-
Cisco Security Appliance Command Line Configuration Guide, Version 7.2
-
About This Guide
-
Getting Started and General Information
-
Introduction to the Security Appliance
-
Getting Started
-
Enabling Multiple Context Mode
-
Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
-
Configuring Ethernet Settings and Subinterfaces
-
Adding and Managing Security Contexts
-
Configuring Interface Parameters
-
Configuring Basic Settings
-
Configuring IP Routing
-
Configuring Multicast Routing
-
Configuring DHCP, DDNS, and WCCP Services
-
Configuring IPv6
-
Configuring AAA Servers and the Local Database
-
Configuring Failover
-
-
Configuring the Firewall
-
Firewall Mode Overview
-
Identifying Traffic With Access Lists
-
Applying NAT
-
Permitting or Denying Network Access
-
Applying AAA for Network Access
-
Applying Filtering Services
-
Using Modular Policy Framework
-
Managing AIP SSM and CSC SSM
-
Preventing Network Attacks
-
Applying QoS Policies
-
Applying Application Layer Protocol Inspection
-
Configuring ARP Inspection and Bridging Parameters
-
-
Configuring VPN
-
Configuring IPSec and ISAKMP
-
Configuring L2TP over IPSec
-
Setting General VPN Parameters
-
Configuring Tunnel Groups, Group Policies, and Users
-
Configuring IP Addresses for VPN
-
Configuring Remote Access VPNs
-
Configuring Network Admission Control
-
Configuring Easy VPN on the ASA 5505
-
Configuring the PPPoE Client
-
Configuring LAN-to-LAN VPNs
-
Configuring WebVPN
-
Configuring SSL VPN Client
-
Configuring Certificates
-
- System Administration
- Reference
-
Glossary
-
Index
-
Table Of Contents
Example 1: Multiple Mode Firewall With Outside Access
Example 1: System Configuration
Example 1: Admin Context Configuration
Example 1: Customer A Context Configuration
Example 1: Customer B Context Configuration
Example 1: Customer C Context Configuration
Example 2: Single Mode Firewall Using Same Security Level
Example 3: Shared Resources for Multiple Contexts
Example 3: System Configuration
Example 3: Admin Context Configuration
Example 3: Department 1 Context Configuration
Example 3: Department 2 Context Configuration
Example 4: Multiple Mode, Transparent Firewall with Outside Access
Example 4: System Configuration
Example 4: Admin Context Configuration
Example 4: Customer A Context Configuration
Example 4: Customer B Context Configuration
Example 4: Customer C Context Configuration
Example 5: WebVPN Configuration
Example 7: Cable-Based Active/Standby Failover (Routed Mode)
Example 8: LAN-Based Active/Standby Failover (Routed Mode)
Example 8: Primary Unit Configuration
Example 8: Secondary Unit Configuration
Example 9: LAN-Based Active/Active Failover (Routed Mode)
Example 9: Primary Unit Configuration
Example 9: Primary System Configuration
Example 9: Primary admin Context Configuration
Example 9: Primary ctx1 Context Configuration
Example 9: Secondary Unit Configuration
Example 10: Cable-Based Active/Standby Failover (Transparent Mode)
Example 11: LAN-Based Active/Standby Failover (Transparent Mode)
Example 11: Primary Unit Configuration
Example 11: Secondary Unit Configuration
Example 12: LAN-Based Active/Active Failover (Transparent Mode)
Example 12: Primary Unit Configuration
Example 12: Primary System Configuration
Example 12: Primary admin Context Configuration
Example 12: Primary ctx1 Context Configuration
Example 12: Secondary Unit Configuration
Example 13: Dual ISP Support Using Static Route Tracking
Example 14: ASA 5505 Base License
Example 15: ASA 5505 Security Plus License with Failover and Dual-ISP Backup
Example 15: Primary Unit Configuration
Example 15: Secondary Unit Configuration
Example 16: Network Traffic Diversion
Inspecting All Traffic with the AIP SSM
Inspecting Specific Traffic with the AIP SSM
Verifying the Recording of Alert Events
Troubleshooting the Configuration
Sample Configurations
This appendix illustrates and describes a number of common ways to implement the security appliance, and includes the following topics:
•
Example 1: Multiple Mode Firewall With Outside Access
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Example 1: Multiple Mode Firewall With Outside Access
This configuration creates three security contexts plus the admin context, each with an inside and an outside interface. The Customer C context includes a DMZ interface where a Websense server for HTTP filtering resides on the service provider premises (see Figure B-1).
Inside hosts can access the Internet through the outside using dynamic NAT or PAT, but no outside hosts can access the inside.
The Customer A context has a second network behind an inside router.
The admin context allows SSH sessions to the security appliance from one host.
Although inside IP addresses can be the same across contexts when the interfaces are unique, keeping them unique is easier to manage.
Figure B-1 Example 1
See the following sections for the configurations for this scenario:
•
•
•
•
•
Example 1: System Configuration
You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.
hostname Farscapepassword passw0rdenable password chr1cht0nmac-address autoasdm image disk0:/asdm.binboot system disk0:/image.binadmin-context admininterface gigabitethernet 0/0shutdowninterface gigabitethernet 0/0.3vlan 3no shutdowninterface gigabitethernet 0/1no shutdowninterface gigabitethernet 0/1.4vlan 4no shutdowninterface gigabitethernet 0/1.5vlan 5no shutdowninterface gigabitethernet 0/1.6vlan 6no shutdowninterface gigabitethernet 0/1.7vlan 7no shutdowninterface gigabitethernet 0/1.8vlan 8no shutdownclass goldlimit-resource rate conns 2000limit-resource conns 20000class silverlimit-resource rate conns 1000limit-resource conns 10000class bronzelimit-resource rate conns 500limit-resource conns 5000context adminallocate-interface gigabitethernet 0/0.3allocate-interface gigabitethernet 0/1.4config-url disk0://admin.cfgmember defaultcontext customerAdescription This is the context for customer Aallocate-interface gigabitethernet 0/0.3allocate-interface gigabitethernet 0/1.5config-url disk0://contexta.cfgmember goldcontext customerBdescription This is the context for customer Ballocate-interface gigabitethernet 0/0.3allocate-interface gigabitethernet 0/1.6config-url disk0://contextb.cfgmember silvercontext customerCdescription This is the context for customer Callocate-interface gigabitethernet 0/0.3allocate-interface gigabitethernet 0/1.7-gigabitethernet 0/1.8config-url disk0://contextc.cfgmember bronzeExample 1: Admin Context Configuration
The host at 10.1.1.75 can access the context using SSH, which requires a key to be generated using the crypto key generate command.
hostname Admindomain ispinterface gigabitethernet 0/0.3nameif outsidesecurity-level 0ip address 209.165.201.2 255.255.255.224no shutdowninterface gigabitethernet 0/1.4nameif insidesecurity-level 100ip address 10.1.1.1 255.255.255.0no shutdownpasswd secret1969enable password h1andl0route outside 0 0 209.165.201.1 1ssh 10.1.1.75 255.255.255.255 insidenat (inside) 1 10.1.1.0 255.255.255.0! This context uses dynamic NAT for inside users that access the outsideglobal (outside) 1 209.165.201.10-209.165.201.29! The host at 10.1.1.75 has access to the Websense server in Customer C, so! it needs a static translation for use in Customer C's access liststatic (inside,outside) 209.165.201.30 10.1.1.75 netmask 255.255.255.255Example 1: Customer A Context Configuration
interface gigabitethernet 0/0.3nameif outsidesecurity-level 0ip address 209.165.201.3 255.255.255.224no shutdowninterface gigabitethernet 0/1.5nameif insidesecurity-level 100ip address 10.1.2.1 255.255.255.0no shutdownpasswd hell0!enable password enter55route outside 0 0 209.165.201.1 1! The Customer A context has a second network behind an inside router that requires a! static route. All other traffic is handled by the default route pointing to the router.route inside 192.168.1.0 255.255.255.0 10.1.2.2 1nat (inside) 1 10.1.2.0 255.255.255.0! This context uses dynamic PAT for inside users that access that outside. The outside! interface address is used for the PAT addressglobal (outside) 1 interfaceExample 1: Customer B Context Configuration
interface gigabitethernet 0/0.3nameif outsidesecurity-level 0ip address 209.165.201.4 255.255.255.224no shutdowninterface gigabitethernet 0/1.6nameif insidesecurity-level 100ip address 10.1.3.1 255.255.255.0no shutdownpasswd tenac10usenable password defen$eroute outside 0 0 209.165.201.1 1nat (inside) 1 10.1.3.0 255.255.255.0! This context uses dynamic PAT for inside users that access the outsideglobal (outside) 1 209.165.201.9 netmask 255.255.255.255access-list INTERNET remark Inside users only access HTTP and HTTPS servers on the outsideaccess-list INTERNET extended permit tcp any any eq httpaccess-list INTERNET extended permit tcp any any eq httpsaccess-group INTERNET in interface insideExample 1: Customer C Context Configuration
interface gigabitethernet 0/0.3nameif outsidesecurity-level 0ip address 209.165.201.5 255.255.255.224no shutdowninterface gigabitethernet 0/1.7nameif insidesecurity-level 100ip address 10.1.4.1 255.255.255.0no shutdowninterface gigabitethernet 0/1.8nameif dmzsecurity-level 50ip address 192.168.2.1 255.255.255.0no shutdownpasswd fl0werenable password treeh0u$eroute outside 0 0 209.165.201.1 1url-server (dmz) vendor websense host 192.168.2.2 url-block block 50url-cache dst 128filter url http 10.1.4.0 255.255.255.0 0 0! When inside users access an HTTP server, the security appliance consults with a! Websense server to determine if the traffic is allowednat (inside) 1 10.1.4.0 255.255.255.0! This context uses dynamic NAT for inside users that access the outsideglobal (outside) 1 209.165.201.9 netmask 255.255.255.255! A host on the admin context requires access to the Websense server for management using! pcAnywhere, so the Websense server uses a static translation for its private addressstatic (dmz,outside) 209.165.201.6 192.168.2.2 netmask 255.255.255.255access-list MANAGE remark Allows the management host to use pcAnywhere on the Websense serveraccess-list MANAGE extended permit tcp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-dataaccess-list MANAGE extended permit udp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-statusaccess-group MANAGE in interface outsideExample 2: Single Mode Firewall Using Same Security Level
This configuration creates three internal interfaces. Two of the interfaces connect to departments that are on the same security level, which allows all hosts to communicate without using access lists. The DMZ interface hosts a Syslog server. The management host on the outside needs access to the Syslog server and the security appliance. To connect to the security appliance, the host uses a VPN connection. The security appliance uses RIP on the inside interfaces to learn routes. The security appliance does not advertise routes with RIP; the upstream router needs to use static routes for security appliance traffic (see Figure B-2).
The Department networks are allowed to access the Internet, and use PAT.
Figure B-2 Example 2
passwd g00fba11enable password gen1u$hostname Busterasdm image disk0:/asdm.binboot system disk0:/image.bininterface gigabitethernet 0/0nameif outsidesecurity-level 0ip address 209.165.201.3 255.255.255.224no shutdowninterface gigabitethernet 0/1nameif dept2security-level 100ip address 10.1.2.1 255.255.255.0mac-address 000C.F142.4CDE standby 000C.F142.4CDFno shutdownrip authentication mode md5rip authentication key scorpius key_id 1interface gigabitethernet 0/2nameif dept1security-level 100ip address 10.1.1.1 255.255.255.0no shutdowninterface gigabitethernet 0/3nameif dmzsecurity-level 50ip address 192.168.2.1 255.255.255.0no shutdownsame-security-traffic permit inter-interfaceroute outside 0 0 209.165.201.1 1nat (dept1) 1 10.1.1.0 255.255.255.0nat (dept2) 1 10.1.2.0 255.255.255.0! The dept1 and dept2 networks use PAT when accessing the outsideglobal (outside) 1 209.165.201.9 netmask 255.255.255.255! Because we perform dynamic NAT on these addresses for outside access, we need to perform! NAT on them for all other interface access. This identity static statement just! translates the local address to the same address.static (dept1,dept2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0static (dept2,dept1) 10.1.2.0 10.1.2.0 netmask 255.255.255.0! The syslog server uses a static translation so the outside management host can access! the serverstatic (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255access-list MANAGE remark Allows the management host to access the syslog serveraccess-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq telnetaccess-group MANAGE in interface outside! Advertises the security appliance IP address as the default gateway for the downstream! router. The security appliance does not advertise a default route to the upstream! router. Listens for RIP updates from the downstream router. The security appliance does! not listen for RIP updates from the upstream router because a default route to the! upstream router is all that is required.router ripnetwork 10.0.0.0default information originateversion 2! The client uses a pre-shared key to connect to the security appliance over IPSec. The! key is the password in the username command following.isakmp policy 1 authentication pre-shareisakmp policy 1 encryption 3desisakmp policy 1 group 2isakmp policy 1 hash shaisakmp enable outsidecrypto ipsec transform-set vpn_client esp-3des esp-sha-hmacusername admin password passw0rdcrypto ipsec transform-set vpn esp-3des esp-sha-hmaccrypto dynamic-map vpn_client 1 set transform-set vpncrypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_clientcrypto map telnet_tunnel interface outsideip local pool client_pool 10.1.1.2access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 10.1.1.2telnet 10.1.1.2 255.255.255.255 outsidetelnet timeout 30logging trap 5! System messages are sent to the syslog server on the DMZ networklogging host dmz 192.168.2.2logging enableExample 3: Shared Resources for Multiple Contexts
This configuration includes multiple contexts for multiple departments within a company. Each department has its own security context so that each department can have its own security policy. However, the syslog, mail, and AAA servers are shared across all departments. These servers are placed on a shared interface (see Figure B-3).
Department 1 has a web server that outside users who are authenticated by the AAA server can access.
Figure B-3 Example 3
See the following sections for the configurations for this scenario:
•
•
•
•
Example 3: System Configuration
You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.
hostname Ubikpassword pkd55enable password deckard69asdm image disk0:/asdm.binboot system disk0:/image.binmac-address autoadmin-context admininterface gigabitethernet 0/0no shutdowninterface gigabitethernet 0/0.200vlan 200no shutdowninterface gigabitethernet 0/1shutdowninterface gigabitethernet 0/1.201vlan 201no shutdowninterface gigabitethernet 0/1.202vlan 202no shutdowninterface gigabitethernet 0/1.300vlan 300no shutdowncontext adminallocate-interface gigabitethernet 0/0.200allocate-interface gigabitethernet 0/1.201allocate-interface gigabitethernet 0/1.300config-url disk0://admin.cfgcontext department1allocate-interface gigabitethernet 0/0.200allocate-interface gigabitethernet 0/1.202allocate-interface gigabitethernet 0/1.300config-url ftp://admin:passw0rd@10.1.0.16/dept1.cfgcontext department2allocate-interface gigabitethernet 0/0.200allocate-interface gigabitethernet 0/1.203allocate-interface gigabitethernet 0/1.300config-url ftp://admin:passw0rd@10.1.0.16/dept2.cfgExample 3: Admin Context Configuration
hostname Admininterface gigabitethernet 0/0.200nameif outsidesecurity-level 0ip address 209.165.201.3 255.255.255.224no shutdowninterface gigabitethernet 0/0.201nameif insidesecurity-level 100ip address 10.1.0.1 255.255.255.0no shutdowninterface gigabitethernet 0/0.300nameif sharedsecurity-level 50ip address 10.1.1.1 255.255.255.0no shutdownpasswd v00d00enable password d011route outside 0 0 209.165.201.2 1nat (inside) 1 10.1.0.0 255.255.255.0! This context uses PAT for inside users that access the outsideglobal (outside) 1 209.165.201.6 netmask 255.255.255.255! This context uses PAT for inside users that access the shared networkglobal (shared) 1 10.1.1.30! Because this host can access the web server in the Department 1 context, it requires a! static translationstatic (inside,outside) 209.165.201.7 10.1.0.15 netmask 255.255.255.255! Because this host has management access to the servers on the Shared interface, it! requires a static translation to be used in an access liststatic (inside,shared) 10.1.1.78 10.1.0.15 netmask 255.255.255.255access-list SHARED remark -Allows only mail traffic from inside to exit shared interfaceaccess-list SHARED remark -but allows the admin host to access any server.access-list SHARED extended permit ip host 10.1.1.78 anyaccess-list SHARED extended permit tcp host 10.1.1.30 host 10.1.1.7 eq smtp! Note that the translated addresses are used.access-group SHARED out interface shared! Allows 10.1.0.15 to access the admin context using Telnet. From the admin context, you! can access all other contexts.telnet 10.1.0.15 255.255.255.255 insideaaa-server AAA-SERVER protocol tacacs+aaa-server AAA-SERVER (shared) host 10.1.1.6key TheUauthKeyserver-port 16! The host at 10.1.0.15 must authenticate with the AAA server to log inaaa authentication telnet console AAA-SERVERaaa authorization command AAA-SERVER LOCALaaa accounting command AAA-SERVERlogging trap 6! System messages are sent to the syslog server on the Shared networklogging host shared 10.1.1.8logging enableExample 3: Department 1 Context Configuration
interface gigabitethernet 0/0.200nameif outsidesecurity-level 0ip address 209.165.201.4 255.255.255.224no shutdowninterface gigabitethernet 0/0.202nameif insidesecurity-level 100ip address 10.1.2.1 255.255.255.0no shutdowninterface gigabitethernet 0/0.300nameif sharedsecurity-level 50ip address 10.1.1.2 255.255.255.0no shutdownpasswd cugelenable password rhialtonat (inside) 1 10.1.2.0 255.255.255.0! The inside network uses PAT when accessing the outsideglobal (outside) 1 209.165.201.8 netmask 255.255.255.255! The inside network uses dynamic NAT when accessing the shared networkglobal (shared) 1 10.1.1.31-10.1.1.37! The web server can be accessed from outside and requires a static translationstatic (inside,outside) 209.165.201.9 10.1.2.3 netmask 255.255.255.255access-list WEBSERVER remark -Allows the management host (its translated address) on the access-list WEBSERVER remark -admin context to access the web server for managementaccess-list WEBSERVER remark -it can use any IP protocolaccess-list WEBSERVER extended permit ip host 209.165.201.7 host 209.165.201.9access-list WEBSERVER remark -Allows any outside address to access the web serveraccess-list WEBSERVER extended permit tcp any eq http host 209.165.201.9 eq httpaccess-group WEBSERVER in interface outsideaccess-list MAIL remark -Allows only mail traffic from inside to exit out the shared int! Note that the translated addresses are used.access-list MAIL extended permit tcp host 10.1.1.31 eq smtp host 10.1.1.7 eq smtpaccess-list MAIL extended permit tcp host 10.1.1.32 eq smtp host 10.1.1.7 eq smtpaccess-list MAIL extended permit tcp host 10.1.1.33 eq smtp host 10.1.1.7 eq smtpaccess-list MAIL extended permit tcp host 10.1.1.34 eq smtp host 10.1.1.7 eq smtpaccess-list MAIL extended permit tcp host 10.1.1.35 eq smtp host 10.1.1.7 eq smtpaccess-list MAIL extended permit tcp host 10.1.1.36 eq smtp host 10.1.1.7 eq smtpaccess-list MAIL extended permit tcp host 10.1.1.37 eq smtp host 10.1.1.7 eq smtpaccess-group MAIL out interface sharedaaa-server AAA-SERVER protocol tacacs+aaa-server AAA-SERVER (shared) host 10.1.1.6key TheUauthKeyserver-port 16! All traffic matching the WEBSERVER access list must authenticate with the AAA serveraaa authentication match WEBSERVER outside AAA-SERVERlogging trap 4! System messages are sent to the syslog server on the Shared networklogging host shared 10.1.1.8logging enableExample 3: Department 2 Context Configuration
interface gigabitethernet 0/0.200nameif outsidesecurity-level 0ip address 209.165.201.5 255.255.255.224no shutdowninterface gigabitethernet 0/0.203nameif insidesecurity-level 100ip address 10.1.3.1 255.255.255.0no shutdowninterface gigabitethernet 0/0.300nameif sharedsecurity-level 50ip address 10.1.1.3 255.255.255.0no shutdownpasswd maz1r1anenable password ly0ne$$eroute outside 0 0 209.165.201.2 1nat (inside) 1 10.1.3.0 255.255.255.0! The inside network uses PAT when accessing the outsideglobal (outside) 1 209.165.201.10 netmask 255.255.255.255! The inside network uses PAT when accessing the shared networkglobal (shared) 1 10.1.1.38access-list MAIL remark -Allows only mail traffic from inside to exit out the shared intaccess-list MAIL extended permit tcp host 10.1.1.38 host 10.1.1.7 eq smtp! Note that the translated PAT address is used.access-group MAIL out interface sharedlogging trap 3! System messages are sent to the syslog server on the Shared networklogging host shared 10.1.1.8logging enableExample 4: Multiple Mode, Transparent Firewall with Outside Access
This configuration creates three security contexts plus the admin context. Each context allows OSPF traffic to pass between the inside and outside routers (see Figure B-4).
Inside hosts can access the Internet through the outside, but no outside hosts can access the inside.
An out-of-band management host is connected to the Management 0/0 interface.
The admin context allows SSH sessions to the security appliance from one host.
Although inside IP addresses can be the same across contexts, keeping them unique is easier to manage.
Figure B-4 Example 4
See the following sections for the configurations for this scenario:
•
•
•
•
•
Example 4: System Configuration
You must first enable multiple context mode using the mode multiple command. The mode is not stored in the configuration file, even though it endures reboots. Enter the show mode command to view the current mode.
firewall transparenthostname Farscapepassword passw0rdenable password chr1cht0nasdm image disk0:/asdm.binboot system disk0:/image.binadmin-context admininterface gigabitethernet 0/0no shutdowninterface gigabitethernet 0/0.150vlan 150no shutdowninterface gigabitethernet 0/0.151vlan 151no shutdowninterface gigabitethernet 0/0.152vlan 152no shutdowninterface gigabitethernet 0/0.153vlan 153no shutdowninterface gigabitethernet 0/1shutdowninterface gigabitethernet 0/1.4vlan 4no shutdowninterface gigabitethernet 0/1.5vlan 5no shutdowninterface gigabitethernet 0/1.6vlan 6no shutdowninterface gigabitethernet 0/1.7vlan 7no shutdowninterface management 0/0no shutdowncontext adminallocate-interface gigabitethernet 0/0.150allocate-interface gigabitethernet 0/1.4allocate-interface management 0/0config-url disk0://admin.cfgcontext customerAdescription This is the context for customer Aallocate-interface gigabitethernet 0/0.151allocate-interface gigabitethernet 0/1.5config-url disk0://contexta.cfgcontext customerBdescription This is the context for customer Ballocate-interface gigabitethernet 0/0.152allocate-interface gigabitethernet 0/1.6config-url disk0://contextb.cfgcontext customerCdescription This is the context for customer Callocate-interface gigabitethernet 0/0.153allocate-interface gigabitethernet 0/1.7config-url disk0://contextc.cfgExample 4: Admin Context Configuration
The host at 10.1.1.75 can access the context using SSH, which requires a key pair to be generated using the crypto key generate command.
hostname Admindomain ispinterface gigabitethernet 0/0.150nameif outsidesecurity-level 0no shutdowninterface gigabitethernet 0/1.4nameif insidesecurity-level 100no shutdowninterface management 0/0nameif managesecurity-level 50ip address 10.2.1.1 255.255.255.0no shutdownpasswd secret1969enable password h1andl0ip address 10.1.1.1 255.255.255.0route outside 0 0 10.1.1.2 1ssh 10.1.1.75 255.255.255.255 insideaccess-list OSPF remark -Allows OSPFaccess-list OSPF extended permit 89 any anyaccess-group OSPF in interface outsideExample 4: Customer A Context Configuration
interface gigabitethernet 0/0.151nameif outsidesecurity-level 0no shutdowninterface gigabitethernet 0/1.5nameif insidesecurity-level 100no shutdownpasswd hell0!enable password enter55ip address 10.1.2.1 255.255.255.0route outside 0 0 10.1.2.2 1access-list OSPF remark -Allows OSPFaccess-list OSPF extended permit 89 any anyaccess-group OSPF in interface outsideExample 4: Customer B Context Configuration
interface gigabitethernet 0/0.152nameif outsidesecurity-level 0no shutdowninterface gigabitethernet 0/1.6nameif insidesecurity-level 100no shutdownpasswd tenac10usenable password defen$eip address 10.1.3.1 255.255.255.0route outside 0 0 10.1.3.2 1access-list OSPF remark -Allows OSPFaccess-list OSPF extended permit 89 any anyaccess-group OSPF in interface outsideExample 4: Customer C Context Configuration
interface gigabitethernet 0/0.153nameif outsidesecurity-level 0no shutdowninterface gigabitethernet 0/1.7nameif insidesecurity-level 100no shutdownpasswd fl0werenable password treeh0u$eip address 10.1.4.1 255.255.255.0route outside 0 0 10.1.4.2 1access-list OSPF remark -Allows OSPFaccess-list OSPF extended permit 89 any anyaccess-group OSPF in interface outsideExample 5: WebVPN Configuration
This configuration shows the commands needed to create WebVPN connections to the security appliance.
WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTP(S) Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.
Step 1
webvpn! WebVPN sessions are allowed on the outside and dmz1 interfaces, ASDM is not allowed.enable outsideenable dmz161title-color greensecondary-color 200,160,0text-color blackdefault-idle-timeout 3600! The NetBios Name server used for CIFS resolution.nbns-server 172.31.122.10 master timeout 2 retry 2accounting-server-group RadiusACS1! WebVPN sessions are authenticated to a RADIUS aaa server.authentication-server-group RadiusACS2Step 2
access-list maia2 remark -deny access to url and send a syslog every 300 secondsaccess-list maia2 remark -containing the hit-count (how many times the url was accessed)access-list maia2 webtype deny url https://sales.example.com log informational interval 300access-list maia2 remark -Permits access to the URL.access-list maia2 webtype permit url http://employee-connection.example.comaccess-list maia2 remark -Permits access to the site using ssh.access-list maia2 remark -To be enforced via Port-Forwarding application.access-list maia2 webtype permit tcp asa-35.example.com 255.255.255.255 eq sshaccess-list maia2 remark -Denies access to the application on port 1533.access-list maia2 webtype deny tcp im.example.com 255.255.255.255 eq 1533access-list maia2 remark -Permits access to files on this file share viaaccess-list maia2 remark -WebVPN Common Internet File System (CIFS).access-list maia2 webtype permit url cifs://server-bos/people/mkting log informational 3600Step 3
url-list HomeURL "Sales" https://sales.example.comurl-list HomeURL "VPN3000-1" http://vpn3k-1.example.comurl-list HomeURL "OWA-2000" http://10.160.105.2/exchangeurl-list HomeURL "Exchange5.5" http://10.86.195.113/exchangeurl-list HomeURL " Employee Benefits" http://benefits.example.comurl-list HomeURL "Calendar" http://http://eng.example.com/cal.htmlStep 4
port-forward Apps1 4001 10.148.1.81 telnet term-servrport-forward Apps1 4008 router1-example.com sshport-forward Apps1 10143 flask.example.com imap4port-forward Apps1 10110 flask.example.com pop3port-forward Apps1 10025 flask.example.com smtpport-forward Apps1 11533 sametime-im.example.com 1533port-forward Apps1 10022 secure-term.example.com sshport-forward Apps1 21666 tuscan.example.com 1666 perforce-f1port-forward Apps1 1030 sales.example.com httpsStep 5
group-policy SSLVPNusers internalgroup-policy SSLVPNusers attributesbanner value Welcome to Web Services !!!vpn-idle-timeout 2vpn-tunnel-protocol IPSec webvpnwebvpnfunctions url-entry file-access file-entry file-browsing port-forward filterurl-list value HomeURLport-forward value Apps1Step 6
! Enables the HTTP server to allow ASDM and WebVPN HTTPS sessions.http server enable! Allows ASDM session(s) from host 10.20.30.47 on the inside interface ; WebVPN sessions! are not allowed on this interface.http 10.10.10.45 255.255.255.255 inside! Allows WebVPN sessions on outside interfce using HTTP to be re-directed to HTTPS.! ASDM session is not allowed on this interface.http redirect outside 80! Allows WebVPN sessions on dmz1 interfce using HTTP to be re-directed to HTTPS.http redirect dmz161 80Step 7
ssl encryption 3des-sha1ssl trust-point CA-MS insideStep 8
imap4senable outsideenable insideenable dmz161default-group-policy DfltGrpPolicypop3senable outsideenable insideenable dmz161default-group-policy DfltGrpPolicysmtpsenable outsideenable insideenable dmz161default-group-policy DfltGrpPolicyExample 6: IPv6 Configuration
This sample configuration shows several features of IPv6 support on the security appliance:
•
•
•
•
•
•
Figure B-5 IPv6 Dual Stack Configuration
enable password myenablepasswordpasswd mypasswordhostname coyupixasdm image flash:/asdm.binboot system flash:/image.bininterface Ethernet0nameif outsidesecurity-level 0ip address 10.142.10.100 255.255.255.0ipv6 address 2001:400:3:1::100/64ipv6 nd suppress-raospf mtu-ignore autono shutdowninterface Ethernet1nameif insidesecurity-level 100ip address 10.140.10.100 255.255.255.0ipv6 address 2001:400:1:1::100/64ospf mtu-ignore autono shutdownaccess-list allow extended permit icmp any anyssh 10.140.10.75 255.255.255.255 insidelogging enablelogging buffered debuggingipv6 enforce-eui64 insideipv6 route outside 2001:400:6:1::/64 2001:400:3:1::1ipv6 route outside ::/0 2001:400:3:1::1ipv6 access-list outacl permit icmp6 2001:400:2:1::/64 2001:400:1:1::/64ipv6 access-list outacl permit tcp 2001:400:2:1::/64 2001:400:1:1::/64 eq telnetipv6 access-list outacl permit tcp 2001:400:2:1::/64 2001:400:1:1::/64 eq ftpipv6 access-list outacl permit tcp 2001:400:2:1::/64 2001:400:1:1::/64 eq wwwaccess-group allow in interface outsideaccess-group outacl in interface outsideroute outside 0.0.0.0 0.0.0.0 16.142.10.1 1Example 7: Cable-Based Active/Standby Failover (Routed Mode)
Figure B-6 shows the network diagram for a failover configuration using a serial Failover cable. This configuration is only available on the PIX security appliance.
Figure B-6 Cable-Based Failover Configuration
The following are the typical commands in a cable-based failover configuration.
enable password myenablepasswordpasswd mypasswordhostname pixfirewallasdm image flash:/asdm.binboot system flash:/image.bininterface Ethernet0nameif outsidesecurity-level 0speed 100duplex fullip address 209.165.201.1 255.255.255.224 standby 209.165.201.2no shutdowninterface Ethernet1nameif insidesecurity-level 100speed 100duplex fullip address 192.168.2.1 255.255.255.0 standby 192.168.2.2no shutdowninterface Ethernet3description STATE Failover Interfacetelnet 192.168.2.45 255.255.255.255 insideaccess-list acl_in permit tcp any host 209.165.201.5 eq 80access-group acl_in in interface outsidefailoverfailover link state Ethernet3failover interface ip state 192.168.253.1 255.255.255.252 standby 192.168.253.2global (outside) 1 209.165.201.3 netmask 255.255.255.224nat (inside) 1 0.0.0.0 0.0.0.0static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0route outside 0.0.0.0 0.0.0.0 209.165.201.4 1Example 8: LAN-Based Active/Standby Failover (Routed Mode)
Figure B-7 shows the network diagram for a failover configuration using an Ethernet failover link. The units are configured to detect unit failures and to fail over in under a second (see the failover polltime unit command in the primary unit configuration).
Figure B-7 LAN
