Filter tab. For more information about the Request Filter tab, see Request Filter Tab.

Related Topics

Request Filter Tab

PIM Page

Field Reference

Table K-142 Multicast Group Dialog Box 

Element
Description

Action

Select "permit" to create a rule that allows the specified source of the specified multicast traffic to register with the security appliance; select "deny" to create a rule that prevents the specified source of the specified multicast traffic from registering with the security appliance.

Source Network

The IP address and network mask for the source of the register message.

Destination Network

The multicast destination address.


Routing Policies

The Routing feature lets you specify static route, RIP, OSPF, and proxy ARP configuration parameters. The Routing section consists of the following pages:

No Proxy ARP Page

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

RIP Page

Static Route Page

No Proxy ARP Page

Use the No Proxy ARP page to disable proxy ARP for global addresses. For more information, see Configuring No Proxy ARP, page 15-72.

Navigation Path

(Device view) Select Platform > Routing > No Proxy ARP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy ARP from the Policy Type selector. Right-click No Proxy ARP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring No Proxy ARP, page 15-72

Edit Interfaces Dialog Box

Static Route Page

RIP Page

OSPF Page

Field Reference

Table K-143 No Proxy ARP Page 

Element
Description

Interfaces

Lists the interfaces for which proxy ARP is disabled. By default, proxy ARP is enabled for all interfaces.

Edit button

Click to open the Edit Interfaces dialog box from which you can specify the interfaces for which you want to disable proxy ARP.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Edit Interfaces Dialog Box

Use the Edit Interfaces dialog box to specify the interfaces for which you want to disable proxy ARP.

Navigation Path

You can access the Edit Interfaces dialog box from the No Proxy ARP page. For more information about the No Proxy ARP page, see No Proxy ARP Page.

Related Topics

Configuring No Proxy ARP, page 15-72

No Proxy ARP Page

Field Reference

Table K-144 Edit Interfaces Dialog Box 

Element
Description

Interfaces

Enter the names of the interfaces for which you want to disable proxy ARP. Separate multiple interfaces with a comma.

Tip You can click Select to select the interfaces from a list of interface objects.

OSPF Page

Use the OSPF page to enable and configure OSPF on a firewall device. The following topics provide more information about enabling and configuring OSPF:

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Navigation Path

(Device view) Select Platform > Routing > OSPF from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the Policy Type selector. Right-click OSPF to create a policy, or select an existing policy from the Shared Policy selector.

General Tab

Use the General tab on the OSPF page to enable OSPF processes. You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.


Note You cannot enable OSPF if you have RIP enabled.


Navigation Path

You can access the General tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Table K-146

OSPF Page

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-145 General Tab 

Element
Description

OSPF Process 1 and 2 group boxes

Each group box contains the settings for a specific OSPF process.

Enable this OSPF Process

Select the check box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Deselect this check box to remove the OSPF process.

OSPF Process ID

Enter a unique numeric identifier for the OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.

Advanced button

Opens the OSPF Advanced dialog box, from which you can configure the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


OSPF Advanced Dialog Box

Use the OSPF Advanced dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for an OSPF process.

Navigation Path

You can access the OSPF Advanced dialog box from the General tab. For more information about the General tab, see General Tab.

Related Topics

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-146 OSPF Advanced Dialog Box 

Element
Description

OSPF Process

Displays the OSPF process you are configuring. You cannot change this value.

Router ID

To use a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest-level IP address on the security appliance is used as the router ID.

Ignore LSA MOSPF

Select this check box to suppress the sending of syslog messages when the security appliance receives Type 6 (MOSPF) LSA packets. This setting is deselected by default.

RFC 1583 Compatible

Select this check box to calculate summary route costs per RFC 1583. Deselect this check box to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This setting is selected by default.

Adjacency Changes

Contains settings that define the adjacency changes that cause syslog messages to be sent.

Log Adjacency Changes—Select this check box to cause the security appliance to send a syslog message whenever an OSPF neighbor goes up or down. This setting is selected by default.

Log Adjacency Changes Detail—Select this check box to cause the security appliance to send a syslog message whenever any state change occurs, not just when a neighbor goes up or down. This setting is deselected by default.

Administrative Route Distances

Contains the settings for the administrative distances of routes based on the route type.

Inter Area—Sets the administrative distance for all routes from one area to another. Valid values range from 1 to 255. The default value is 100.

Intra Area—Sets the administrative distance for all routes within an area. Valid values range from 1 to 255. The default value is 100.

External—Sets the administrative distance for all routes from other routing domains that are learned through redistribution. Valid values range from 1 to 255. The default value is 100.

Timers (in seconds)

Contains the settings used to configure LSA pacing and SPF calculation timers.

SPF Delay—Specifies the time between when OSPF receives a topology change and when the SPF calculation starts. Valid values range from 0 to 65535. The default value is 5.

SPF Hold—Specifies the hold time between consecutive SPF calculations. Valid values range from 1 to 65534. The default value is 10.

LSA Group Pacing—Specifies the interval at which LSAs are collected into a group and refreshed, checksummed, or aged. Valid values range from 10 to 1800. The default value is 240.

Default Information Originate

Contains the settings used by an ASBR to generate a default external route into an OSPF routing domain.

Enable Default Information Originate—Select this check box to enable the generation of the default route into the OSPF routing domain.

Always advertise the default route—Select this check box to always advertise the default route. This option is deselected by default.

Metric Value—Specifies the OSPF default metric. Valid values range from 0 to 16777214. The default value is 1.

Metric Type—Specifies the external link type associated with the default route advertised into the OSPF routing domain. Valid values are 1 or 2, indicating a Type 1 or a Type 2 external route. The default value is 2.

Route Map—(Optional) The name of the route map to apply. The routing process generates the default route if the route map is satisfied.


Area Tab

Use the Area tab on the OSPF page to configure OSPF areas and networks.

Navigation Path

You can access the Area tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Add/Edit Area/Area Networks Dialog Box

OSPF Page

General Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-147 Area Tab 

Element
Description

OSPF Process

The OSPF process the area applies to.

Area ID

The area ID.

Area Type

The area type (Normal, Stub, or NSSA).

Networks

The area networks.

Options

The options, if any, set for the area type.

Authentication

The type of authentication set for the area (None, Password, or MD5).

Cost

The default cost for the area.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Area/Area Networks Dialog Box

Use the Add/Edit Area/Area Networks dialog box to define area parameters, the networks contained by the area, and the OSPF process associated with the area.

Navigation Path

You can access the Add/Edit Area/Area Networks dialog box from the Area tab. For more information about the Area tab, see Area Tab.

Related Topics

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-148 Add/Edit Area/Area Networks Dialog Box 

Element
Description

OSPF Process

When adding a new area, choose the OSPF process ID for the OSPF process for which the area is being added. If there is only one OSPF process enabled on the security appliance, that process is selected by default. When editing an existing area, you cannot change the OSPF process ID.

Area ID

When adding a new area, enter the area ID. You can specify the area ID as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295. You cannot change the area ID when editing an existing area.

Area Type

Normal

Choose this option to make the area a standard OSPF area. This option is selected by default when you first create an area.

Stub

Choosing this option makes the area a stub area. Stub areas do not have any routers or areas beyond it. Stub areas prevent AS External LSAs (Type 5 LSAs) from being flooded into the stub area. When you create a stub area, you can prevent summary LSAs (Type 3 and 4) from being flooded into the area by deselecting the Summary check box.

Summary (allows sending LSAs into the stub area)

When the area being defined is a stub area, deselecting this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.

NSSA

Choose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs. When you create a NSSA, you can prevent summary LSAs from being flooded into the area by deselecting the Summary check box. You can also disable route redistribution by deselecting the Redistribute check box and enabling Default Information Originate.

Redistribute (imports routes to normal and NSSA areas)

Deselect this option to prevent routes from being imported into the NSSA. This option is selected by default.

Summary (allows sending LSAs into the NSSA area)

When the area being defined is a NSSA, deselecting this check box prevents LSAs from being sent into the stub area. This check box is selected by default for NSSAs.

Default Information Originate (generate a
Type 7 default)

Select this option to generate a Type 7 default into the NSSA. This option is deselected by default.

Metric Value

Specifies the OSPF metric value for the default route. Valid values range from 0 to 16777214. The default value is 1.

Metric Type

The OSPF metric type for the default route. The choices are 1 (Type 1) or 2 (Type 2). The default value is 2.

Network

The IP address and network mask of the network or host to be added to the area. Use 0.0.0.0 with a netmask of 0.0.0.0 to create the default area. You can only use 0.0.0.0 in one area.

Tip You can click Select to select the interfaces from a list of interface objects.

Authentication

Contains the settings for OSPF area authentication.

None—Choose this option to disable OSPF area authentication. This is the default setting.

Password—Choose this option to use a clear text password for area authentication. This option is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication.

Default Cost

Specify a default cost for the area. Valid values range from 0 to 65535. The default value is 1.


Range Tab

Use the Range tab to summarize routes between areas.

Navigation Path

You can access the Range tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Add/Edit Area Range Network Dialog Box

OSPF Page

General Tab

Area Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-149 Range Tab 

Element
Description

Process ID

The ID of the OSPF process associated with the route summary.

Area ID

The ID of the area associated with the route summary.

Network

The summary IP address and network mask.

Advertise

Displays "true" if the route summaries are advertised when they match the address/mask pair or "false" if the route summaries are suppressed when they match the address/mask pair.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Area Range Network Dialog Box

Use the Add/Edit Area Range Network dialog box to add a new entry to the Route Summarization table or to change an existing entry.

Navigation Path

You can access the Add/Edit Area Range Network dialog box from the Range tab. For more information about the Range tab, see Range Tab.

Related Topics

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-150 Add/Edit Area Range Network Dialog Box 

Element
Description

OSPF Process

Select the OSPF process to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Area

Select the area ID of the area to which the route summary applies. You cannot change this value when editing an existing route summary entry.

Network

The IP address and mask of the network for the routes being summarized.

Tip You can click Select to select the networks from a list of network objects.

Advertise

Select this check box to set the address range status to "advertise". This causes Type 3 summary LSAs to be generated. Deselect this check box to suppress the Type 3 summary LSA for the specified networks.


Neighbors Tab

Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.

Navigation Path

You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Add/Edit Static Neighbor Dialog Box

OSPF Page

General Tab

Area Tab

Range Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-151 Neighbors Tab 

Element
Description

OSPF Process

The OSPF process associated with the static neighbor.

Neighbor

The IP address of the static neighbor.

Interface

The interface associated with the static neighbor.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Static Neighbor Dialog Box

Use the Add/Edit Static Neighbor dialog box to define a static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.

Navigation Path

You can access the Add/Edit Static Neighbor dialog box from the Neighbors tab. For more information about the Neighbors tab, see Neighbors Tab.

Related Topics

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-152 Add/Edit Static Neighbor Dialog Box 

Element
Description

OSPF Process

The OSPF process associated with the static neighbor.

Neighbor

The IP address of the static neighbor.

Tip You can click Select to choose the neighbor from a list of host objects.

Interface

The interface associated with the static neighbor.

Tip You can click Select to choose the interface from a list of interface objects.

Redistribution Tab

Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.

Navigation Path

You can access the Redistribution tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Redistribution Dialog Box

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-153 Redistribution Tab 

Element
Description

OSPF Process

The OSPF process associated with the route redistribution entry.

Route Type

The source protocol the routes are being redistributed from. Valid entries are the following:

Static—The route is a static route.

Connected—The route was established automatically by virtue of having IP enabled on the interface.

OSPF—The route is an OSPF route from another process.

Match

The conditions used for redistributing routes from one routing protocol to another.

Subnets

Displays "true" if subnetted routes are redistributed. Does not display anything if only routes that are not subnetted are redistributed.

Metric Value

The metric that is used for the route. This column is blank for redistribution entries if the default metric is used.

Metric Type

Displays "1" if the metric is a Type 1 external route, "2" if the metric is Type 2 external route.

Tag Value

A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Route Map

The name of the route map to apply to the redistribution entry.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Redistribution Dialog Box

Use the Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.

Navigation Path

You can access the Redistribution dialog box from the Redistribution tab. For more information about the Redistribution tab, see Redistribution Tab.

Related Topics

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-154 OSPF Redistribution Settings Dialog Box 

Element
Description

OSPF Process

Select the OSPF process associated with the route redistribution entry.

Route Type

Select the source protocol from which the routes are being redistributed. You can choose one of the following options:

Static—The route is a static route.

Connected—The route was established automatically by virtue of having IP enabled on the interface.

OSPF—The route is an OSPF route from another process.

Match

The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions:

Internal—The route is internal to a specific AS.

External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.

External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.

NSSA External 1—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

NSSA External 2—Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.

Metric Value

The metric value for the routes being redistributed. Valid values range from 1 to 16777214. When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified. When redistributing other processes to an OSPF process, the default metric is 20 when no metric value is specified.

Metric Type

Select "1" if the metric is a Type 1 external route, "2" if the metric is a Type 2 external route.

Tag Value

The tag value is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between ASBRs. Valid values range from 0 to 4294967295.

Use Subnets

When selected, redistribution of subnetted routes is enabled. Deselect this check box to cause only routes that are not subnetted to be redistributed.

Route Map

The name of the route map to apply to the redistribution entry.


Virtual Link Tab

Use the Virtual Link tab to create virtual links. If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.

Navigation Path

You can access the Virtual Link tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Add/Edit OSPF Virtual Link Configuration Dialog Box

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-155 Virtual Link Tab 

Element
Description

OSPF Process

The OSPF process associated with the virtual link.

Area ID

The ID of the transit area.

Peer Router

The IP address of the virtual link neighbor.

Authentication

Displays the type of authentication used by the virtual link:

None—No authentication is used.

Password—Clear text password authentication is used.

MD5—MD5 authentication is used.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit OSPF Virtual Link Configuration Dialog Box

Use the Add/Edit OSPF Virtual Link Configuration dialog box to define virtual links or change the properties of existing virtual links.

Navigation Path

You can access the Add/Edit OSPF Virtual Link Configuration dialog box from the Virtual Link tab. For more information about the Virtual Link tab, see Virtual Link Tab.

Related Topics

Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-156 Add/Edit OSPF Virtual Link Configuration Dialog Box 

Element
Description

OSPF Process

Select the OSPF process associated with the virtual link.

Area ID

Select the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a stub area.

Peer Router

Enter the IP address of the virtual link neighbor.

Hello Interval

The interval, in seconds, between hello packets sent on an interface. The smaller the hello interval, the faster topological changes are detected but the more traffic is sent on the interface. This value must be the same for all routers and access servers on a specific interface. Valid values range from 1 to 65535 seconds. The default value is 10 seconds.

Retransmit Interval

The time, in seconds, between LSA retransmissions for adjacencies belonging to the interface. When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgement message. If the router receives no acknowledgement, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds. The default value is 5 seconds.

Transmit Delay

The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds. The default value is one second.

Dead Interval

The interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this field is four times the interval set by the Hello Interval field.

Authentication

Contains the OSPF authentication options.

None—Choose this option to disable OSPF authentication.

Password—Choose this option to use clear text password authentication. This is not recommended where security is a concern.

MD5—Choose this option to use MD5 authentication (recommended).

Authentication Password

Contains the settings for entering the password when password authentication is enabled.

Password—Enter a text string of up to 8 characters.

Confirm—Re-enter the password.

MD5 IDs and Keys

Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.

MD5 Key ID and MD5 Key Table

MD5 Key ID—A numerical key identifier. Valid values range from 1 to 255.

MD5 Key—An alphanumeric character string of up to 16 bytes.


Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box

Use the Add/Edit OSPF Virtual Link MD5 Configuration dialog box to define MD5 keys for authentication of virtual links.

Navigation Path

You can access the Add/Edit OSPF Virtual Link MD5 Configuration dialog box from the Add/Edit OSPF Virtual Link Configuration dialog box. For more information about the Add/Edit OSPF Virtual Link Configuration dialog box, see Add/Edit OSPF Virtual Link Configuration Dialog Box.

Related Topics

Add/Edit OSPF Virtual Link Configuration Dialog Box

Virtual Link Tab

OSPF Page

Field Reference

Table K-157 Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box 

Element
Description

MD5 Key ID

A numerical key identifier. Valid values range from 1 to 255.

MD5 Key

An alphanumeric character string of up to 16 bytes.

Confirm

Re-enter the MD5 key.


Filtering Tab

Use the Filtering tab to configure the ABR Type 3 LSA filters for each OSPF process. ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF areas at the same time.

Benefits

OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.

Restrictions

Only type-3 LSAs that originate from an ABR are filtered.

Navigation Path

You can access the Filtering tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Add/Edit Filtering Dialog Box

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-158 Filtering Tab 

Element
Description

OSPF Process

The OSPF process associated with the filter entry.

Area ID

The ID of the area associated with the filter entry.

Filtered Network

The IP address and mask of the network being filtered.

Traffic Direction

Displays "Inbound" if the filter entry applies to LSAs coming in to an OSPF area or "Outbound" if it applies to LSAs going out of an OSPF area.

Sequence #

The sequence number for the filter entry. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Action

Displays "Permit" if LSAs matching the filter are allowed or "Deny" if LSAs matching the filter are denied.

Lower Range

The minimum prefix length to be matched.

Upper Range

The maximum prefix length to be matched.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Add/Edit Filtering Dialog Box

Use the Add/Edit Filtering dialog box to add new filters to the Filter table or to modify an existing filter.

Navigation Path

You can access the Add/Edit Filtering dialog box from the Filtering tab. For more information about the Filtering tab, see Filtering Tab.

Related Topics

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Summary Address Tab

Interface Tab

Field Reference

Table K-159 Add/Edit Filtering Dialog Box 

Element
Description

OSPF Process

Select the OSPF process associated with the filter entry.

Area ID

Select the ID of the area associated with the filter entry.

Prefix List Name

 

Filtered Network

Enter the IP address and mask of the network being filtered.

Traffic Direction

Select the traffic direction to filter. Choose "Inbound" to filter LSAs coming into an OSPF area or "Outbound" to filter LSAs going out of an OSPF area.

Sequence Number

Enter a sequence number for the filter. Valid values range from 1 to 4294967294. When multiple filters apply to an LSA, the filter with the lowest sequence number is used.

Action

Select "Permit" to allow the LSA traffic or "Deny" to block the LSA traffic.

Lower Range

Specify the minimum prefix length to be matched. The value of this setting must be greater than the length of the network mask entered in the Filtered Network field and less than or equal to the value, if present, entered in the Upper Range field.

Upper Range

Enter the maximum prefix length to be matched. The value of this setting must be greater than or equal to the value, if present, entered in the Lower Range field, or, if the Lower Range field is left blank, greater than the length of the network mask length entered in the Filtered Network field.


Summary Address Tab

Use the Summary Address tab to configure summary addresses for each OSPF routing process.

Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.

Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.

Navigation Path

You can access the Summary Address tab from the OSPF page. For more information about the OSPF page, see OSPF Page.

Related Topics

Table K-161

OSPF Page

General Tab

Area Tab

Range Tab

Neighbors Tab

Redistribution Tab

Virtual Link Tab

Filtering Tab

Interface Tab

Field Reference

Table K-160 Summary Address Tab 

Element
Description

OSPF Process

The OSPF process associated with the summary address.

Network

The IP address and network mask of the summary address.

<