-
Cisco Security Appliance Command Line Configuration Guide, Version 8.0
-
Index
-
About This Guide
-
Getting Started and General Information
-
Introduction to the Security Appliance
-
Getting Started
-
Enabling Multiple Context Mode
-
Configuring Interfaces for the Cisco ASA 5505 Adaptive Security Appliance
-
Configuring Ethernet Settings and Subinterfaces
-
Adding and Managing Security Contexts
-
Configuring Interface Parameters
-
Configuring Basic Settings
-
Configuring IP Routing
-
Configuring Multicast Routing
-
Configuring DHCP, DDNS, and WCCP Services
-
Configuring IPv6
-
Configuring AAA Servers and the Local Database
-
Configuring Failover
-
-
Configuring the Firewall
-
Firewall Mode Overview
-
Identifying Traffic With Access Lists
-
Configuring NAT
-
Permitting or Denying Network Access
-
Applying AAA for Network Access
-
Applying Filtering Services
-
Using Modular Policy Framework
-
Managing AIP SSM and CSC SSM
-
Preventing Network Attacks
-
Applying QoS Policies
-
Applying Application Layer Protocol Inspection
-
Configuring ARP Inspection and Bridging Parameters in Transparent Mode
-
-
Configuring VPN
-
Configuring IPSec and ISAKMP
-
Configuring L2TP over IPSec
-
Setting General VPN Parameters
-
Configuring Tunnel Groups, Group Policies, and Users
-
Configuring IP Addresses for VPN
-
Configuring Remote Access VPNs
-
Configuring Network Admission Control
-
Configuring Easy VPN on the ASA 5505
-
Configuring the PPPoE Client
-
Configuring LAN-to-LAN VPNs
-
Configuring Clientless SSL VPN
-
Configuring AnyConnect VPN Client Connections
-
Configuring Certificates
-
- System Administration
- Reference
-
Glossary
-
Table Of Contents
Monitoring the Security Appliance
Logging in Multiple Context Mode
Enabling and Disabling Logging
Enabling Logging to All Configured Output Destinations
Disabling Logging to All Configured Output Destinations
Configuring Log Output Destinations
Sending System Log Messages to a Syslog Server
Sending System Log Messages to the Console Port
Sending System Log Messages to an E-mail Address
Sending System Log Messages to ASDM
Sending System Log Messages to a Telnet or SSH Session
Sending System Log Messages to the Log Buffer
Filtering System Log Messages by Class
Filtering System Log Messages with Custom Message Lists
Customizing the Log Configuration
Including the Date and Time in System Log Messages
Including the Device ID in System Log Messages
Generating System Log Messages in EMBLEM Format
Disabling a System Log Message
Changing the Severity Level of a System Log Message
Limiting the Rate of System Log Message Generation
Changing the Amount of Internal Flash Memory Available for Logs
Understanding System Log Messages
Monitoring the Security Appliance
This chapter describes how to monitor the adaptive security appliance, and includes the following sections:
•
Configuring and Managing Logs
Using SNMP
This section describes how to use SNMP, and includes the following topics:
SNMP Overview
The adaptive security appliance provides support for network monitoring using SNMP V1 and V2c. The adaptive security appliance supports traps and SNMP read access, but does not support SNMP write access.
You can configure the adaptive security appliance to send traps (event notifications) to an NMS, or you can use the NMS to browse the MIBs on the adaptive security appliance. MIBs are a collection of definitions, and the adaptive security appliance maintains a database of values for each definition. Browsing a MIB entails issuing an SNMP get request from the NMS. Use CiscoWorks for Windows or any other SNMP V1, MIB-II-compliant browser to receive SNMP traps and browse a MIB.
Table 42-1 lists supported MIBs and traps for the adaptive security appliance and, in multiple mode, for each context. You can download Cisco MIBs from the following website.
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
After you download the MIBs, compile them for your NMS.
Note
Enabling SNMP
The SNMP agent that runs on the adaptive security appliance performs two functions:
•
•
To enable the SNMP agent and identify an NMS that can connect to the adaptive security appliance, perform the following steps:
Step 1
hostname(config)# snmp-server enableThe SNMP server is enabled by default.
Step 2
hostname(config)# snmp-server host interface_name ip_address [trap | poll] [community text] [version 1 | 2c] [udp-port port]Where interface_name is the name of the NMS and ip_address is the IP address of the NMS.
Specify trap or poll if you want to limit the NMS to receiving traps only or browsing (polling) only. By default, the NMS can use both functions.
SNMP traps are sent on UDP port 162 by default. You can change the port number using the udp-port keyword.
Step 3
hostname(config)# snmp-server community keyThe SNMP community string is a shared secret between the security appliance and the NMS. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted.
Step 4
hostname(config)# snmp-server {contact | location} textWhere text defines the SNMP server location or lists contact information.
Step 5
hostname(config)# snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]Enter this command for each feature type to enable individual traps or sets of traps, or enter the all keyword to enable all traps.
The default configuration has all SNMP traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). You can disable these traps using the no form of this command with the snmp keyword. However, use the clear configure snmp-server command to restore the default enabling of SNMP traps.
If you enter this command and do not specify a trap type, then the default is the syslog trap. (The default SNMP traps continue to be enabled along with the syslog trap.)
SNMP traps include:
•
•
•
•
Entity traps include:
•
•
•
IPSec traps include:
•
•
Remote-access traps include:
•
Step 6
hostname(config)# logging history levelWhere level defines the logging severity level.
You must also enable syslog traps using the snmp-server enable traps command.
Step 7
hostname(config)# logging enableThe following example sets the adaptive security appliance to receive requests from host 192.168.3.2 on the inside interface:
hostname(config)# snmp-server host 192.168.3.2hostname(config)# snmp-server location building 42hostname(config)# snmp-server contact Pat leehostname(config)# snmp-server community ohwhatakeyistheeConfiguring and Managing Logs
This section describes the logging functionality and configuration, as well as the system log message format, options, and variables. It includes the following topics:
•
•
•
•
•
•
Logging Overview
The adaptive security appliance system logs provide you with information for monitoring and troubleshooting the adaptive security appliance. With the logging feature, you can do the following:
•
•
•
•
•
•
You can choose to send all system log messages, or subsets of system log messages, to any or all output locations. You can filter system log messages by locations, by the severity of the system log message, the class of the system log message, or by creating a custom system log message list.
Logging in Multiple Context Mode
Each security context includes its own logging configuration and generates its own messages. If you log in to the system or admin context, and then change to another context, messages you view in your session are only those that are related to the current context.
System log messages that are generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space.
You can configure the security appliance to include the context name with each message, which helps you differentiate context messages that are sent to a single syslog server. This feature also helps you to determine which messages are from the admin context and which are from the system; messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID. For more information about enabling logging device IDs, see the "Including the Device ID in System Log Messages" section.
Enabling and Disabling Logging
This section describes how to enable and disable logging on the adaptive security appliance and includes the following topics:
•
•
•
Enabling Logging to All Configured Output Destinations
The following command enables logging; however, you must also specify at least one output destination so that you can view or save the logged messages. If you do not specify an output destination, the adaptive security appliance does not save system log messages generated when events occur.
For more information about configuring log output destinations, see the "Configuring Log Output Destinations" section.
To enable logging, enter the following command:
hostname(config)# logging enableDisabling Logging to All Configured Output Destinations
To disable all logging to all configured log output destinations, enter the following command:
hostname(config)# no logging enableViewing the Log Configuration
To view the running log configuration, enter the following command:
hostname(config)# show loggingThe example output of the show logging command is similar to the following:
Syslog logging: enabledFacility: 16Timestamp logging: disabledStandby logging: disabledDeny Conn when Queue Full: disabledConsole logging: disabledMonitor logging: disabledBuffer logging: disabledTrap logging: level errors, facility 16, 3607 messages loggedLogging to infrastructure 10.1.2.3History logging: disabledDevice ID: 'inside' interface IP address "10.1.1.1"Mail logging: disabledASDM logging: disabledConfiguring Log Output Destinations
This section describes how to specify where the adaptive security appliance should save or send the log messages that are generated and includes the following topics:
•
•
•
•
•
•
Sending System Log Messages to a Syslog Server
This section describes how to configure the adaptive security appliance to send logs to a syslog server.
Configuring the adaptive security appliance to send logs to a syslog server enables you to archive logs, limited only by the available disk space on the server, and to manipulate log data after it is saved. For example, you could specify actions to be executed when certain types of system log messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.
To view logs generated by the adaptive security appliance, you must specify a log output destination. If you enable logging without specifying a log output destination, the adaptive security appliance generates messages, but does not save them to a location from which you can view them.
The syslog server must run a server program called "syslogd." Windows (except for Windows 95 and Windows 98) provides a syslog server as part of its operating system. For Windows 95 and Windows 98, you must obtain a syslogd server from another vendor.
Note
To configure the adaptive security appliance to send system log messages to a syslog server, perform the following steps:
Step 1
hostname(config)# logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]Where the format emblem keyword enables EMBLEM format logging for the syslog server (UDP only).
The interface_name argument specifies the interface through which you access the syslog server.
The ip_address argument specifies the IP address of the syslog server.
The tcp[/port] or udp[/port] argument specifies that the adaptive security appliance should use TCP or UDP to send system log messages to the syslog server. The default protocol is UDP. You can configure the adaptive security appliance to send data to a syslog server using either UDP or TCP, but not both. If you specify TCP, the adaptive security appliance discovers when the syslog server fails and discontinues sending logs. If you specify UDP, the adaptive security appliance continues to send logs regardless of whether the syslog server is operational. The port argument specifies the port that the syslog server listens to for system log messages. Valid port values are 1025 through 65535, for either protocol. The default UDP port is 514. The default TCP port is 1470.
For example:
hostname(config)# logging host dmz1 192.168.1.5If you want to designate more than one syslog server as an output destination, enter a new command for each syslog server.
Step 2
hostname(config)# logging trap {severity_level | message_list}Where the severity_level argument specifies the severity levels of messages to be sent to the syslog server. You can specify the severity level number (0 through 7) or name. For severity level names, see the "Severity Levels" section. For example, if you set the level to 3, then the adaptive security appliance sends system log messages for level 3, 2, 1, and 0.
The message_list argument specifies a customized message list that identifies the system log messages to send to the syslog server. For information about creating custom message lists, see the "Filtering System Log Messages with Custom Message Lists" section.
The following example specifies that the adaptive security appliance should send to the syslog server all system log messages with a severity level of level 3 (errors) and higher. The adaptive security appliance will send messages with the severity of 3, 2, and 1.
hostname(config)# logging trap errorsStep 3
hostname(config)# logging host interface_name server_ip [tcp/port] [permit-hostdown]Step 4
hostname(config)# logging facility numberMost UNIX systems expect the system log messages to arrive at facility 20.
Sending System Log Messages to the Console Port
This section describes how to configure the adaptive security appliance to send logs to the console port.
Note
To specify which system log messages should be sent to the console port, enter the following command:
hostname(config)# logging console {severity_level | message_list}Where the severity_level argument specifies the severity levels of messages to be sent to the console port. You can specify the severity level number (0 through 7) or name. For severity level names, see the "Severity Levels" section. For example, if you set the level to 3, then the adaptive security appliance sends system log messages for level 3, 2, 1, and 0.
The message_list argument specifies a customized message list that identifies the system log messages to send to the console port. For information about creating custom message lists, see the "Filtering System Log Messages with Custom Message Lists" section.
The following example specifies that the adaptive security appliance should send to the syslog server all system log messages with a severity level of level 3 (errors) and higher. The adaptive security appliance will send messages with the severity of 3, 2, and 1.
hostname(config)# logging console errorsSending System Log Messages to an E-mail Address
You can configure the adaptive security appliance to send some or all system log messages to an e-mail address. When sent by e-mail, a system log message appears in the subject line of the e-mail message. For this reason, we recommend configuring this option to notify administrators of system log messages with high severity levels, such as critical, alert, and emergency.
Note
To designate an e-mail address as an output destination, perform the following steps:
Step 1
hostname(config)# logging mail {severity_level | message_list}Where the severity_level argument specifies the severity levels of messages to be sent to the e-mail address. You can specify the severity level number (0 through 7) or name. For severity level names, see the "Severity Levels" section. For example, if you set the level to 3, then the security appliance sends system log messages for level 3, 2, 1, and 0.
The message_list argument specifies a customized message list that identifies the system log messages to send to the e-mail address. For information about creating custom message lists, see the "Filtering System Log Messages with Custom Message Lists" section.
The following example uses a message_list with the name "high-priority," previously set up with the logging list command:
hostname(config)# logging mail high-priorityStep 2
hostname(config)# logging from-address email_addressFor example:
hostname(config)# logging from-address xxx-001@example.comStep 3
To specify a recipient address, enter the following command:
hostname(config)# logging recipient-address e-mail_address [severity_level]If a severity level is not specified, the default severity level is used (error condition, severity level 3).
For example:
hostname(config)# logging recipient-address admin@example.comStep 4
hostname(config)# smtp-server ip_addressFor example:
hostname(config)# smtp-server 10.1.1.1
Sending System Log Messages to ASDM
You can configure the adaptive security appliance to send system log messages to ASDM. The adaptive security appliance sets aside a buffer area for system log messages waiting to be sent to ASDM and saves messages in the buffer as they occur. The ASDM log buffer is a different buffer than the internal log buffer. For information about the internal log buffer, see the "Sending System Log Messages to the Log Buffer" section.
When the ASDM log buffer is full, the adaptive security appliance deletes the oldest system log message to make room in the buffer for new system log messages. To control the number of system log messages retained in the ASDM log buffer, you can change the size of the buffer.
This section includes the following topics:
Configuring Logging for ASDM
Note
To specify ASDM as an output destination, perform the following steps:
Step 1
hostname(config)# logging asdm {severity_level | message_list}Where the severity_level argument specifies the severity levels of messages to be sent to ASDM. You can specify the severity level number (0 through 7) or name. For severity level names, see the "Severity Levels" section. For example, if you set the level to 3, then the adaptive security appliance sends system log messages for level 3, 2, 1, and 0.
The message_list argument specifies a customized message list that identifies the system log messages to send to ASDM. For information about creating custom message lists, see the "Filtering System Log Messages with Custom Message Lists" section.
The following example shows how enable logging and send to the ASDM log buffer system log messages of severity levels 0, 1, and 2.
hostname(config)# logging asdm 2Step 2
hostname(config)# logging asdm-buffer-size num_of_msgsWhere num_of_msgs specifies the number of system log messages that the adaptive security appliance retains in the ASDM log buffer.
The following example shows how to set the ASDM log buffer size to 200 system log messages.
hostname(config)# logging asdm-buffer-size 200
Configuring Secure Logging
Note
To enable secure logging, enter the following command:
hostname(config)# logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure]
Where the interface_name argument specifies the interface on which the syslog server resides, the syslog_ip argument specifies the IP address of the syslog server, and the port argument specifies the port (TCP or UDP) that the syslog server listens to for messages.
The tcp keyword specifies that the adaptive security appliance should use TCP to send messages to the syslog server. The udp keyword specifies that the adaptive security appliance should use UDP to send messages to the syslog server. The format emblem keyword enables EMBLEM format logging for the syslog server. The secure keyword specifies that the connection to the remote logging host should use SSL/TLS for TCP only.
The following example shows how to set up secure logging:
hostname(config)# logging host inside 10.0.0.1 TCP/1500 secure
Clearing the ASDM Log Buffer
To erase the current contents of the ASDM log buffer, enter the following command:
hostname(config)# clear logging asdmSending System Log Messages to a Telnet or SSH Session
Viewing system log messages in a Telnet or SSH session requires two steps:
1.
2.
This section includes the following topics:
•
•
Configuring Logging for Telnet and SSH Sessions
Note
To specify which messages should be sent to Telnet or SSH sessions, enter the following command:
hostname(config)# logging monitor {severity_level | message_list}Where the severity_level argument specifies the severity levels of messages to be sent to the session. You can specify the severity level number (0 through 7) or name. For severity level names, see the "Severity Levels" section. For example, if you set the level to 3, then the security appliance sends system log messages for level 3, 2, 1, and 0.
The message_list argument specifies a customized message list that identifies the system log messages to send to the session. For information about creating custom message lists, see the "Filtering System Log Messages with Custom Message Lists" section.
Viewing System Log Messages in the Current Session
Step 1
hostname# terminal monitorThis command enables logging only for the current session. If you log out, and then log in again, you need to reenter this command.
Step 2
hostname(config)# terminal no monitor
Sending System Log Messages to the Log Buffer
If configured as an output destination, the log buffer serves as a temporary storage location for system log messages. New messages are appended to the end of the listing. When the buffer is full, that is, when the buffer wraps, old messages are overwritten as new messages are generated, unless you configure the adaptive security appliance to save the full buffer to another location.
This section includes the following topics:
•
•
•
•
•
Enabling the Log Buffer as an Output Destination
Note
To enable the log buffer as a log output destination, enter the following command:
hostname(config)# logging buffered {severity_level | message_list}Where the severity_level argument specifies the severity levels of messages to be sent to the buffer. You can specify the severity level number (0 through 7) or name. For severity level names, see the "Severity Levels" section. For example, if you set the level to 3, then the security appliance sends system log messages for level 3, 2, 1, and 0.
The message_list argument specifies a customized message list that identifies the system log messages to send to the buffer. For information about creating custom message lists, see the "Filtering System Log Messages with Custom Message Lists" section.
For example, to specify that messages with severity levels 1 and 2 should be saved in the log buffer, enter one of the following commands:
hostname(config)# logging buffered criticalor
hostname(config)# logging buffered level 2For the message_list option, specify the name of a message list containing criteria for selecting messages to be saved in the log buffer.
hostname(config)# logging buffered notif-listViewing the Log Buffer
To view the log buffer, enter the following command:
hostname(config)# show loggingChanging the Log Buffer Size
By default, the log buffer size is 4 KB. To change the size of the log buffer, enter the following command:
hostname(config)# logging buffer-size bytesWhere the bytes argument sets the amount of memory used for the log buffer, in bytes. For example, if you specify 8192, the adaptive security appliance uses 8 KB of memory for the log buffer.
The following example specifies that the adaptive security appliance uses 16 KB of memory for the log buffer:
hostname(config)# logging buffer-size 16384Automatically Saving the Full Log Buffer to Flash Memory
Unless configured otherwise, the adaptive security appliance address messages to the log buffer on a continuing basis, overwriting old messages when the buffer is full. If you want to keep a history of logs, you can configure the adaptive security appliance to send the buffer contents to another output location each time the buffer fills. Buffer contents can be saved either to internal Flash memory or to an FTP server.
When saving the buffer content to another location, the adaptive security appliance creates log files with names that use a default time-stamp format, as follows:
LOG-YYYY-MM-DD-HHMMSS.TXTwhere YYYY is the year, MM is the month, DD is the day of the month, and HHMMSS is the time in hours, minutes, and seconds.
While the adaptive security appliance writes the log buffer contents to internal Flash memory or an FTP server, the adaptive security appliance continues saving new messages to the log buffer.
To specify that messages in the log buffer should be saved to internal Flash memory each time the buffer wraps, enter the following command:
hostname(config)# logging flash-bufferwrapAutomatically Saving the Full Log Buffer to an FTP Server
See the "Saving the Current Contents of the Log Buffer to Internal Flash Memory" section for more information about saving the buffer.
To specify that messages in the log buffer should be saved to an FTP server each time the buffer wraps, perform the following steps.
Step 1
hostname(config)# logging ftp-bufferwrapStep 2
hostname(config)# logging ftp-server server path username passwordWhere the server argument specifies the IP address of the external FTP server
The path argument specifies the directory path on the FTP server where the log buffer data is to be saved. This path is relative to the FTP root directory.
The username argument specifies a username that is valid for logging into the FTP server.
The password argument specifies the password for the username specified.
For example:
hostname(config)# logging ftp-server 10.1.1.1 /syslogs logsupervisor 1luvMy10gs
Saving the Current Contents of the Log Buffer to Internal Flash Memory
At any time, you can save the contents of the buffer to internal Flash memory. To save the current contents of the log buffer to internal Flash memory, enter the following command:
hostname(config)# logging savelog [savefile]For example, the following example saves the contents of the log buffer to internal Flash memory using the file name latest-logfile.txt:
hostname(config)# logging savelog latest-logfile.txtClearing the Contents of the Log Buffer
To erase the contents of the log buffer, enter the following command:
hostname(config)# clear logging bufferFiltering System Log Messages
This section describes how to specify which system log messages should go to output destinations, and includes the following topics:
•
•
Message Filtering Overview
You can filter generated system log messages so that only certain system log messages are sent to a particular output destination. For example, you could configure the adaptive security appliance to send all system log messages to one output destination and to send a subset of those system log messages to a different output destination.
Specifically, you can configure the adaptive security appliance so that system log messages are directed to an output destination according to the following criteria:
•
•
•
You customize these criteria by creating a message list that you can specify when you set the output destination in the "Configuring Log Output Destinations" section. Alternatively, you can configure the adaptive security appliance to send a particular message class to each type of output destination independently of the message list.
For example, you could configure the security appliance to send to the internal log buffer all system log messages with severity levels of 1, 2 and 3, send all system log messages in the "ha" class to a particular syslog server, or create a list of messages that you name "high-priority" that are sent to an e-mail address to notify system administrators of a possible problem.
Filtering System Log Messages by Class
The system log message class provides a method of categorizing system log messages by type, equivalent to a feature or function of the adaptive security appliance. For example, the "vpnc" class denotes the VPN client.
This section includes the following topics:
•
Message Class Overview
With logging classes, you can specify an output location for an entire category of system log messages with a single command.
You can use system log message classes in two ways:
•
•
All system log messages in a particular class share the same initial three digits in their system log message ID numbers. For example, all system log message IDs that begin with the digits 611 are associated with the vpnc (VPN client) class. System log messages associated with the VPN client feature range from 611101 to 611323.
Sending All Messages in a Class to a Specified Output Destination
When you configure all messages in a class to go to a type of output destination, this configuration overrides the configuration in the specific output destination command. For example, if you specify that messages at level 7 should go to the log buffer, and you also specify that ha class messages at level 3 should go to the buffer, then the latter configuration takes precedence.
To configure the adaptive security appliance to send an entire system log message class to a configured output destination, enter the following command:
hostname(config)# logging class message_class {buffered | console | history | mail | monitor | trap} [severity_level]Where the message_class argument specifies a class of system log messages to be sent to the specified output destination. See Table 42-2 for a list of system log message classes.
The buffered, history, mail, monitor, and trap keywords specify the output destination to which system log messages in this class should be sent. The history keyword enables SNMP logging. The monitor keyword enables Telnet and SSH logging. The trap keyword enables syslog server logging. Select one destination per command line entry. If you want to specify that a class should go to more than one destination, enter a new command for each output destination.
The severity_level argument further restricts the system log messages to be sent to the output destination by specifying a severity level. For more information about message severity levels, see the "Severity Levels" section.
The following example specifies that all system log messages related to the class ha (high availability, also known as failover) with a severity level of 1 (alerts) should be sent to the internal logging buffer.
hostname(config)# logging class ha buffered alertsTable 42-2 lists the system log message classes and the ranges of system log message IDs associated with each class.
Filtering System Log Messages with Custom Message Lists
Creating a custom message list is a flexible way to exercise fine control over which system log messages are sent to which output destination. In a custom system log message list, you specify groups of system log messages using any or all of the following criteria: severity level, message IDs, ranges of system log message IDs, or by message class.
For example, message lists can be used to do the following:
•
•
A message list can include multiple criteria for selecting messages. However, you must add each message selection criteria with a new command entry. It is possible to create a message list containing overlapping message selection criteria. If two criteria in a message list select the same message, the message is logged only once.
To create a customized list that the adaptive security appliance can use to select messages to be saved in the log buffer, perform the following steps:
Step 1
hostname(config)# logging list name {level level [class message_class] | message start_id[-end_id]}
