Index
Symbols
/bits subnet masks D-3
?
command string C-4
help C-4
Numerics
4GE SSM
connector types 5-1
fiber 5-3
SFP 5-3
support A-9
802.1Q tagging 4-11
802.1Q trunk 5-3
A
AAA
about 13-1
accounting 19-13
addressing, configuring 31-2
authentication
CLI access 40-5
network access 19-1
privileged EXEC mode 40-6
authorization
command 40-7
downloadable access lists 19-8
network access 19-6
local database support 13-9
performance 19-1
server
adding 13-12
types 13-2
support summary 13-3
web clients 19-5
abbreviating commands C-3
Access Control Server 33-1, 33-2, 33-5
access hours, username attribute 30-71
accessing the security appliance using SSL 37-3
accessing the security appliance using TLS1 37-3
access list filter, username attribute 30-73
access lists
about 16-1
ACE logging, configuring 16-19
comments 16-17
deny flows, managing 16-21
downloadable 19-9
EtherType, adding 16-8
exemptions from posture validation 33-4
extended
about 16-5
adding 16-6
group policy WebVPN filter 30-63
implicit deny 16-3
inbound 18-1
interface, applying 18-2
IP address guidelines 16-3
IPSec 27-20
logging 16-19
NAT guidelines 16-3
Network Admission Control, default 33-3
object groups 16-17
outbound 18-1
remarks 16-17
scheduling activation 16-18
standard, adding 16-10
types 16-2
WebVPN username connections 30-80
access ports 4-9
ACEs
See access lists
Active/Active failover
about 14-10
actions 14-13
command replication 14-12
configuration synchronization 14-11
configuring
asymmetric routing support 14-35
cable-based failover 14-27
failover criteria 14-34
failover group preemption 14-33
HTTP replication 14-33
interface monitoring 14-33
LAN-based failover 14-29
prerequisites 14-27
virtual MAC addresses 14-34
device initialization 14-11
duplicate MAC addresses, avoiding 14-10, 14-34
primary status 14-10
secondary status 14-10
triggers 14-13
Active/Standby failover
about 14-6
actions 14-9
command replication 14-7
configuration synchronization 14-7
configuring
cable-based 14-19
failover criteria 14-26
HTTP replication 14-24
interface monitoring 14-25
interface poll times 14-38
LAN-based 14-21
prerequisites 14-19
unit poll times 14-38
virtual MAC addresses 14-26
device initialization 14-7
primary unit 14-6
secondary unit 14-6
triggers 14-8
Active Directory, settings for password management 30-24
Active Directory procedures E-19 to E-22
Adaptive Security Algorithm 1-4
admin context
about 3-2
changing 6-13
administrative distance 9-3
Advanced Encryption Standard (AES) 27-3
AIP SSM
about 22-1
checking status 22-13
configuration 22-2
initial setup 22-4
loading an image 22-14
sending traffic to 22-2
support A-9
alternate address, ICMP message D-15
Application Access Panel, WebVPN 37-33
application access using WebVPN
and e-mail proxy 37-50
and hosts file errors 37-18
and Web Access 37-50
configuring client applications 37-49
enabling cookies on browser 37-49
group policy WebVPN attribute 30-64
privileges 37-49
quitting properly 37-19
re-enabling 37-20
setting up on client 37-49
username WebVPN attribute 30-81
using e-mail 37-50
with IMAP client 37-50
application inspection
about 25-2
applying 25-5
configuring 25-5
inspection class map 21-11
inspection policy map 21-8
security level requirements 7-1
special actions 21-7
Application Profile Customization Framework 37-30
ARP inspection
about 26-1
enabling 26-2
static entry 26-2
ARP spoofing 26-2
ARP test, failover 14-17
ASA (Adaptive Security Algorithm) 1-4
ASA 5505
Base license 4-2
client
authentication 34-11
configuration restrictions, table 34-2
device pass-through 34-8
group policy attributes pushed to 34-9
mode 34-3
remote management 34-8
split tunneling 34-7
TCP 34-4
trustpoint 34-7
tunnel group 34-6
tunneling 34-5
Xauth 34-4
interfaces, about 4-1
MAC addresses 4-4
maximum VLANs 4-2
native VLAN support 4-11
non-forwarding interface 4-6
power over Ethernet 4-4
protected switch ports 4-9
Security Plus license 4-2
server (headend) 34-1
SPAN 4-4
Spanning Tree Protocol, unsupported 4-9
VLAN interface configuration 4-5
ASDM software
allowing access 40-3
configuring ASDM and WebVPN on the same interface 40-4
installing 41-3
ASR 14-35
asymmetric routing support 14-35
attributes
LDAP E-5
policy E-2
RADIUS E-25
username 30-71
attribute-value pairs
TACACS+ E-32
attribute-value pairs (AVP) 30-30
authentication
about 13-1
ASA 5505 as Easy VPN client 34-11
CLI access 40-5
FTP 19-3
HTTP 19-2
network access 19-1
privileged EXEC mode 40-6
restrictions, WebVPN 37-5
Telnet 19-2
web clients 19-5
WebVPN users with digital certificates 37-15
authorization
about 13-2
command 40-7
downloadable access lists 19-8
network access 19-6
Auto-MDI/MDIX 5-1
auto-signon
group policy WebVPN attribute 30-63
username WebVPN attribute 30-82
Auto-Update, configuring 41-9
B
backup device, load balancing 29-5
backup server attributes, group policy 30-47
Baltimore Technologies, CA server support 39-5
banner message, group policy 30-40
bits subnet masks D-3
Black Ice firewall 30-56
BPDUs, EtherType access list 16-10
bridge
entry timeout 26-4
table, See MAC address table
broadcast Ping test 14-17
bypass authentication 34-8
C
CA
certificate validation, not done in WebVPN 37-2
CRLs and 39-2
public key cryptography 39-1
revoked certificates 39-2
server support 39-5
supported servers 39-5
caching 37-28
capturing packets 43-11
cascading access lists 27-15
certificate
authentication, e-mail proxy 37-27
enrollment protocol 39-7
group matching
configuring 27-9
rule and policy, creating 27-10
Certificate Revocation Lists
See CRLs
certification authority
See CA
changing between contexts 6-11
Cisco-AV-Pair LDAP attributes E-14
Cisco Integrated Firewall 30-55
Cisco IP Phones
DHCP 10-4
Cisco IP Phones, application inspection 25-71
Cisco LDAP attributes E-5
Cisco Security Agent 30-55
Cisco Trust Agent 33-5
Class A, B, and C addresses D-1
class-default class map 21-4
classes, logging
filtering messages by 42-16
message class variables 42-16
types 42-16
classes, MPF
See class map
classes, resource
See resource management
class map
inspection 21-11
Layer 3/4
management traffic 21-7
match commands 21-5
through traffic 21-5
regular expression 21-14
CLI
abbreviating commands C-3
adding comments C-6
command line editing C-3
command output paging C-5
displaying C-5
help C-4
paging C-5
syntax formatting C-3
client
VPN 3002 hardware, forcing client update 29-3
Windows, client update notification 29-3
client access rules, group policy 30-57
client firewall, group policy 30-54
clientless authentication 33-5
client mode 34-3
client update, performing 29-3
cluster
IP address, load balancing 29-6
load balancing configurations 29-7
mixed scenarios 29-8
virtual 29-5
command authorization
about 40-7
configuring 40-7
command prompts C-2
comments
access lists 16-17
configuration C-6
configuration
clearing 2-9
comments C-6
factory default
commands 2-1
restoring 2-2
saving 2-6
text file 2-9
URL for a context 6-9
viewing 2-8
configuration mode
accessing 2-5
prompt C-2
connection blocking 23-11
connection limits
configuring 23-6
per context 6-6
connect time, maximum, username attribute 30-73
console port logging 42-8
content transformation, WebVPN 37-28
contexts
See security contexts
conversion error, ICMP message D-16
cookies, enabling for WebVPN 37-5
CRACK protocol 27-28
crash dump 43-11
crypto map
access lists 27-20
applying to interfaces 27-20, 36-7
clearing configurations 27-27
creating an entry to use the dynamic crypto map 32-7
definition 27-12
dynamic 27-24
dynamic, creating 32-6
entries 27-12
examples 27-21
policy 27-13
crypto show commands 27-26
CSC SSM
about 22-5
checking status 22-13
failover 22-7
getting started 22-7
loading an image 22-14
sending traffic to 22-11
support A-9
what to scan 22-9
CSD support A-11
custom firewall 30-55
customization, WebVPN
group policy WebVPN attribute 30-60
login windows for WebVPN users 30-23
username WebVPN attribute 30-20, 30-79
cut-through proxy 19-1
D
data flow
routed firewall 15-3
transparent firewall 15-13
DDNS 10-6
debugging IPSec 28-7
debug messages 43-10
default
class 6-3
DefaultL2LGroup 30-1
DefaultRAGroup 30-1
domain name, group policy 30-42
group policy 30-1, 30-30
LAN-to-LAN tunnel group 30-13
remote access tunnel group, configuring 30-5
routes, defining equal cost routes 9-4
tunnel group 27-11, 30-2
default configuration
commands 2-1
restoring 2-2
default policy 21-3
default routes
about 9-4
configuring 9-4
deny flows, logging 16-21
deny in a crypto map 27-15
deny-message
group policy WebVPN attribute 30-61
username WebVPN attribute 30-80
DES, IKE policy keywords (table) 27-3
device ID, including in messages 42-19
device pass-through, ASA 5505 as Easy VPN client 34-8
DfltGrpPolicy 30-31
DHCP
addressing, configuring 31-3
Cisco IP Phones 10-4
options 10-3
relay 10-5
server 10-1, 10-2
transparent firewall 16-6
DHCP Intercept, configuring 30-43
Diffie-Hellman
Group 5 27-4
groups supported 27-4
DiffServ preservation 24-5
digital certificates
authenticating WebVPN users 37-15
SSL 37-5
WebVPN authentication restrictions 37-5
directory hierarchy search E-4
disabling content rewrite 37-29
disabling messages, specific message IDs 42-20
DMZ, definition 1-1
DNS
configuring for WebVPN 37-16
dynamic 10-6
inspection
about 25-13
managing 25-13
rewrite, about 25-14
rewrite, configuring 25-15
NAT effect on 17-14
server, configuring 30-34
domain attributes, group policy 30-42
domain name 8-2
dotted decimal subnet masks D-3
downloadable access lists
configuring 19-9
converting netmask expressions 19-12
DSCP preservation 24-5
dual IP stack, configuring 12-4
dual-ISP support 9-5
duplex, configuring 5-1
dynamic crypto map 27-24
creating 32-6
See also crypto map
Dynamic DNS 10-6
dynamic NAT
See NAT
E
Easy VPN
client
authentication 34-11
configuration restrictions, table 34-2
enabling and disabling 34-1
group policy attributes pushed to 34-9
mode 34-3
remote management 34-8
trustpoint 34-7
tunnels 34-8
Xauth 34-4
server (headend) 34-1
Easy VPN client
ASA 5505
device pass-through 34-8
split tunneling 34-7
TCP 34-4
tunnel group 34-6
tunneling 34-5
echo reply, ICMP message D-15
ECMP 9-3
editing command lines C-3
EIGRP 16-6
e-mail
closing the Outlook connection 37-27
configuring for WebVPN 37-26
proxies, WebVPN 37-26
proxy, certificate authentication 37-27
WebVPN, configuring 37-26
EMBLEM format, using in logs 42-20
enable command 2-5
end-user interface, WebVPN, defining 37-32
Enterprises 10-4
Entrust, CA server support 39-5
ESP security protocol 27-2
established command, security level requirements 7-2
Ethernet
Auto-MDI/MDIX 5-1
duplex 5-1
speed 5-1
EtherType
assigned numbers 16-10
See also access lists
external group policy, configuring 30-33
F
facility, syslog 42-8
factory default configuration
commands 2-1
restoring 2-2
failover
about 14-1
Active/Active, configuring 14-26
Active/Active, See Active/Active failover
Active/Standby, configuring 14-19
Active/Standby, See Active/Standby failover
configuration file
terminal messages, Active/Active 14-11
terminal messages, Active/Standby 14-7
configuring 14-18
contexts 14-6
controlling 14-49
debug messages 14-50
disabling 14-49
displaying commands 14-48
encrypting failover communication 14-39
Ethernet failover cable 14-4
examples
Active/Active LAN-based failover B-22, B-28
Active/Standby cable-based failover B-20, B-26
Active/Standby LAN-based failover B-21, B-27
failover link 14-3
forcing 14-49
health monitoring 14-16
interface health 14-17
interface monitoring 14-17
interface tests 14-17
licenses 14-2
link communications 14-3
MAC addresses
about 14-6
automatically assigning 6-11
monitoring, configuration 14-49
monitoring, health 14-16
network tests 14-17
primary unit 14-6
restoring a failed group 14-50
restoring a failed unit 14-50
secondary unit 14-6
serial cable 14-4
SNMP syslog traps 14-51
software versions 14-2
Stateful Failover, See Stateful Failover
state link 14-5
subsecond 14-38
system log messages 14-50
system requirements 14-2
testing 14-48
type selection 14-14
understanding 14-1
unit health 14-16
verifying the configuration 14-39
fast path 1-4
fiber interfaces 5-3
filter (access list)
group policy WebVPN attribute 30-63
username WebVPN attribute 30-80
filtering
about 20-1
ActiveX 20-2
FTP 20-9
Java applets 20-3
security level requirements 7-2
servers supported 20-4
show command output C-4
URLs 20-4
firewall
Black Ice 30-56
Cisco Integrated 30-55
Cisco Security Agent 30-55
custom 30-55
Network Ice 30-56
none 30-55
Sygate personal 30-56
Zone Labs 30-55
firewall mode
about 15-1
configuring 2-5
firewall policy, group policy 30-54
FO (failover) license 14-3
FO_AA license 14-3
format of messages 42-23
fragmentation policy, IPSec 27-8
fragment size 23-11
FTP inspection
about 25-27
configuring 25-26
functions, WebVPN
username WebVPN attribute 30-76
WebVPN group policy attribute 30-59
G
general attributes, tunnel group 30-2
general parameters, tunnel group 30-2
general tunnel-group connection parameters 30-2
generating RSA keys 39-6
global addresses
recommendations 17-13
specifying 17-23
global e-mail proxy attributes 37-26
global IPSec SA lifetimes, changing 27-22
group-lock, username attribute 30-74
group policy
address pools 30-53
attributes 30-34
backup server attributes 30-47
client access rules 30-57
configuring 30-33
default domain name for tunneled packets 30-42
definition 30-1, 30-30
domain attributes 30-42
Easy VPN client, attributes pushed to ASA 5505 34-9
external, configuring 30-33
firewall policy 30-54
hardware client user idle timeout 30-45
internal, configuring 30-34
IP phone bypass 30-45
IPSec over UDP attributes 30-40
LEAP Bypass 30-46
network extension mode 30-46
security attributes 30-38
split tunneling attributes 30-41
split-tunneling domains 30-43
user authentication 30-44
VPN attributes 30-35
VPN hardware client attributes 30-44
webvpn attributes 30-58
WINS and DNS servers 30-34
group policy, default 30-30
group policy, secure unit authentication 30-44
group policy WebVPN attributes
application access 30-64
auto-signon 30-63
customization 30-60
deny-message 30-61
filter 30-63
home page 30-62
html-content filter 30-61
keep-alive-ignore 30-65
port forward 30-64
port-forward-name 30-65
sso-server 30-66
svc 30-67
url-list 30-64
GTP inspection
about 25-32
configuring 25-32
H
H.225 timeouts 25-42
H.245 troubleshooting 25-43
H.323 inspection
about 25-38
configuring 25-38
limitations 25-39
troubleshooting 25-44
hairpinning 27-20
hardware client, group policy attributes 30-44
help, command line C-4
HMAC hashing method 27-3
hold-period 33-8
homepage
group policy WebVPN attribute 30-62
username WebVPN attribute 30-79
hostname
configuring 8-2
in banners 8-2
multiple context mode 8-2
hosts, subnet masks for D-3
hosts file
errors 37-18
reconfiguring 37-20
WebVPN 37-19
HSRP 15-9
html-content-filter
group policy WebVPN attribute 30-61
username WebVPN attribute 30-78
HTTP(S)
authentication 40-5
filtering 20-4
HTTP/HTTPS WebVPN proxy, setting 37-5
HTTP compression, WebVPN, enabling 30-66, 30-83
HTTP inspection
about 25-44
configuring 25-44
HTTP redirection for login, Easy VPN client on the ASA 5505 34-12
HTTPS for WebVPN sessions 37-3
hub-and-spoke VPN scenario 27-20
I
ICMP
testing connectivity 43-1
type numbers D-15
idle timeout
hardware client user, group policy 30-45
username attribute 30-72
ID method for ISAKMP peers, determining 27-6
IKE
benefits 27-2
creating policies 27-4
keepalive setting, tunnel group 30-3
pre-shared key, Easy VPN client on the ASA 5505 34-6
See also ISAKMP
ILS inspection 25-53
IM 25-65
inbound access lists 18-1
individual user authentication 34-12
information reply, ICMP message D-15
information request, ICMP message D-15
inheritance
tunnel group 30-1
username attribute 30-71
inside, definition 1-1
inspection_default class-map 21-4
inspection engines
See application inspection
Instant Messaging inspection 25-65
intercept DHCP, configuring 30-43
interfaces
ASA 5505
about 4-1
enabled status 4-9
IP address 4-7
MAC addresses 4-4
maximum VLANs 4-2
non-forwarding 4-6
protected switch ports 4-9
switch port configuration 4-9
trunk ports 4-11
VLAN interface configuration 4-5
configuring for remote access 32-2
configuring IPv6 on 12-3
duplex 5-1
enabled status 5-1
enabling 5-2
failover monitoring 14-17
fiber 5-3
global addresses 17-23
IDs 5-2
IP address 7-4
MAC addresses
automatically assigning 6-11
manually assigning to interfaces 7-4
mapped name 6-8
naming, physical and subinterface 7-3
naming, VLAN 4-6
SFP 5-3
speed 5-1
subinterfaces 5-3
viewing monitored interface status 14-48
internal group policy, configuring 30-34
Internet Security Association and Key Management Protocol
See ISAKMP
intrusion prevention configuration 22-2
IP addresses
ASA 5505 4-7
classes D-1
configuring an assignment method for remote access clients 31-1
configuring for VPNs 31-1
configuring local IP address pools 31-2
interface 7-4
management, transparent firewall 8-5
private D-2
subnet mask D-4
IP phone 34-8
IP phone bypass, group policy 30-45
IPS configuration 22-2
IPSec
about 27-2
access list 27-20
anti-replay window 24-10
basic configuration with static crypto maps 27-22
Cisco VPN Client 27-2
configuring 27-1, 27-11
crypto map entries 27-12
enabling debug 28-7
fragmentation policy 27-8
LAN-to-LAN configurations 27-2
modes 28-2
over NAT-T, enabling 27-7
over TCP, enabling 27-8
over UDP, group policy, configuring attributes 30-40
remote access configurations 27-2
remote-access tunnel group 30-6
SA lifetimes, changing 27-22
setting maximum active VPN sessions 29-3
tunnel 27-11
viewing configuration 27-26
IPSec parameters, tunnel group 30-3
ipsec-ra, creating an IPSec remote-access tunnel 30-6
IP spoofing, preventing 23-10
IPv6
access lists 12-6
commands 12-1
configuring alongside IPv4 12-4
default route 12-5
dual IP stack 12-4
duplicate address detection 12-4
enabling 12-3
neighbor discovery 12-7
router advertisement messages 12-9
static neighbor 12-11
static routes 12-5
verifying 12-11
IPv6 addresses
anycast D-9
command support for 12-1
format D-5
multicast D-8
prefixes D-10
required D-10
types of D-6
unicast D-6
ISAKMP
about 27-2
configuring 27-1, 27-2
determining an ID method for peers 27-6
disabling in aggressive mode 27-6
enabling on the outside interface 27-6, 32-3
keepalive setting, tunnel group 30-3
policies, configuring 27-5
See also IKE
J
Java applets, filtering 20-2
Java object signing 37-29
java-trustpoint 37-29
K
keep-alive-ignore
group policy WebVPN attribute 30-65
username WebVPN attribute 30-82
Kerberos
configuring 13-12
support 13-5
L
L2TP description 28-1
LAN-to-LAN tunnel group, configuring 30-13
latency
about 24-1
configuring 24-2, 24-3
reducing 24-5
Layer 2 firewall
See transparent firewall
Layer 2 forwarding table
See MAC address table
Layer 2 Tunneling Protocol 28-1
Layer 3/4
matching multiple policy maps 21-18
LDAP
AAA support 13-6
application inspection 25-53
attribute mapping 13-8
Cisco attributes E-5
Cisco-AV-pair E-14
configuring 13-12
configuring a AAA server E-2 to E-18
directory about E-3
directory search E-4
example configuration procedures E-19 to E-22
hierarchy example E-3
permissions policy E-2
SASL 13-6
schema example E-15
schema loading E-18
schema planning E-3 to E-5
server configuration about E-3
server type 13-7
user authentication 13-6
user authorization 13-7
user permissions E-18
LEAP Bypass, group policy 30-46
licenses
FO 14-3
FO_AA 14-3
managing 41-1
per model A-1
UR 14-3
link up/down test 14-17
LLQ
See low-latency queue
load balancing
cluster configurations 29-7
concepts 29-5
eligible clients 29-7
eligible platforms 29-7
implementing 29-6
mixed cluster scenarios 29-8
platforms 29-7
prerequisites 29-6
local user database
adding a user 13-11
configuring 13-10
logging in 40-6
support 13-9
lockout recovery 40-15
log buffer
save to internal Flash 42-13
send to FTP server 42-14
logging
access lists 16-19
classes
filtering messages by 42-15
types 42-16
device-id, including in system log messages 42-19
e-mail
configuring as output destination 42-9
destination address 42-10
source address 42-9
EMBLEM format 42-20
facility option 42-8
filtering
by message class 42-16
by message list 42-17
by severity level 42-5
logging queue, configuring 42-19
output destinations
ASDM 42-10
console port 42-8
e-mail address 42-9