-
User Guide for Cisco Security Manager 3.3
-
Preface
-
Getting Started with Security Manager
-
Working with the Security Manager User Interface
-
Using Map View
-
Preparing Devices for Management
-
Managing the Device Inventory
-
Managing Policies
-
Managing Activities
-
Managing Policy Objects
-
Managing Site-to-Site VPNs
-
Managing Remote Access VPNs
-
Managing Firewall Services
-
Managing IPS Services
-
Managing Routers
-
Managing Firewall Devices
-
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
-
Managing IPS Devices
-
Managing Deployment
-
Managing FlexConfigs
-
Managing the Security Manager Server
-
Using Monitoring, Troubleshooting, and Diagnostic Tools
-
Administrative Settings User Interface Reference
-
Map View User Interface Reference
-
Device Inventory User Interface Reference
-
Policy User Interface Reference
-
Activities User Interface Reference
-
Policy Object Manager User Interface Reference
-
Site-to-Site VPN User Interface Reference
-
Remote Access VPN User Interface Reference
-
Firewall Services User Interface Reference
-
Router Platform User Interface Reference
-
PIX/ASA/FWSM Platform User Interface Reference
-
Catalyst Platform User Interface Reference
-
IPS User Interface Reference
-
Deployment User Interface Reference
-
Index
-
Table Of Contents
Policy Object Manager User Interface Reference
Policy Object Manager Window Shortcut Menu
Policy Object Add or Edit Dialog Boxes
Add or Edit AAA Server Dialog Box
AAA Server Dialog Box—RADIUS Settings
AAA Server Dialog Box—TACACS+ Settings
AAA Server Dialog Box—Kerberos Settings
AAA Server Dialog Box—LDAP Settings
AAA Server Dialog Box—NT Settings
AAA Server Dialog Box—SDI Settings
AAA Server Dialog Box—HTTP-FORM Settings
Add or Edit Access List Dialog Boxes
Add and Edit Extended Access Control Entry Dialog Boxes
Add and Edit Standard Access Control Entry Dialog Boxes
Add and Edit Web Access Control Entry Dialog Boxes
ASA Group Policies Client Configuration Settings
ASA Group Policies Client Firewall Attributes
ASA Group Policies Hardware Client Attributes
ASA Group Policies IPSec Settings
ASA Group Policies SSL VPN Clientless Settings
ASA Group Policies SSL VPN Full Client Settings
ASA Group Policies SSL VPN Settings
ASA Group Policies DNS/WINS Settings
ASA Group Policies Split Tunneling Settings
ASA Group Policies Connection Settings
Add or Edit Secure Desktop Configuration Dialog Box
Add and Edit File Object Dialog Boxes
Add or Edit FlexConfig Dialog Box
FlexConfig Undefined Variables Dialog Box
Add or Edit IKE Proposal Dialog Box
Interface Name Conflict Dialog Box
Add or Edit IPSec Transform Set Dialog Box
Add and Edit LDAP Attribute Map Dialog Boxes
Add and Edit LDAP Attribute Map Value Dialog Boxes
Add and Edit Map Value Dialog Boxes
Add or Edit Class Maps Dialog Boxes
Zone-Based Firewall IM Application Class Maps Add or Edit Match Condition Dialog Boxes
Zone-Based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes
H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes
HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes
Add or Edit Inspect Parameter Map Dialog Boxes
Add or Edit Protocol Info Parameter Map Dialog Boxes
Add or Edit DNS Server for Protocol Info Parameters Dialog Box
Add or Edit Local Web Filter Parameter Map Dialog Boxes
Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes
Add or Edit External Filter Dialog Box
Add or Edit Trend Parameter Map Dialog Boxes
Add or Edit URL Filter Parameter Map Dialog Boxes
Add or Edit URL Domain Name Dialog Box for URL Filter Parameters
Add or Edit URLF Glob Parameter Map Dialog Boxes
Add or Edit DCE/RPC Dialog Box
Add and Edit DNS Map Dialog Boxes
DNS Map Protocol Conformance Tab
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add or Edit ESMTP Map Dialog Boxes
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Add and Edit FTP Map Dialog Boxes
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add and Edit GTP Map Dialog Boxes
Add and Edit Country Network Codes Dialog Boxes
Add and Edit Permit Response Dialog Boxes
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Add and Edit H.323 Map Dialog Boxes
Add or Edit HSI Group Dialog Boxes
Add or Edit HSI Endpoint IP Address Dialog Boxes
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
HTTP Map RFC Request Method Tab
HTTP Map Extension Request Method Tab
HTTP Map Transfer Encoding Tab
Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Add and Edit IM Map Dialog Boxes (for ASA 7.2+/PIX 7.2+)
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Add or Edit IM Map (IOS) Dialog Boxes
Add or Edit IPsec Pass Through Map Dialog Boxes
Add or Edit NetBIOS Map Dialog Boxes
Add or Edit SIP Map Dialog Boxes
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add or Edit Skinny Map Dialog Boxes
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Add and Edit SNMP Map Dialog Boxes
Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies
Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web Filter Policies
Add and Edit Web Filter Map Dialog Boxes
Add and Edit Regular Expression Group Dialog Boxes
Add and Edit Regular Expression Dialog Boxes
Add and Edit TCP Map Dialog Boxes
Add and Edit TCP Option Range Dialog Boxes
Add or Edit Network/Host Dialog Box
PKI Enrollment Dialog Box—CA Information Tab
PKI Enrollment Dialog Box—Enrollment Parameters Tab
PKI Enrollment Dialog Box—Certificate Subject Name Tab
PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab
Add or Edit Port Forwarding List Dialog Boxes
Add or Edit A Port Forwarding Entry Dialog Box
Add or Edit Port List Dialog Box
Add and Edit Service Dialog Boxes
Add or Edit Single Sign On Server Dialog Boxes
Add or Edit SLA Monitor Dialog Box
Add or Edit Bookmarks Dialog Boxes
Add and Edit Bookmark Entry Dialog Boxes
Add and Edit Post Parameter Dialog Boxes
Add and Edit SSL VPN Customization Dialog Boxes
SSL VPN Customization Dialog Box—Title Panel
SSL VPN Customization Dialog Box—Language
SSL VPN Customization Dialog Box—Logon Form
SSL VPN Customization Dialog Box—Informational Panel
SSL VPN Customization Dialog Box—Copyright Panel
SSL VPN Customization Dialog Box—Full Customization
SSL VPN Customization Dialog Box—Toolbar
SSL VPN Customization Dialog Box—Applications
SSL VPN Customization Dialog Box—Custom Panes
SSL VPN Customization Dialog Box—Home Page
SSL VPN Customization Dialog Box—Logout Page
Add or Edit SSL VPN Gateway Dialog Box
Add and Edit Smart Tunnel List Dialog Boxes
Add and Edit A Smart Tunnel Entry Dialog Boxes
Add or Edit Text Object Dialog Box
Add or Edit Time Range Dialog Box
Add and Edit Traffic Flow Dialog Boxes
Add or Edit User Group Dialog Box
User Group Dialog Box—General Settings
User Group Dialog Box—DNS/WINS Settings
User Group Dialog Box—Split Tunneling
User Group Dialog Box—IOS Client Settings
User Group Dialog Box—IOS Xauth Options
User Group Dialog Box—IOS Client VPN Software Update
User Group Dialog Box—Advanced PIX Options
User Group Dialog Box—Clientless Settings
User Group Dialog Box—Thin Client Settings
User Group Dialog Box—SSL VPN Full Tunnel Settings
User Group Dialog Box—SSL VPN Split Tunneling
User Group Dialog Box—Browser Proxy Settings
User Group Dialog Box—SSL VPN Connection Settings
Add or Edit WINS Server List Dialog Box
Add or Edit WINS Server Dialog Box
Policy Object Overrides Window
Create Overrides for Device Dialog Box
Policy Object Manager User Interface Reference
The Policy Object Manager is used to create and globally manage all the policy objects configured with Cisco Security Manager. You use policy objects to simplify the creation of device-level and shared policies.
This chapter contains the following topics:
•
Policy Object Add or Edit Dialog Boxes
•
Policy Object Manager Window
Use the Policy Object Manager window to:
•
•
•
Navigation Path
Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.
Related Topics
•
•
•
•
•
Field Reference
Table F-1 Policy Object Manager Window
Object Type selector or table of contents
(Left pane.)
Lists the object types available in Security Manager. When you select an object type, all existing objects of that type are listed in the table in the right pane.
The policy object table in the right pane lists existing objects of the type selected in the table of contents. Using this table, you create new objects and work with existing ones. You can use the buttons below the table, or right-click within the table to see additional commands (see Policy Object Manager Window Shortcut Menu).
Except for the Access Control Lists (ACL) object, there is one table per object type. For ACLs, there are tabs to separate Extended, Standard, and Web ACLs. Select the appropriate tab to work with the desired object type.
The columns in the table vary based on the type of object you select. You can alter the columns displayed in the table by right-clicking the table heading and selecting or deselecting columns in the Show Columns command. You can also sort the information by the contents in a column by clicking the column heading; click the heading to toggle between alphabetical and reverse alphabetical sorting.
For detailed information on the settings that are displayed in the table, click the Create or Edit buttons below the table and click Help in the dialog box that is opened. Following is a description of the columns that you typically see.
Icon (unlabeled field)
The icon displayed for a policy object type identifies objects of that type wherever they appear, such as in rules tables. If the icon includes the image of a pencil, you can edit it.
Name
The name of the policy object.
Content
A summary of the object definition that might not include all defined settings.
Permit
For ACL objects, if the Access Control Entry (ACE) allows traffic, a check mark appears in the Permit column. If the action is deny, a red circle with a slash appears.
Category
The category object that is assigned to the object, if any. Categories help you organize and identify rules and objects. For more information, see Using Category Objects, page 8-6.
Overridable
Whether a user can override the object properties at the device level. A check mark indicates that the object can be overridden. Not all object types are overridable.
For more information about device overrides, see Managing Object Overrides, page 8-9.
Description
If a paper icon appears in this column, there is a description for the object. Double-click the icon to view the description or mouse-over the icon.
Click the New Object button to create a new object. The same icon is used for any button that adds an item to a table.
Clicking this button opens a dialog box to create the object. Click the Help button in the dialog box for information on the selected object type. Also, see Creating Policy Objects, page 8-4.
Click the Edit Object button to edit the selected object. The same icon is used for editing any object in a table.
The dialog box used for editing the object is the same as the one used for creating the object. If you try to edit a system-defined default object, you are allowed only to view the object contents. Click the Help button in the dialog box for information on the settings. For more information, see Editing Objects, page 8-6.
Click the Delete Object button to delete the selected object. You can delete only user-defined objects that are not currently being used in a policy or another policy object. For more information, see Deleting Objects, page 8-8.
Policy Object Manager Window Shortcut Menu
Right-clicking inside the policy object table in the Policy Object Manager Window displays a shortcut menu for performing various functions on the selected object type.
Field Reference
Table F-2 Policy Object Manager Window Shortcut Menu
New Object
Select this command to create a new policy object. Click Help in the dialog box that is opened for information specific to the object type. Also, see Creating Policy Objects, page 8-4.
Edit Object
Select this command to edit the policy object selected in the table. If you select a system-defined default object, you are presented with a view-only look at the object definition. For more information, see Editing Objects, page 8-6.
Delete Object
Select this command to delete the policy object selected in the table. You can delete only user-defined objects that are not being used in a policy or in another policy object. For more information, see Deleting Objects, page 8-8.
Edit Device Overrides
Select this command to change the device-level overrides for this object using the Policy Object Overrides Window. You can create, edit, and delete overrides. For more information, see Managing Object Overrides, page 8-9.
Create Duplicate
Select this command to create a copy of the policy object. For more information, see Duplicating Objects, page 8-7.
Find Usage
Select this command to generate a usage report for the selected object using the Object Usage Dialog Box. The usage report tells you where the object is currently being used. for more information, see Generating Object Usage Reports, page 8-8.
View Object
Select this command to view the definition of the object using a read-only version of the edit dialog box for the object. For more information, see Viewing Object Details, page 8-8.
Policy Object Add or Edit Dialog Boxes
When you add or edit a policy object, a dialog box is opened that contains the settings for that type of policy object. Click Help in the dialog box for detailed information on the settings available for that type of object.
This section contains the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
AAA Server Group Dialog Box
Use the AAA Server Group dialog box to create, copy, and edit AAA server groups. When defining a policy that uses a AAA server for authentication, authorization, or accounting, you select the server by selecting the server group to which the server belongs.
Navigation Path
Select Tools > Policy Object Manager, then select AAA Server Groups from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
•
Field Reference
Table F-3 AAA Server Group Dialog Box
Name
The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported.
Consider the following important points:
•
•
Description
An optional description of the object.
Protocol
The protocol used by the AAA servers in the group. For more information about these options, see Supported AAA Server Types, page 8-16 and Additional AAA Support on ASA, PIX, and FWSM Devices, page 8-17.
AAA Servers
The AAA server policy objects that comprise the server group. Enter the names of the objects or click Select to select them from a list that is filtered to show only those AAA server objects that use the selected protocol. Separate multiple objects with commas. You can also create new objects from the selection list.
Make this Group the Default AAA Server Group (IOS)
(IOS devices only.)
Whether to designate this AAA server group as the default group for the RADIUS or TACACS+ protocol. Select this option if you intend to use a single global group for the selected protocol for all policies on a specific device requiring AAA.
Do not select this option if you intend to create multiple RADIUS or TACACS+ AAA server groups. Multiple groups can be used to separate different AAA functions (for example, use one group for authentication and a different group for authorization) or to separate different customers in a VRF environment.
Note
Max Failed Attempts
(PIX, ASA, FWSM devices only.)
The number of connection attempts that can fail before an unresponsive AAA server in the group is deactivated.
Values range from 1 to 5.
Reactivation Mode
(PIX, ASA, FWSM devices only.)
The method to use when reactivating failed AAA servers in the group:
•
•
Note
Reactivation Deadtime
(PIX, ASA, FWSM devices only.)
When you select Depletion as the reactivation mode, the number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. Values range from 0 to 1440 minutes (24 hours).
Group Accounting Mode
(PIX, ASA, FWSM devices only.)
When using the RADIUS or TACACS+ protocols, the method for sending accounting messages to the AAA servers in the group:
•
Note
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit AAA Server Dialog Box
Use Add or Edit AAA Server dialog box to create, copy, and edit a AAA server object. These objects are collected into AAA server group objects, and identify the AAA servers that you want to use when defining various AAA policies.
For a description of the protocols you can use, see Supported AAA Server Types, page 8-16 and Additional AAA Support on ASA, PIX, and FWSM Devices, page 8-17.
Note
Navigation Path
Select Tools > Policy Object Manager, then select AAA Servers from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-4 AAA Server Dialog Box—General Settings
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object.
Host
The address of the AAA server to which authentication requests will be sent. Specify one of the following:
•
•
Interface
The interface whose IP address should be used for all outgoing RADIUS or TACACS packets (known as the source interface). Enter the name of an interface or interface role, or click Select select it from a list or to create a new interface role.
If you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name.
If you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces.
Note
Timeout
The amount of time to wait until the AAA server is considered unresponsive:
•
•
•
Protocol
The protocol used by the AAA server. The fields to the right of the protocol list change depending on your selection.
For specific information about the fields, see the topics indicated.
•
–
–
•
–
–
–
–
–
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
AAA Server Dialog Box—RADIUS Settings
Use the RADIUS settings in the AAA Server dialog box to configure a RADIUS AAA server object.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select RADIUS in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—TACACS+ Settings
Use the TACACS+ settings in the AAA Server dialog box to configure a TACACS+ AAA server object.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select TACACS+ in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—Kerberos Settings
Use the Kerberos settings in the AAA Server dialog box to configure a Kerberos AAA server object.
Note
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select Kerberos in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—LDAP Settings
Use the LDAP settings in the AAA Server dialog box to configure an LDAP AAA server object.
Note
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select LDAP in the Protocol field.
Related Topics
•
•
Field Reference
Table F-8 AAA Server Dialog Box—LDAP Settings
Enable LDAP over SSL
Whether to establish a secure SSL connection between the ASA/PIX/FWSM device and the LDAP server.
TipServer Port
The port used for communicating with the AAA server. The default is 389.
LDAP Hierarchy Location
The base distinguished name (DN), which is the location in the LDAP hierarchy where the authentication server should being searching when it receives an authorization request. For example, OU=Cisco. The maximum length is 128 characters.
The string is case-sensitive. Spaces are not permitted, but other special characters are allowed.
LDAP Scope
The scope of LDAP searches:
•
•
LDAP Distinguished Name
The DN and password that uniquely identify the ASA/PIX/FWSM device in the LDAP schema (maximum of 128 characters). The DN is similar to a unique key in a database or a fully qualified path for a file. These parameters are used only when the LDAP server requires them for authentication.
LDAP Login Directory
The name of the directory object in the LDAP hierarchy used for authenticated binding (maximum of 128 characters). Authenticated binding is required by some LDAP servers (including the Microsoft Active Directory server) before other LDAP operations can be performed.
This string is case-sensitive. Spaces are not permitted in the string, but other special characters are allowed.
LDAP Login Password
The case-sensitive, alphanumeric password for accessing the LDAP server (maximum of 64 characters). Spaces are not allowed.
SASL MD5 Authentication
SASL Kerberos Authentication
Kerberos Server Group
These options establish a Simple Authentication and Security Layer (SASL) mechanism to authenticate an LDAP client (the ASA/PIX/FWSM device) with an LDAP server.
You can define one or both SASL authentication mechanisms. When negotiating SASL authentication, the ASA/PIX/FWSM device retrieves the list of SASL mechanisms configured on the LDAP server and selects the strongest mechanism configured on both devices.
•
•
If you select Kerberos, you must also enter the name of the Kerberos AAA server group used for SASL authentication. The maximum length is 16 characters.
LDAP Server Type
The type of LDAP server used for AAA:
•
•
Note
•
•
•
LDAP Attribute Map
The LDAP attribute configuration to bind to the LDAP server. Enter the name of an LDAP attribute map policy object or click Select to select it from a list or to create a new object.
LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. For more information, see Creating LDAP Attribute Map Objects, page 8-37.
AAA Server Dialog Box—NT Settings
Use the NT settings in the AAA Server dialog box to configure an NT AAA server object.
Note
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select NT in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—SDI Settings
Use the SDI settings in the AAA Server dialog box to configure an SDI AAA server object.
Note
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select SDI in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—HTTP-FORM Settings
Use the HTTP-FORM settings in the AAA Server dialog box to configure an HTTP-Form AAA server object for single sign-on authentication (SSO).
Note
Navigation Path
Go to the Add or Edit AAA Server Dialog Box and select HTTP-FORM in the Protocol field.
Related Topics
•
•
Field Reference
Add or Edit Access List Dialog Boxes
Use the Add and Edit Access List dialog boxes to define access control entries (ACEs) for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.
The title of the dialog box indicates the type of ACL you are creating: Extended, Standard, or Web Type. The dialog boxes are essentially the same, the difference being the columns displayed in the ACE table.
Navigation Path
Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Select the tab for the type of ACL object you want to create, and then right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
•
•
•
•
Field Reference
Table F-12 Add and Edit Access List Dialog Boxes
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object.
Access Control Entry table
The access control entries (ACEs) and ACL objects that are part of the ACL. The table displays the name of the entry or object, description, options, services, and other attributes of the entry.
In the Permit column, a green checkmark indicates that the entry permits traffic, whereas a red circle with a slash indicates that traffic is denied.
The source and, if applicable, destination addresses can be host IP addresses, network addresses, or network/host policy objects.
•
–
–
–
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit Extended Access Control Entry Dialog Boxes
Use the Add or Edit Extended Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to an Extended ACL object.
Navigation Path
From the Add or Edit Access List Dialog Boxes for Extended ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.
Related Topics
•
•
•
•
•
Field Reference
Table F-13 Add and Edit Extended Access Control Entry Dialog Boxes
Type
The type of entry you are adding. The fields on the dialog box change based on your selection.
•
•
Action
The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Source
Destination
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
Services
The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Description
An optional description of the object.
Advanced button
Click this button to define logging options for the entry:
•
–
–
•
Add and Edit Standard Access Control Entry Dialog Boxes
Use the Add or Edit Standard Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to a Standard ACL object.
Navigation Path
From the Add or Edit Access List Dialog Boxes for Standard ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.
Related Topics
•
•
•
•
•
Field Reference
Table F-14 Add and Edit Standard Access Control Entry Dialog Boxes
Type
The type of entry you are adding. The fields on the dialog box change based on your selection.
•
•
Action
The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Source
The source of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
Description
An optional description of the object.
Log Option
Whether to create log entries when traffic meets the entry criteria. ACL logging generates syslog message 106023 for denied packets. Deny packets must be present to log denied packets.
Add and Edit Web Access Control Entry Dialog Boxes
Use the Add or Edit Web Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to a Web Type ACL object.
Navigation Path
From the Add or Edit Access List Dialog Boxes for Web Type ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.
Related Topics
•
•
•
•
•
Field Reference
Table F-15 Add and Edit Web Access Control Entry Dialog Boxes
Type
The type of entry you are adding. The fields on the dialog box change based on your selection.
•
•
Action
The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.
Filter Destination
Whether the entry specifies a network filter (host or network address) or a URL filter (web site address). Your selection changes the fields on the dialog box. The fields are described below.
Destination
(Network Filter only.)
The destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
Ports
(Network Filter only.)
The port numbers or port list policy objects that define the port the traffic uses, if you want to use port identification. You can enter more than one value by separating the items with commas.
You can enter any combination of the following types:
•
•
•
URL Filter
(URL Filter only.)
The Universal Resource Locator (URL), or web address, of the traffic. You can use an asterisk as a match-all wildcard. For example, http://*.cisco.com matches all servers on the cisco.com network. You can specify any valid URL.
Logging
The type of logging to use for this entry:
•
•
•
Logging Interval
The interval of time, in seconds, used to generate logging messages, from 1 to 600. The default is 300. You can modify this field only if you select a logging level in the Logging field.
Time Range
The time range policy object that defines the time range associated with the entry. The time range defines the access to the device and relies on the device's system clock. For more information, see Creating Time Range Objects, page 8-92.
Enter the name of the object or click Select to select it from a list. You can also create new time range objects from the selection list.
Note
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
An optional description of the object.
ASA Group Policies Dialog Box
Use the Add or Edit ASA Group Policies dialog box to create, copy, and edit an ASA user group policies object.
ASA group policies are configured on ASA security appliances in Easy VPN topologies, IPSec VPNs, and SSL VPNs. When you configure an Easy VPN, IPSec VPN or SSL VPN connection, you must create group policies to which remote clients will belong. A user group policy is a set of user-oriented attribute/value pairs for SSL VPN connections that are stored either internally (locally) on the device or externally on a AAA server. The tunnel group uses a user group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users rather than having to specify each attribute individually for each user.
Note
Navigation Path
Select ASA Group Policies in the Policy Object Manager Window. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip
Related Topics
•
•
Field Reference
Table F-16 Add or Edit ASA Group Policies Dialog Box, including Technology Settings
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object.
The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right.
You must first configure technology settings, then you can select items from the table of contents on the left and configure the options you require. Your selections on the Technology page control which options are available on these pages and in the table of contents.
The top folders in the table of contents represent the VPN technologies or other settings that you can configure, and are explained next.
Technology settings
These settings control what you can define in the group policy:
•
If you select External, the only attributes you can configure are the name of the AAA server group object that identifies the AAA server and its password.
•
•
After you select an external server group, the Password and Confirm fields become active. Enter the alphanumeric password to use for authenticating with the server in both fields. The password can be a maximum of 128 characters; spaces are not allowed.
DNS/WINS
The DNS and WINS servers and the domain name that should be pushed to clients associated with the group. See ASA Group Policies DNS/WINS Settings.
Split Tunneling
Settings to allow a remote client to conditionally direct encrypted packets through a secure tunnel to the central site and simultaneously allow clear text tunnels to the Internet through a network interface. See ASA Group Policies Split Tunneling Settings.
Easy VPN/IPSec VPN
Settings for Easy VPN and remote access IPSec VPNs:
•
•
•
•
SSL VPN
Settings for SSL VPN:
•
•
•
Connection Settings
The connection settings for the group, such as the session and idle timeouts, including the banner text. See ASA Group Policies Connection Settings.
ASA Group Policies Client Configuration Settings
Use the Client Configuration settings page to configure the Cisco client parameters for the ASA group policy for Easy VPN or remote access VPN.
Navigation Path
Select Easy VPN/IPSec VPN > Client Configuration from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
ASA Group Policies Client Firewall Attributes
Use the Client Firewall Attributes settings to configure the firewall settings for VPN clients for the ASA group policy for Easy VPN or IPSec VPN. Only VPN clients running Microsoft Windows can use these firewall settings.
Navigation Path
Select Easy VPN/IPSec VPN > Client Firewall Attributes from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
ASA Group Policies Hardware Client Attributes
Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the ASA group policy in an Easy VPN or IPSec VPN.
Navigation Path
Select Easy VPN/IPSec VPN > Hardware Client Attributes from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
ASA Group Policies IPSec Settings
Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA group policy for Easy VPN or IPSec VPN. This creates security associations that govern authentication, encryption, encapsulation, and key management.
Navigation Path
Select Easy VPN/IPSec VPN > IPsec from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Table F-20 ASA Group Policies IPSec Settings
Enable Re-Authentication on IKE Re-Key
Whether the security appliance should prompt the user to enter a username and password during initial Phase 1 IKE negotiation and also prompt for user authentication whenever an IKE rekey occurs, providing additional security. Reauthentication fails if no user is at the other end of the connection.
Enable IPsec Compression
Whether to enable data compression, which speeds up transmission rates for remote dial-in users connecting with modems.
Caution
Enable Perfect Forward Secrecy (PFS)
Whether to enable the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
Tunnel Group Lock
Tunnel group lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting.
If you do not specify a tunnel name, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.
Client Access Rules table
The access rules for clients. These rules control which types of clients are denied access, if any. You can have up to 25 rules, and combined they are limited to 255 characters.
TipThe rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.
•
•
•
Add or Edit Client Access Rules Dialog Box
Use the Client Access Rules dialog box to create or edit the priority, action, VPN client type and VPN client version for a client access rule.
Navigation Path
From ASA Group Policies IPSec Settings, click the Add Row button beneath the Client Access Rules table, or select a rule and click the Edit Row button.
Field Reference
ASA Group Policies SSL VPN Clientless Settings
Use the Clientless settings to configure the clientless mode of access to the corporate network in an SSL VPN for the ASA group policy object.
When a user connects to the SSL VPN in clientless mode, the user logs into the SSL VPN portal page. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers, depending on how you configure the portal.
Navigation Path
Select SSL VPN > Clientless from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Table F-22 ASA Group Policies SSL VPN Clientless Settings
Portal Page Websites
The name of the SSL VPN bookmarks policy object that includes the web site URLs to display on the portal page. These web sites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.
Allow Users to Enter Websites
Whether to allow the remote user to enter web site URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal.
Enable File Server Browsing
Whether to allow the remote user to browse for file shares on the CIFS file servers.
Enable File Server Entry
Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares.
Enable Hidden Shares
Whether to make hidden CIFS shares visible, and thus accessible, to users.
HTTP Proxy
The type of access you want to allow to the external HTTP proxy server to which the security appliance forwards HTTP connections. You can enable access, disable access, or select Auto Start, which starts the proxy automatically upon user login.
Filter ACL
The name of the web type access control list policy object to use to restrict user access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object.
Enable ActiveX Relay
Whether to enable ActiveX relay, which allows users to start ActiveX programs from the portal page. This allows users to start Microsoft Office applications from the web browser and upload and download Office documents.
UNIX Authentication Group ID
The UNIX authentication group ID.
UNIX Authentication User ID
The UNIX authentication user ID.
Smart Tunnel
The name of the smart tunnel list policy object assigned to this group. Click Select to select it from a list or to create a new object.
A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site. The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. Thus, smart tunnels do not require users to have administrator privileges. For more information, see Configuring SSL VPN Smart Tunnels for ASA Devices, page 8-87.
Auto Start Smart Tunnel
Whether to start smart tunnel access automatically upon user login. If you do not select this option, the user must start the tunnel manually through the Application Access tools on the portal page.
Auto sign-on supports only applications that use HTTP and HTTPS using the Microsoft WININET library on a Microsoft Windows operating system. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.
Port Forwarding List
The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object.
Auto Start Port Forwarding
Whether to start port forwarding automatically upon user login.
Port Forwarding Applet Name
The application name or short description to display on the Port Forwarding Java applet screen on the portal, up to 64 characters. This is the name of the applet users will download to act as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.
ASA Group Policies SSL VPN Full Client Settings
Use the Full Client settings to configure the full client mode of access to the corporate network in an SSL VPN for the ASA group policy object.
Full client mode enables access to the corporate network completely over an SSL VPN tunnel. In full client access mode, the tunnel connection is determined by the group policy configuration. The full client software, SSL VPN Client (SVC) or AnyConnect, is downloaded to the remote client, so that a tunnel connection is established when the remote user logs in to the SSL VPN gateway.
Tip
Navigation Path
Select SSL VPN > Full Client from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
ASA Group Policies SSL VPN Settings
Use the SSL VPN Settings to configure attributes that are required for clientless and port forwarding (thin client) access modes to work, including auto signon rules for user access to servers. Auto Signon configures the security appliance to automatically pass SSL VPN user login credentials (username and password) on to internal servers. You can configure multiple auto signon rules.
Navigation Path
Select SSL VPN > Settings from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Table F-24 ASA Group Policies SSL VPN Settings
Home Page
The URL of the SSL VPN home page. The page is displayed when users log into the VPN. If you do not enter a URL, no home page is displayed.
Authentication Failure Message
The message to deliver to a remote user who successfully logs into the VPN but has no VPN privileges, and so can do nothing. The default message is:
"Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."
Minimum Keepalive Object Size (kilobytes)
The minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance.
Single Sign On Server
The name of the single sign on (SSO) server policy object that identifies the server to use for this group, if any. An SSO server allows users to enter their username and password once and be able to access other server in the network without logging into each of them. If configure an SSO server, also configure the auto signon rules table.
Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring Single Sign-On Server Objects, page 8-77.
Enable HTTP Compression
Whether to allow an HTTP compressed object to be cached on the security appliance.
Auto Signon Rules table
If you configure a single sign on server, the auto signon rules table contains the rules that determine which internal servers are provided the user's credentials. Thus, you can provide single sign on for some servers in your network but not others.
Each rule is an allow rule, and indicates the IP address, subnet, or Universal Resource Identifier (URI) that identifies the server, and the type of authentication that will be sent to the server when the user tries to access it (either basic HTML, NTLM, FTP, or all of these). The rules are processed in order, top to bottom, and the first match is applied. Therefore, be sure to order the rules correctly using the up and down arrow buttons.
If the user accesses a server that is not identified in one of these rules, the user must log into the server to gain access.
•
•
•
Portal Page Customization
The name of the SSL VPN customization policy object that defines the appearance of the portal web page. The portal page allows the remote user access to all the resources available on the SSL VPN network. If you do not specify an object, the default page appearance is used.
Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79.
User Storage Location
The location where personalized user information is stored between clientless SSL VPN sessions. If you do not specify a location, information is not stored between sessions. Stored information is encrypted.
Enter a file system designation in the following format:
protocol://username:password@host:port/path
Where protocol is the protocol of the server, username and password are a valid user account on the server, and host is the name of the server. Also indicate the port number (if you do not use the default for the protocol) and directory path of the location on the server to use. For example:
cifs://newuser:12345678@anyfiler02a/new_share
Storage Key
The storage key used to protect data stored between sessions. Spaces are not supported.
Post Max Size
The maximum size allowed for a posted object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent posting.
Upload Max Size
The maximum size allowed for a uploaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent uploading.
Download Max Size
The maximum size allowed for a downloaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent downloads.
Add or Edit Auto Signon Rules Dialog Box
Use the Add or Edit Auto Signon Rules dialog box to configure the Auto Signon rules that the security appliance uses to pass SSL VPN user login credentials on to an internal server.
Navigation Path
Open the ASA Group Policies SSL VPN Settings, then click Create, or select an item in the table and click Edit.
Related Topics
•
•
Field Reference
ASA Group Policies DNS/WINS Settings
Use the DNS/WINS settings to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA group policy. These settings apply to Easy VPN, remote access IPSec VPN, and SSL VPN configurations.
Navigation Path
Select DNS/WINS from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
ASA Group Policies Split Tunneling Settings
Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. These settings apply to Easy VPN, remote access IPSec VPN, and SSL VPN configurations.
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.
Tip
Navigation Path
Select Split Tunneling from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
ASA Group Policies Connection Settings
Use the Connection Settings to configure the connection characteristics for the ASA group policy, including access control and session timeouts. These settings are used for Easy VPN, remote access VPN, or SSL VPN sessions.
Navigation Path
Select Connection Settings from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Table F-28 ASA Group Policies Connection Settings
Filter ACL
The name of the extended access control list (ACL) policy object to use to restrict user access to the VPN. Enter the name of the object or click Select to select it from a list or to create a new object.
Banner Text
The banner, or welcome text, to display on remote clients when they connect to the VPN. You can enter up to 500 characters.
Access hours
The name of a time range policy object that specifies the times that users are allowed to access the VPN. If you do not specify a time range, users can access the VPN at all times. Specify a time range if you want to limit access to the network to certain hours, such as the typical work days and work hours for your organization.
Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Add or Edit Time Range Dialog Box.
Max Simultaneous Logins
The number of simultaneous logins a single user is allowed. Values are 0-2147483647. The default is 3. Specify 0 to disable logins and prevent user access.
Max Connection Time
The maximum amount of time a user is allowed to be connected to the VPN. Select one of the following:
•
•
Idle Timeout
The amount of time a user is allowed to be connected to the VPN while the connection is idle, that is, there is no communication activity. Select one of the following:
•
•
Category Editor Dialog Box
Use the Category Editor dialog box to edit the name or description of a category object. Category objects help you categorize and readily identify rules and other objects.
Navigation Path
Select Tools > Policy Object Manager, select Categories from the Object Type Selector, and click Edit Object.
Related Topics
•
Field Reference
Add or Edit Secure Desktop Configuration Dialog Box
Use the Add or Edit Cisco Secure Desktop Configuration dialog box to create, copy, and edit Cisco Secure Desktop Configuration objects for IOS routers. You can configure the settings required for Windows clients who are connecting from different location types, enable or restrict web browsing and file access for Windows CE clients, and configure the cache cleaner for Macintosh and Linux clients.
Cisco Secure Desktop (CSD) secures network endpoints by providing a reliable means of eliminating all traces of sensitive data by providing a single, secure location for session activity and removal on the client system.
This policy object uses the Secure Desktop Manager application to configure the settings. For an example of configuring settings, see Cisco Secure Desktop on IOS Configuration Example Using SDM at http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.shtml. The first part of the configuration example explains setting up SDM, which you can ignore. Instead, look for the sections that describe setting up Windows locations midway through the example. The screen shots will help you identify when you are looking at CSD configuration.
Navigation Path
Select Tools > Policy Object Manager, then select Cisco Secure Desktop (Router) from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
Field Reference
Table F-30 Add or Edit Secure Desktop Configuration Dialog Box
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object (up to 1024 characters).
Windows Locations
The names of the locations that you want to configure for Windows clients connecting from specific locations, such as Work, Home, or Insecure.
When you create a location, an item for the location is added to the table of contents, where you can select the settings folders related to the location and configure its properties. The settings include a definition of how to determine if a client is connecting from that particular location.
For each location you want to configure, enter its name in the Location to Add field and click Add to move it to the Locations list.
You can reorder the locations using the Move Up/Move Down buttons. CSD checks locations in the order listed in this dialog box, and grants privileges to client PCs based on the first location definition they match. You can create a default location, such as Insecure, as the final location and configure the strictest security for it. For more information, see Creating Cisco Secure Desktop Configuration Objects, page 8-73.
Close all open browser windows after installation
Whether to close all the open browser windows after installing the Secure Desktop application.
VPN Feature Policy
Select the check boxes to enable these features if installation or location matching fails:
•
•
•
•
VPN Feature Policy
The Windows CE options enable you to configure a VPN feature policy to enable or restrict web browsing and remote server file access for remote clients running Microsoft Windows CE. You cannot configure locations for these clients.
Launch Cleanup Upon Global Timeout
Whether to set a global timeout after which CSD launches the cache cleaner. Select a timeout (the default is 30 minutes), and select whether to allow the user to reset the timeout value.
Launch Cleanup Upon Exiting of Browser
Whether to start the cache cleaner when the user closes all web browser windows.
Enable Canceling of Cleaning
Whether to allow the remote user to cancel the cleaning of the cache.
Secure Delete
The number of passes for CSD to perform a secure cleanup. The default is 1 pass.
CSD encrypts and writes the cache to the remote client's disk. Upon termination of the Secure Desktop, CSD converts all bits occupied by the cache to all 0's, then to all 1's, and then to randomized 0's and 1's.
Enable Web Browsing if Mac or Linux Installation Fails
Whether to allow web browsing (but not other remote access features) if the cache cleaner installation fails.
VPN Feature Policy
Whether to allow web browsing, remote server file access, and port forwarding for Macintosh and Linux clients. Port forwarding permits the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Credentials Dialog Box
Use the Credentials dialog box to create, copy and edit Credential objects.
Credential objects are used in Easy VPN configuration during IKE Extended Authentication (Xauth) when authenticating user access to the network and network services. When negotiating tunnel parameters for establishing IPsec tunnels in an Easy VPN configuration, Xauth identifies the user who requests the IPsec connection. If the VPN server is configured for Xauth, the client waits for a "username/password" challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication. You can save the Xauth credentials (username and password) on the device itself so you do not need to enter them manually each time the Easy VPN tunnel is established.
Navigation Path
Select Tools > Policy Object Manager, then select Credentials from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-31 Credentials Dialog Box
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object (up to 1024 characters).
Username
The name that will be used to identify the user during Xauth authentication.
Password
Confirm
The password for the user, entered in both fields. The password must be alphanumeric and a maximum of 128 characters. Spaces are not allowed.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit File Object Dialog Boxes
Use the Add and Edit File Object dialog boxes to create, copy, and edit file objects. File objects represent files that are used in device configurations, typically for remote access VPN policies and policy objects. Such files include Anyconnect client profile and image files, image (graphic) files, plug-in jar files, and Cisco Secure Desktop package files.
Tip
When you create a file object, Security Manager makes a copy of the file in its storage system. These files are backed up whenever you create a backup of the Security Manager database, and they are restored if you restore the database. When you deploy configurations that specify a file object, the associated file is download to the device in the appropriate directory.
After you create a file object, you typically should not edit it. If you need to replace the file, edit the file object to select the new file, or create a new file object. If the file is editable, you can edit the file object to identify the file's location in the file repository, and use the desired editor to open and edit the file outside of Security Manager. The file repository is the CSCOpx\MDC\FileRepository folder in the installation directory (typically, C:\Program Files). The files are organized in subfolders named for the file type.
When you delete a file object, the associated file is not deleted from the file repository.
Navigation Path
Select Tools > Policy Object Manager, then select File Objects from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
Field Reference
Table F-32 Add and Edit File Object Dialog Boxes
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
If you do not enter a name, the name of the file is used for the object name.
Description
An optional description of the object.
File Type
The type of file. If you create the object while configuring a policy, the correct file type is pre-selected. Options are:
•
•
•
•
•
File
The name and full path of the file. The file must be on the Security Manager server. Click Browse to select the file.
For file objects that you are editing, the path indicates the location in the Security Manager file repository.
TipFile Name on Device
The file name you want to use when the file is downloaded to the device when you deploy policies. The default is to use the same file name as the original file.
If the object was created by discovering policies from the device, this field uses the original name of the file as it existed on the device. This might not be the same name as it exists on the Security Manager server if the original name duplicated existing file names on the server.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Add or Edit FlexConfig Dialog Box
Use the Add or Edit FlexConfig dialog box to create or edit FlexConfig policy objects. FlexConfig objects are small programs that allow you to add configuration commands before or after the configurations generated from Security Manager policies, so that you can extend the abilities of the product to configure your devices. You use these policy objects in FlexConfig device or shared policies.
Before creating FlexConfig policy objects, read the sections in Understanding FlexConfig Policies and Policy Objects, page 18-1.
Navigation Path
Select Tools > Policy Object Manager, then select FlexConfigs from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-33 FlexConfigs Editor Dialog Box
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object.
Group
The name of the group of FlexConfig objects to which this object belongs, if any. You can type in a name, or select an existing name from the list. This field is for informational purposes only, and can help you find a FlexConfig object in the FlexConfig Objects page in the Policy Object Manager.
Type
Whether the commands in the object are prepended (put at the beginning) or appended (put at the end) of configurations.
Negate For
The name of the FlexConfig object whose commands are undone in this FlexConfig object. This field is for informational purposes only and does not affect the processing of the object.
For example, if FlexConfig A has the command banner login, and FlexConfig B has the command no banner login, FlexConfig B negates the configuration for FlexConfig A.
Object Body edit box
The commands and instructions to produce the desired configuration file output. You can type in the following types of data:
•
•
•
Undo button
Deletes the previous action.
Redo button
Performs the previously undone action.
Cut button
Deletes the highlighted text and copies it to the clipboard.
Copy button
Copies the highlighted text to the clipboard.
Paste button
Pastes previously cut or copied text.
Find button
Locates the specified text string in the object body.
Validate FlexConfig button
Checks the integrity and deployability of the FlexConfig object.
This table lists the variables that are used in the FlexConfig object.
Name
The name of the variable. Click the cell to edit the name, which also changes the name in the FlexConfig object body.
Default Value
The value to use when one is not provided. Click the cell to edit the value for user-defined variables. You cannot edit system-defined variables.
Note
Object Property
The property of the object. The object property name is in the following format:
type.name.data.property
where
•
•
•
•
Dimension
The structure of the data in the variable. Possible values are:
•
•
•
Optional
Whether the variable is required to have a value.
Description
A description of the contents of the object. Click the cell to edit the description.
Create Text Object Dialog Box
Use the Create Text Object dialog box as a shortcut to create text objects of dimension 0, which are single-value variables, for use in FlexConfig policy objects. Enter the name of the variable and the value to assign to it. When you click OK, the variable is added to the FlexConfig object at the cursor location and it is added to the list of variables for the object.
Navigation Path
In the Add or Edit FlexConfig Dialog Box, right-click in the object body field and select Create Text Object.
Tip
FlexConfig Undefined Variables Dialog Box
Use the FlexConfig Undefined Variables dialog box to define variables used in the FlexConfig object that have not yet been defined. You can choose from a list of policy object types or add a new policy object to use.
Each row in the table represents a single undefined variable.
Tip
Navigation Path
In the Add or Edit FlexConfig Dialog Box, if you enter a variable name but do not define its values, when you click OK, Security Manager displays a warning and asks if you want to define the variables. If you click Yes, this dialog box is opened.
Field Reference
Table F-34 FlexConfig Undefined Variables Dialog Box
Variable Name
The name of the undefined variable that you used in the FlexConfig object.
Object Type
The type of policy object that contains the value you want to assign to the variable. For local variables, use the Undefined object type.
For variables you want to define, you must select the specific policy object and value within that object to assign to the selected variable.
You start by selecting the type of policy object from this list. You are then prompted to select the specific policy object. When you click OK, you are prompted to select the specific property within that object that contains the desired value (see Property Selector Dialog Box). When you select the value on the Property Selector dialog box and click OK, the value is assigned to the variable.
Object Property
The property of the object. For a detailed explanation, see Add or Edit FlexConfig Dialog Box.
Optional
Whether the variable is required to have a value.
Property Selector Dialog Box
Use the Property Selector dialog box to select the specific property within a selected policy object that you want to assign to a variable within a FlexConfig policy object. The title of the dialog box indicates the type of policy object that you selected (for example, AAA Server Groups Property Selector).
For more information on variables, see Understanding FlexConfig Object Variables, page 18-5.
Navigation Path
•
•
Field Reference
Table F-35 Property Selector Dialog Box
Object Property
The property of the object that contains the value you want to assign to the variable. For specific information on the properties, see the explanation of the fields for the dialog box used for adding or editing objects of that type. You can find a list of links to the relevant topics at Policy Object Add or Edit Dialog Boxes.
Name
The name of variable. This field is not available when you are defining undefined variables.
Description
An optional description of the variable. This field is not available when you are defining undefined variables.
Add or Edit IKE Proposal Dialog Box
Use the IKE Proposal dialog box to create, copy, and edit an IKE proposal object.
Internet Key Exchange (IKE) proposal objects contain the parameters required for IKE proposals when defining remote access and site-to-site VPN policies. IKE is a key management protocol that facilitates the management of IPsec-based communications. It is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes security associations (SAs) for other applications, such as IPsec. Both phases use proposals when they negotiate a connection. For more information about IKE proposals, see the following topics:
•
•
•
•
Navigation Path
Select Tools > Policy Object Manager, then select IKE Proposals from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Tip
Related Topics
•
•
•
Field Reference
Table F-36 IKE Proposal Dialog Box
Name
The name of the policy object. A maximum of 128 characters is allowed.
Description
A description of the policy object. A maximum of 1024 characters is allowed.
Priority
The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
Valid values range from 1 to 10000. The lower the number, the higher the priority. If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.
Encryption Algorithm
The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations:
•
•
•
•
•
Hash Algorithm
The hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Options are:
•
•
Modulus Group
The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Options are:
•
•
•
•
•
•
•
Lifetime
The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.
You can specify a value from 60 to 86400 seconds.
Authentication Method
The method of authentication to use between the two peers:
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Interface Role Dialog Box
Use the Interface Role dialog box to create, copy, or edit an interface role object. Interface Role objects have the following uses:
•
•
Navigation Path
Select Tools > Policy Object Manager, then select Interface Roles from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
•
•
•
Field Reference
Table F-37 Interface Role Dialog Box
Name
The name of the policy object. A maximum of 128 characters is allowed.
Description
A description of the policy object. A maximum of 1024 characters is allowed.
Interface Name Patterns
The names to include in this interface role. The names are the complete or partial names of interfaces, subinterfaces, and other virtual interfaces. Separate multiple name patterns with commas.
You can use these wildcards to create name patterns that apply to multiple interfaces:
•
To use a period as part of the pattern itself (for example, when defining subinterfaces), enter a backslash (\) before the period.
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Interface Name Conflict Dialog Box
When defining a policy requiring an interface, you might enter a name that corresponds to both an interface role and an actual interface on the device. When you save or update the policy, the Interface Name Conflict dialog box opens automatically so that you can select whether you want to specify the interface or the interface role. The dialog box lists only those names for which there are conflicts.
For more information about the exact circumstances that lead to this conflict, see Exceptional Cases When Using Interface Roles, page 8-35.
Related Topics
•
•
Add or Edit IPSec Transform Set Dialog Box
Use the Add or Edit IPSec Transform Set dialog box to create, copy and edit IPSec transform set objects.
You can create IPSec transform set objects for use in IPSec proposals when defining IPSec-protected traffic in site-to-site and remote access VPNs. When you create an IPSec transform set object, you select the mode in which IPSec should operate, as well as define the required encryption and authentication types. Additionally, you can select whether to include compression in the transform set. During IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
Two different security protocols are included within the IPSec standard:
•
•
Note
Navigation Path
Select Tools > Policy Object Manager, then select IPSec Transform Sets from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
•
Field Reference
Table F-38 IPSec Transform Set Dialog Box
Name
The name of the policy object. A maximum of 128 characters is allowed.
Description
A description of the policy object. A maximum of 1024 characters is allowed.
Mode
The mode in which the IPSec tunnel operates:
•
Use tunnel mode when the firewall is protecting traffic to and from hosts positioned behind the firewall. Tunnel mode is the normal way regular IPSec is implemented between two firewalls (or other security gateways) that are connected over an untrusted network, such as the Internet.
•
Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet. Transport mode is generally used only when protecting a Layer 2 or Layer 3 tunneling protocol such as GRE, L2TP, and DLSW.
ESP Encryption
The Encapsulating Security Protocol (ESP) encryption algorithm that the transform set should use:
•
•
•
•
•
•
•
ESP Hash Algorithm
AH Hash Algorithm
The ESP or AH hash algorithm to use in the transform set for authentication. The default is to use SHA for ESP authentication and to not use AH authentication.
•
•
•
Note
Compression
(IOS devices only.)
Whether to compress the data in the IPSec tunnel using the Lempel-Ziv-Stac (LZS) algorithm.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Add and Edit LDAP Attribute Map Dialog Boxes
Use the Add and Edit LDAP (Lightweight Directory Access Protocol) Attribute Map dialog boxes to populate the attribute map with name mappings that translate Cisco LDAP attribute names to custom, user-defined attribute names.
If you are introducing a security appliance to an existing LDAP directory, your existing custom LDAP attribute names and values are probably different from the Cisco attribute names and values. Rather than renaming your existing attributes, you can create LDAP attribute maps that map your custom attribute names and values to Cisco attribute names and values. By using simple string substitution, the security appliance then presents you with only your own custom names and values. You can then bind these attribute maps to LDAP servers or remove them as needed. You can also delete entire attribute maps or remove individual name and value entries.
For more information regarding LDAP support on ASA, PIX, and FWSM devices, see Additional AAA Support on ASA, PIX, and FWSM Devices, page 8-17.
Navigation Path
Select Tools > Policy Object Manager, then select LDAP Attribute Map from the Object Type selector. Right-click inside the table and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-39 Add and Edit LDAP Attribute Map Dialog Boxes
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 8-4.
Description
An optional description of the object.
Attribute Map table
The table shows the mapped values. Each entry shows the customer map name, Cisco map name, and the attribute mapping of customer name to Cisco name.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit LDAP Attribute Map Value Dialog Boxes
Use the Add and Edit LDAP Attribute Map Value dialog boxes to populate the attribute map with value mappings that apply user-defined attribute values to the custom attribute name and to the matching Cisco attribute name and value.
Navigation Path
From the Add and Edit LDAP Attribute Map Dialog Boxes, click the Add Row button to add a new mapping, or select a row and click the Edit Row button.
Field Reference
Table F-40 Add and Edit LDAP Attribute Map Value Dialog Boxes
Customer Map Name
The name of your attribute map that relates to the Cisco map.
Cisco Map Name
The Cisco attribute map name you want to map to the customer map name.
Customer to Cisco Map Value table
The mappings of customer names to Cisco names.
•
•
•
Add and Edit Map Value Dialog Boxes
Use the Add and Edit Map Value dialog boxes to map a customer LDAP attribute value to a Cisco map value. Enter the value from your LDAP map that you want to equate with a Cisco value.
Navigation Path
From the Add and Edit LDAP Attribute Map Value Dialog Boxes, click the Add Row button to add a new mapping, or select a row and click the Edit Row button.
Add or Edit Class Maps Dialog Boxes
Use the Add and Edit Class Map dialog boxes to define class maps to be used in policy maps of the same type. The name of the dialog box indicates the type of map you are creating.
A class map defines application traffic based on criteria specific to the application. You then select the class map in the corresponding policy map and configure the action to take for the selected traffic. Thus, each class map must contain traffic that you want to handle in the same way (for example, to allow it or to drop it).
You can create class maps for the following purposes:
•
You can also define class criteria in the related policy map. However, creating class maps allows you to reuse the map in multiple policy maps.
The following topics describe the available match criteria:
–
–
–
–
–
–
•
–
–
–
–
–
–
–
–
–
–
–
–
–
Navigation Path
Select Tools > Policy Object Manager, then select any item in the folders in the Maps > Class Maps folder in the table of contents. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.
Related Topics
•
•
•
•
•
•
Field Reference
Table F-41 Add or Edit Class Maps Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Match table
Match Type
(Except for Trend Content Filter class maps.)
The Match table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.
The name of the table indicates whether every one of the criteria must be met for the traffic to match the class (Match All), or whether matching any of the listed criteria is sufficient (Match Any). For the HTTP (IOS) and SMTP classes, you can choose whether to match all or any. When using a Match All table, if you add more than one criteria, ensure that you are not defining a set of characteristics that no traffic can match.
Tip•
•
•
Trend Content Filter Match Criteria
The match criteria for Trend Content Filter class maps differs from that of all other class maps. Instead of adding items to a table, you simply select the items you want from a list. Select the Enable checkbox for any of the Trend-Micro classifications on the following tabs. Traffic matches the class if it matches any of your selections.
•
•
See the Trend-Micro documentation for specific information on these categories or security classifications.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Zone-Based Firewall IM Application Class Maps Add or Edit Match Condition Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the various instant messenger (IM) application classes used with zone-based firewall policies to define a match criterion and value for the class map.
You can match the following types of services:
•
•
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for AOL, ICQ, MSN Messenger, Windows Messenger, or Yahoo Messenger classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Zone-Based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the various person-to-person (P2P) application classes used with zone-based firewall policies to define a match criterion and value for the class map.
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for eDonkey, FastTrack, Gnutella, or Kazaa2 classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Field Reference
Table F-42 Zone-Based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes
Criterion
Specifies which criterion of traffic to match:
•
•
•
Type
Specifies that the map includes traffic that matches the criterion.
File Name
The name of the file associated with the traffic. You can use regular expressions to specify a name pattern. For information on the metacharacters you can use to build regular expressions, see Metacharacters Used to Build Regular Expressions, page 8-63.
Tip
H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the H.323 (IOS) class used with zone-based firewall policies to define a match criterion and value for the class map. You can match traffic based on the H.323 protocol message type. Select the message that you want to match.
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for the H.323 (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the HTTP (IOS) class used with zone-based firewall policies to define a match criterion and value for the class map.
The fields on this dialog box change based on the criterion you select. You can use the following criteria:
•
•
•
•
•
•
•
•
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for the HTTP (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
•
Field Reference
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the Internet Message Access Protocol (IMAP) and Post Office Protocol 3 (POP3) classes used with zone-based firewall policies to define a match criterion and value for the class map.
You can select the following criteria to identify matching traffic:
•
•
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for the IMAP or POP3 classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the SIP (IOS) class used with zone-based firewall policies to define a match criterion and value for the class map.
The fields on this dialog box change based on the criterion you select.
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for the SIP (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Field Reference
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the SMTP classes used with zone-based firewall policies to define a match criterion and value for the class map.
Tip
The fields on this dialog box change based on the criterion you select. You can use the following criteria:
•
•
•
•
•
•
•
•
•
•
•
•
•
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for SMTP classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Field Reference
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the Sun Remote Procedure Call (RPC) classes used with zone-based firewall policies to define a match criterion and value for the class map. You can enter the RPC protocol number that you want to match. See the Sun RPC documentation for information about protocol numbers.
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for Sun RPC classes, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the Local web filter class to define a match criterion and value for the class map.
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for the Local web filter class, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Field Reference
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the N2H2 (SmartFilter) and Websense web filter classes to define a match criterion and value for the class map. The only match criterion available is to match any response from the SmartFilter or Websense server.
Navigation Path
From the Add or Edit Class Maps Dialog Boxes for the N2H2 or Websense web filter class, right-click inside the table and select Add Row or right-click a row and select Edit Row.
Related Topics
•
•
•
•
Add or Edit Inspect Parameter Map Dialog Boxes
Use the Add and Edit Inspect Parameter Map dialog boxes to define a parameter map for inspection for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Inspect or Content Filter, you can select an inspect parameter map to define connection, timeout, and other settings for the inspection action. If you do not select an inspect parameter map for a zone-based firewall rule, the system uses default values for these settings.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Inspect > Inspect Parameters in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
•
Field Reference
Table F-47 Add or Edit Inspect Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
DNS Timeout
The length of time, in seconds, for which a DNS lookup session is managed while there is no activity.
ICMP Timeout
The length of time, in seconds, for which an inactive ICMP (Internet Control Message Protocol) session is maintained.
Max Incomplete Low
Max Incomplete High
The number of existing half-open sessions that will cause the software to start (at the high threshold) and stop (at the low threshold) deleting half-open sessions.
Ensure that you enter a lower number in the Low field than you enter in the High field, for example, 400 and 500. The default is unlimited half-open sessions.
One Minute Low
One Minute High
The number of new unestablished sessions that causes the system to start and stop deleting half-open sessions. Ensure that you enter a lower number in the Low field than you enter in the High field. The default is unlimited.
Max Sessions
The maximum number of inspection sessions on a zone pair, for example, 200. The default is unlimited.
TCP FINWAIT Timeout
How long to maintain TCP session state information after the firewall detects a FIN-exchange, in seconds. The FIN-exchange occurs when the TCP session is ready to close.
TCP SYNWAIT Timeout
How long to wait for a TCP session to reach the established state before dropping the session, in seconds.
TCP Idle Timeout
How long to maintain a TCP session while there is no activity in the session, in seconds.
TCP Max Incomplete Hosts
TCP Max Incomplete Block Time
The threshold and blocking time (in minutes) for TCP host-specific denial-of-service (DoS) detection and prevention.
The maximum incomplete hosts is the number of half-open TCP sessions with the same host destination address that can simultaneously exist before the software starts deleting half-open sessions to that host. An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host.
When the threshold is exceeded, half-open sessions are dropped based on the maximum incomplete block time:
•
•
The software sends syslog messages whenever the specified threshold is exceeded and when blocking of connection initiations to a host starts or ends.
UDP Idle Timeout
How long to maintain a UDP session while there is no activity in the session, in seconds.
When the software detects a valid UDP packet, the software establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.
If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.
Enable Alert
Whether to generate stateful packet inspection alert messages on the console.
Enable Audit Trail
Whether audit trail messages are logged to the syslog server or router.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit Protocol Info Parameter Map Dialog Boxes
Use the Add and Edit Protocol Info Parameter Map dialog boxes to define a parameter map for the inspection of Instant Messaging (IM) applications or the Stun-ice protocol for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Inspect, you must select a protocol info parameter map when you configure any of these applications: AOL, ICQ, MSN Messenger, Windows Messenger, Yahoo Messenger, Stun-ice. The protocol info parameter map defines the DNS servers that interact with these applications, which helps the instant messenger application engine to recognize the instant messenger traffic and to enforce the configured policy for that instant messenger application.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Inspect > Protocol Info Parameters in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-48 Add or Edit Protocol Info Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
DNS Server Table
The DNS servers for which traffic will be permitted (and inspected) or denied.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit DNS Server for Protocol Info Parameters Dialog Box
Use the Add or Edit DNS Server dialog box to identify DNS servers for which traffic will be permitted (and inspected) or denied. These servers are defined in a Protocol Info parameter map for use with the inspection of protocols that require them in a zone-based firewall policy.
You can identify a server using any of these types:
•
•
•
Navigation Path
From the Add or Edit Protocol Info Parameter Map Dialog Boxes, click the Add button beneath the server table, or select a server and click the Edit button.
Add or Edit Local Web Filter Parameter Map Dialog Boxes
Use the Add and Edit Local Parameter Map dialog boxes to define a parameter map for local web filtering for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map that incorporates a Local web filter parameter map (when you select Local for the parameter type on the Parameter tab). For more information about Web Filter policy maps, see Add and Edit Web Filter Map Dialog Boxes.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > Local in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-49 Add or Edit Local Web Filter Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Enable Alert
Whether to generate stateful packet inspection alert messages on the console.
Enable Allow Mode
Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.
Block Page
The web page you want to present to the user if the user attempts to access a page that you block. You can select from the following:
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes
Use the Add and Edit N2H2 or Websense Parameter Map dialog boxes to define a parameter map for Smartfilter (N2H2) or Websense web filtering for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map that incorporates an N2H2 or Websense web filter parameter map (when you select N2H2 or Websense for the parameter type on the Parameter tab). For more information about Web Filter policy maps, see Add and Edit Web Filter Map Dialog Boxes.
Navigation Path
Select Tools > Policy Object Manager, then select N2H2 or WebSense from the Maps > Parameter Maps > Web Filter folder in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-50 Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
URL Filtering Server Table
The list of URL filtering servers and their attributes.
•
•
•
Enable Alert
Whether to generate stateful packet inspection alert messages on the console.
Enable Allow Mode
Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.
Block Page
The web page you want to present to the user if the user attempts to access a page that you block. You can select from the following:
•
•
•
Source Interface
The interface whose IP address should be used as the source IP address when a TCP connection is established between the system and the URL filtering server.
Maximum Cache Entries
The maximum number of entries to store in the categorization cache. The default is 5000.
Cache Life Time
How long, in hours, an entry remains in the cache table. The default is 24.
Maximum Requests
The maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.
Maximum Responses
The maximum number of HTTP responses that can be buffered. The range is from 0 and 20000. The default is 200.
Truncate Hostname
Truncate Script Parameters
Whether to truncate the URLs:
•
•
•
TipEnable Server Log
Whether to send information about HTTP requests to the URL filtering server's log server. The information includes the URL, the hostname, the source IP address, and the destination IP address.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit External Filter Dialog Box
Use the Add or Edit External Filter dialog box to add a URL filtering server to an N2H2, Websense, or URL Filter parameter map policy object.
Navigation Path
Click the Add button beneath the server table, or select a server and click the Edit button, from any of the following dialog boxes:
•
•
Field Reference
Add or Edit Trend Parameter Map Dialog Boxes
Use the Add and Edit Trend Parameter Map dialog boxes to define a parameter map for Trend Micro web filtering for zone-based firewall policies on routers. If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a Web Filter policy map that incorporates a Trend web filter parameter map (when you select Trend for the parameter type on the Parameter tab). For more information about Web Filter policy maps, see Add and Edit Web Filter Map Dialog Boxes.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > Trend in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-52 Add or Edit Trend Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Enable Allow Mode
Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.
Block Page
The web page you want to present to the user if the user attempts to access a page that you block. You can select from the following:
•
•
•
Maximum Requests
The maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.
Maximum Responses
The maximum number of HTTP responses that can be buffered. The range is from 0 and 20000. The default is 200.
Truncate Hostname
Whether to truncate URLs at the end of the domain name.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit URL Filter Parameter Map Dialog Boxes
Use the Add and Edit URL Filter Parameter Map dialog boxes to define the parameters and match criterion and values for an inspection map used in a zone-based firewall policy for a router.
If you configure the action of a zone-based firewall policy rule as Content Filter, you can select a URL Filter parameter map to define web filtering parameters and match criteria. However, if the router is running Cisco IOS Software release 12.4(20)T or higher, the recommended approach is to configure a Web Filter policy map along with parameter and class maps for the appropriate server type (local, N2H2, Trend, or Websense). For more information, see Add and Edit Web Filter Map Dialog Boxes.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > URL Filter in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-53 Add or Edit URL Filter Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
The fields on this tab define the properties for local URL filtering.
Whitelisted and Blacklisted Domains tables
These tables define the domain names for which the software will not contact the external URL filtering server. Domain names on the whitelist are always allowed. Domain names on the blacklist are always blocked. Use these lists to identify entire domains that you want to allow without restriction (such as your company's web site) or block completely (such as pornography sites).
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either permitted or denied. You can also enter host IP addresses.
•
•
•
Enable Alert
Whether to generate stateful packet inspection alert messages on the console.
Enable Audit Trail
Whether to log URL information to the syslog server or router.
Enable Allow Mode
Whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked.
The fields on this tab define the properties for an external URL filtering server.
Server Type
Server Table
The type of external URL filtering server you are configuring, either SmartFilter (N2H2) or Websense.
•
•
•
Source Interface
The interface whose IP address should be used as the source IP address when a TCP connection is established between the system and the URL filtering server.
Maximum Cache Entries
The maximum number of entries to store in the categorization cache. The default is 5000.
Maximum Requests
The maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.
Maximum Responses
The maximum number of HTTP responses that can be buffered. The range is from 0 and 20000. The default is 200.
Truncate Hostname
Truncate Script Parameters
Whether to truncate the URLs:
•
•
•
Do not select any truncate options for devices running software releases lower than 12.4(15)T or you will receive a validation error.
TipEnable Server Log
Whether to send information about HTTP requests to the URL filtering server's log server. The information includes the URL, the hostname, the source IP address, and the destination IP address.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit URL Domain Name Dialog Box for URL Filter Parameters
Use the Add URL Domain Name dialog box to add web site domain names to the whitelisted (allowed) or blacklisted (not allowed) lists.
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either permitted or denied. You can also enter host IP addresses.
Navigation Path
From the Add or Edit URL Filter Parameter Map Dialog Boxes, click the Add button beneath the whitelist or blacklist tables, or select a name and click the Edit button.
Add or Edit URLF Glob Parameter Map Dialog Boxes
Use the Add and Edit URLF Glob Parameter Map dialog boxes to define a parameter map for the inspection of URLs in a Local web filter class map.
A single URLF Glob should contain only segments of URLs that you want to block or allow. Your goal is to create class maps of white listed (allowed) or blacklisted (blocked) URLs. You can then define Local web filter policy maps to allow or block the identified URLs.
A single URLF Glob must also be limited to one of these types of URL segments:
•
•
You cannot use the characters /, {, }, and ? in a URLF glob.
To match a server name or URL keyword, the string in the URL must match exactly the string included in the URLF glob unless you use wildcard metacharacters to specify a variable string pattern. You can use the following metacharacters for pattern matching for either server names or URL keywords:
•
•
•
•
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > URLF Glob Parameters in the table of contents. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
•
•
Field Reference
Table F-54 Add or Edit URLF Glob Parameter Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Value
The server domains or keywords for the URLs you are targeting. Enter only one type of glob: either all server domains, or all URL keywords, but not a mixture of both.
If you include more than one entry, separate the entries with new lines. For example, the following entries identify all government or education web servers:
*.gov*.eduCategory
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit DCE/RPC Dialog Box
Use the Add or Edit DCE/RPC Map dialog boxes to define a map for DCE/RPC inspection.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DCE/RPC from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-55 Add and Edit DCE/RPC Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Pinhole Timeout
The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.
Enforce Endpoint Mapper Service
Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.
Enable Endpoint Mapper Service Lookup
Service Lookup Timeout
Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the time out for the lookup operation. If you do not specify a timeout, the pinhole timeout or default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit DNS Map Dialog Boxes
Use the Add and Edit DNS Map dialog boxes to define DNS Maps for inspection.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DNS from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-56 Add and Edit DNS Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map Protocol Conformance Tab.
Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map Filtering Tab.
The Log When DNS ID Mismatch Rate Exceeds option determines whether you want to report excessive instances of DNS identifier mismatches based on the following criteria:
•
•
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 8-10 and Understanding Policy Object Overrides for Individual Devices, page 8-9.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
DNS Map Protocol Conformance Tab
Use the Protocol Conformance tab to define DNS security settings and actions for a DNS map.
Navigation Path
Click the Protocol Conformance tab on the Add and Edit DNS Map Dialog Boxes.
Related Topics
•
•
Field Reference
DNS Map Filtering Tab
Use the Filtering tab to define DNS filtering settings and actions for a DNS map.
Navigation Path
Click the Filtering tab on the Add and Edit DNS Map Dialog Boxes.
Related Topics
•
•
Field Reference
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for DNS policy maps) dialog boxes to do the following:
•
•
•
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes for DNS, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit DNS Map Dialog Boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
