Configure Basic Settings
Security Cloud Control Licenses
- Cloud-Delivered Firewall Management Center and Threat Defense Licenses
Security Cloud Control Platform Maintenance Schedule
Cloud-Delivered Firewall Management Center Maintenance Schedule
Introduction to Objects
Network Address Translation
Order of Processing NAT Rules
Network Address Translation Wizard
- Create a NAT Rule by using the NAT Wizard
Common Use Cases for NAT

Configure Basic Settings

Security Cloud Control provides a unique view of policy management through a clear and concise interface. Below are topics that cover the basics of using Security Cloud Control for the first time.

Security Cloud Control Licenses

Security Cloud Control requires a base subscription for organization entitlement and device licenses for managing devices. You can buy one or more Security Cloud Control base subscriptions based on the number of tenants you require and device licenses based on the device model number and the quantity. In other words, purchasing the base subscription gives you a Security Cloud Control organization, and for every device you choose to manage using Security Cloud Control, you need separate device licenses.

For the purposes of planning your deployment, note that each Security Cloud Control tenant can manage approximately 500 devices through the Secure Device Connector (SDC) and any number of devices using the cloud connector. See Secure Device Connector (SDC) for more information.

To onboard and manage devices from Security Cloud Control, you need to purchase a base subscription and device-specific, term-based subscriptions based on the devices you want to manage.

Subscriptions

Firewall in Security Cloud Control subscriptions are term-based:

Base - Offers subscriptions for one, three, and five years, and provides entitlement to access the Security Cloud Control organization and onboard adequately licensed devices.
Device License - Offers subscriptions for one, three, and five years for any supported device you choose to manage. For example, you can choose to manage a Cisco Firepower 1010 device using Security Cloud Control for three years, if you purchase a three-year software subscription to the Cisco Firepower 1010 device.

See Software and Hardware Supported by Security Cloud Control for more information on Cisco security devices that Security Cloud Control supports.

When managing your firewalls with CDO, you can combine Security Analytics and Logging with your Security Cloud Control subscription or you can obtain Security Analytics and Logging entitlement as a separate subscription. For more information about Security Analytics and Logging subscriptions, see Security Analytics and Logging Licenses.

Note

Catalyst SD-WAN doesn't require an additional license. Customers using DNA or WAN Essentials license will be able to integrate with Security Cloud Control.

Important

You do not require two separate device licenses to manage a high availability device pair in Security Cloud Control. If you have a Secure Firewall ASA (ASA) high availability pair, purchasing one ASA device license is sufficient, as Security Cloud Control considers the pair of high availability devices as one single device.

Note

You cannot manage Security Cloud Control licensing through the Cisco smart licensing portal.

Software Subscription Support

The Security Cloud Control base subscription includes software subscription support that is valid for the term of the subscription and provides access to software updates, major upgrades, and Cisco Technical Assistance Center (TAC), at no extra cost. While the software support is selected by default, you can also leverage the Security Cloud Control solution support based on your requirement.

Cloud-Delivered Firewall Management Center and Threat Defense Licenses

You do not have to purchase a separate license to use the Cloud-Delivered Firewall Management Center in Security Cloud Control; the base subscription for a Security Cloud Control tenant includes the cost for the Cloud-Delivered Firewall Management Center.

Cloud-delivered Firewall Management Center Evaluation License

The cloud-delivered Firewall Management Center comes provisioned with a 90-day evaluation license. After the evaluation period has elapsed, you can still onboard Firewall Threat Defense devices to the cloud-delivered Firewall Management Center. However, any manually triggered or scheduled deployments are blocked, until you register your cloud-delivered Firewall Management Center with the Cisco Smart Software Manager (CSSM). As your evaluation license approaches the expiry date, Security Cloud Control notifies you through alerts on the notifications window.

We also recommend that, after registering to CSSM, you purchase the required licenses for the features you want to use. Purchasing licenses keeps the cloud-delivered Firewall Management Center from going out of compliance.

To know more about how to register the cloud-delivered Firewall Management Center with CSSM, see Register the Management Center with the Smart Software Manager.

To learn how to get a cloud-delivered Firewall Management Center provisioned on your Security Cloud Control tenant, see Request a Cloud-delivered Firewall Management Center for your Security Cloud Control Tenant.

Note

The Cloud-Delivered Firewall Management Center does not support specific license reservation (SLR) for devices in air-gapped networks.

Threat Defense Licenses for Cloud-Delivered Firewall Management Center

You need individual licenses for each Secure Firewall Threat Defense device managed by the Cloud-Delivered Firewall Management Center. See Licensing in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Firewall in Security Cloud Control for information.

To know how Security Cloud Control handles licensing for the devices migrated to the Cloud-Delivered Firewall Management Center, see Migrate Threat Defense from Management Center to Cloud.

Note

The Talos certificate for Evaluation Mode in Secure Firewall version 7.6.0 is set to expire on March 31, 2025. After this date, access to Talos-hosted services in Evaluation Mode (specifically those related to web reputation / categorization lookups) will be discontinued.

Security Cloud Control Platform Maintenance Schedule

Security Cloud Control updates its platform every week with new features and quality improvements. Updates are made during a 3-hour period according to this schedule:


Day of the Week	Time of Day (24-hour time, UTC)
Thursday	09:00 UTC - 12:00 UTC

During this maintenance period, you can still access your organization and if you have a cloud-delivered Firewall Management Center or Multicloud Defense Controller, you can access those portals as well. Additionally, the devices that you have onboarded to Security Cloud Control continue to enforce their security policies.

Note

We advise against using Security Cloud Control to deploy configuration changes on the devices it manages during maintenance periods.
If there is any issue that stops Security Cloud Control from communicating, we address that failure on all affected tenants as quickly as possible, even if it is outside the maintenance window.

Cloud-Delivered Firewall Management Center Maintenance Schedule

Customers who have a cloud-delivered Firewall Management Center deployed on their tenant are notified approximately 1 week before Security Cloud Control updates the cloud-delivered Firewall Management Center environment. Super Admin and Admin users of the tenant are notified by email. Security Cloud Control also displays a banner on its home page notifying all users of upcoming updates.

Note

We advise you not to use Cloud-Delivered Firewall Management Center to deploy configuration changes on the devices it manages during maintenance periods.
If there is any issue that stops Security Cloud Control or cloud-delivered Firewall Management Center from communicating, that failure is addressed on all affected tenants as quickly as possible, even if it is outside the maintenance window.

Introduction to Objects

An object is a container of information that you can use in one or more security policies. Objects make it easy to maintain policy consistency. You can create a single object, use it different policies, modify the object, and that change is propagated to every policy that uses the object. Without objects, you would need to modify all the policies, individually, that require the same change.

When you onboard a device, Security Cloud Control recognizes all the objects used by that device, saves them, and lists them on the Objects page. From the Objects page, you can edit existing objects and create new ones to use in your security policies.

Security Cloud Control calls an object used on multiple devices a shared object and identifies them in the Objects page with this badge .

Sometimes a shared object develops some "issue" and is no longer perfectly shared across multiple policies or devices:

Duplicate objects are two or more objects on the same device with different names but the same values. These objects usually serve similar purposes and are used by different policies. Duplicate objects are identified by this issue icon:
Inconsistent objects are objects on two or more devices with the same name but different values. Sometimes users create objects in different configurations with same name and content but over time the values of these objects diverge which creates the inconsistency. Inconsistent objects are identified by this issue icon:
Unused objects are objects that exist in a device configuration but are not referenced by another object, an access-list, or a NAT rule. Unused objects are identified by this issue icon:

You can also create objects for immediate use in rules or policies. You can create an object that is unassociated with any rule or policy. When you use that unassociated object in a rule or policy, Security Cloud Control creates a copy of it and uses the copy.

You can view the objects managed by Security Cloud Control by navigating to the Objects menu or by viewing them in the details of a network policy.

Security Cloud Control allows you to manage network and service objects across supported devices from one location. With Security Cloud Control, you can manage objects in these ways:

Search for and filter all your objects based on a variety of criteria.
Find duplicate, unused, and inconsistent objects on your devices and consolidate, delete, or resolve those object issues.
Find unassociated objects and delete them if they are unused.
Discover shared objects that are common across devices.
Evaluate the impact of changes to an object on a set of policies and devices before committing the change.
Compare a set of objects and their relationships with different policies and devices.
Capture objects in use by a device after it has been on-boarded to Security Cloud Control.

If you have issues with creating, editing, or reading objects from an onboarded device, see Troubleshoot Security Cloud Control for more information.

Object Types

The following table describes the objects that you can create for your devices and manage using Security Cloud Control.

Table 1. Adaptive Security Appliance (ASA) Object Types
Object	Description
Address Pool	Address pool objects can be configured to match against an individual IPv4 or IPv6 address or an IP address range.
AnyConnect Client Profile	AnyConnect Client Profile objects are file objects and represent files used in configurations, typically for remote access VPN policies. They can contain an AnyConnect Client Profile and AnyConnect Client Image files.
Network	Network groups and network objects (collectively referred to as network objects) define the addresses of hosts or networks.
Service	Service objects, service groups, and port groups are reusable components that contain protocols or ports considered part of the TCP/IP protocol suite.
Time Range	A time range object defines a specific time consisting of a start time, an end time, and optional recurring entries. You use these objects in network policies to provide time-based access to certain features or assets.
Trustpoints	Trustpoints let you manage and track digital certificates in ASA.

Shared Objects

Security Cloud Control calls objects on multiple devices with the same name and same contents, shared objects. Shared objects are identified by this icon

on the Objects page. Shared objects make it easy to maintain policies because you can modify an object in one place and that change affects all the other policies that use that object. Without shared objects, you would need to modify all the policies individually that require the same change.

When looking at a shared object, Security Cloud Control shows you the contents of the object in the object table. Shared objects have exactly the same contents. Security Cloud Control shows you a combined or "flattened" view of the elements of the object in the details pane. Notice that in the details pane, the network elements are flattened into a simple list and not directly associated with a named object.

Object Overrides

An object override allows you to override the value of a shared network object on specific devices. Security Cloud Control uses the corresponding value for the devices that you specify when configuring the override. Although the objects are on two or more devices with the same name but different values, Security Cloud Control doesn't identify them as Inconsistent objects only because these values are added as overrides.

You can create an object whose definition works for most devices, and then use overrides to specify modifications to the object for the few devices that need different definitions. You can also create an object that needs to be overridden for all devices, but its use allows you to create a single policy for all devices. Object overrides allow you to create a smaller set of shared policies for use across devices without giving up the ability to alter policies when needed for individual devices.

For example, consider a scenario where you have a printer server in each of your offices, and you have created a printer server object print-server. You have a rule in your ACL to deny printer servers from accessing the internet. The printer server object has a default value that you want to change from one office to another. You can do this by using object overrides and maintain rule and "printer-server" object consistent across all locations, although their values may be different.

Note

If there are inconsistent objects, you can combine them into a single shared object with overrides. For more information, see Resolve Inconsistent Object Issues.

Unassociated Objects

You can create objects for immediate use in rules or policies. You can also create an object that is unassociated with any rule or policy. When you use that unassociated object in a rule or policy, Security Cloud Control creates a copy of it and uses the copy. The original unassociated object remains among the list of available objects until it is either deleted by a nightly maintenance job, or you delete it.

Unassociated objects remain in Security Cloud Control as a copy to ensure that not all configurations are lost if the rule or policy associated with the object is deleted accidentally.

In the left pane, click Objects > and check the Unassociated checkbox.

Compare Objects

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Objects and choose an option.
Step 3	Filter the objects on the page to find the objects you want to compare.
Step 4	Click the Compare button .
Step 5	Select up to three objects to compare.
Step 6	View the objects, side-by-side, at the bottom of the screen. Click the up and down arrows in the Object Details title bar to see more or less of the Object Details. Expand or collapse the Details and Relationships boxes to see more or less information.
Step 7	(Optional) The Relationships box shows how an object is used. It may be associated with a device or a policy. If the object is associated with a device, you can click the device name and then click View Configuration to see the configuration of the device. Security Cloud Control shows you the device's configuration file and highlights the entry for that object.

Filters

You can use many different filters on the Security Devices and Objects pages to find the devices and objects you are looking for.

To filter, click in the left-hand pane of the Security Devices, Policies, and Objects tabs:

The Security Devices filter allows you to filter by device type, hardware and software versions, snort version, configuration status, connection states, conflict detection, and secure device connectors, and labels. You can apply filters to find devices within a selected device type tab. You can use filters to find devices within the selected device type tab.

The object filter allows you to filter by device, issue type, shared objects, unassociated objects, and object type. You can include system objects in your results or not. You can also use the search field to search for objects in the filter results that contain a certain name, IP address, or port number.

The object type filter allows you to filter objects by type, such as network object, network group, URL object, URL group, service object, and service group. The shared objects filter allows filtering objects having default values or override values.

When filtering devices and objects, you can combine your search terms to create several potential search strategies to find relevant results.

In the following example, filters are applied to search for objects that are "Issues (Unused OR Inconsistent) AND Shared Objects (with Default Values OR Additional Values) AND Unassociated Objects."

Object Filters

To filter, click in the left-hand pane of the Objects tab:

Filter by Device: Lets you pick a specific device so that you can see objects found on the selected device.
Issues: Lets you pick unused, duplicate, and inconsistent objects to view.
Ignored Issues: Lets you view all the objects whose inconsistencies you had ignored.
Shared Objects: Lets you view all the objects that Security Cloud Control has found to be shared on more than one device. You can choose to see shared objects with only default values or override values, or both.
Unassociated Objects: Lets you view all the objects that are not associated with any rule or policy.
Object Type: Lets you select an object type to see only those type of objects that you have selected, such as network objects, network groups, URL objects, URL groups, service objects, and service groups.

Sub filters – Within each main filter, there are sub-filters you can apply to further narrow down your selection. These sub-filters are based on Object Type – Network, Service, Protocol, etc.

The selected filters in this filter bar would return objects that match the following criteria:

* Objects that are on one of two devices. (Click Filter by Device to specify the devices.) AND are

* Inconsistent objects AND are

* Network objects OR Service objects AND

* Have the word "group" in their object naming convention

Because Show System Objects is checked, the result would include both system objects and user-defined objects.

Show System-Defined Objects Filter

Some devices come with predefined objects for common services. These system objects are convenient because they are already made for you and you can use them in your rules and policies. There can be many system objects in the objects table. System objects cannot be edited or deleted.

Show System-Defined Objects is off by default. To display system objects in the object table, check Show System-Defined Objects in the filter bar. To hide system objects in the object table, leave Show System Objects unchecked in the filter bar.

If you hide system objects, they will not be included in your search and filtering results. If you show system objects, they will be included in your object search and filtering results.

Configure Object Filters

You can filter on as few or as many criteria as you want. The more categories you filter by, the fewer results you should expect.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Objects.
Step 3	Open the filter panel by clicking the filter icon at the top of the page. Uncheck any filters that have been checked to make sure no objects are inadvertently filtered out. Additionally, look at the search field and delete any text that may have been entered in the search field.
Step 4	If you want to restrict your results to those found on particular devices: Click Filter By Device. Search all the devices or click a device tab to search for only devices of a certain kind. Check the device you want to include in your filter criteria. Click OK.
Step 5	Check Show System Objects to include system objects in your search results. Uncheck Show System Objects to exclude system objects from your search results.
Step 6	Check the object Issues you want to filter by. If you check more than one issue, objects in any of the categories you check are included in your filter results.
Step 7	Check Ignored issues if you want to see the object that had issues but was ignored by the administrator.
Step 8	Check the required filter in Shared Objects if you are filtering for objects shared between two or more devices. Default Values: Filters objects having only the default values. Override Values: Filters objects having overridden values. Additional Values: Filters objects having additional values.
Step 9	Check Unassociated if you are filtering for objects that are not part of any rule or policy.
Step 10	Check the Object Types you want to filter by.
Step 11	You can also add an object name, IP address, or port number to the Objects search field to find objects with your search criteria among the filtered results.

When to Exclude a Device from Filter Criteria

When adding a device to filtering criteria, the results show you the objects on a device but not the relationships of those objects to other devices. For example, assume ObjectA is shared between ASA1 and ASA2. If you were to filter objects to find shared objects on ASA1, you would find ObjectA but the Relationships pane would only show you that the object is on ASA1.

To see all the devices to which an object is related, don't specify a device in your search criteria. Filter by the other criteria and add search criteria if you choose to. Select an object that Security Cloud Control identifies and then look in the Relationships pane. You will see all the devices and policies the object is related to.

Unignore Objects

One way to resolve unused, duplicate, or inconsistent objects is to ignore them. You may decide that though an object is unused, a duplicate, or inconsistent, there are valid reasons for that state and you choose to leave the object issue unresolved. At some point in the future, you may want to resolve those ignored objects. As Security Cloud Control does not display ignored objects when you search for object issues, you will need to filter the object list for ignored objects and then act on the results.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Objects and choose an option.
Step 3	Filter and search for ignored objects.
Step 4	In the Object table, select the object you want to unignore. You can unignore one object at a time.
Step 5	Click Unignore in the details pane.
Step 6	Confirm your request. Now, when you filter your objects by issue, you should find the object that was previously ignored.

Deleting Objects

You can delete a single object or mulitple objects.

Delete a Single Object

Caution

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Changes you make to the ASA, FDM, and FTD network objects and groups are reflected in the corresponding Cloud-Delivered Firewall Management Center network object or group. In addition, an entry is created in the Devices with Pending Changes page for each on-premises management center with Discover & Manage Network Objects enabled, from which you can choose and deploy the changes to the on-premises management center on which you have these objects.

Deleting a network object or group from either page deletes the object or group from both pages.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Objects.
Step 3	Locate the object you want to delete by using object filters and the search field, and select it.
Step 4	Review the Relationships pane. If the object is used in a policy or in an object group, you cannot delete the object until you remove it from that policy or group.
Step 5	In the Actions pane, click the Remove icon .
Step 6	Confirm that you want to delete the object by clicking OK.
Step 7	Review and deploy the changes you made, or wait and deploy multiple changes at once.

Delete a Group of Unused Objects

As you onboard devices and start resolving object issues, you find many unused objects. You can delete up to 50 unused objects at a time.

Procedure

Step 1	Use the Issues filter to find unused objects. You can also use the Device filter to find objects that are not associated with a device by selecting No Device. Once you have filtered the object list, the object checkboxes appear.
Step 2	Check the Select all checkbox in the object table header to select all the objects found by the filter that appear in the object table; or, check individual checkboxes for individual objects you want to delete.
Step 3	In the Actions pane, click the Remove icon .
Step 4	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Network Objects

A network object can contain a host name, a network IP address, a range of IP addresses, a fully qualified domain name (FQDN), or a subnetwork expressed in CIDR notation. Network groups are collections of network objects and other individual addresses or subnetworks that you add to the group. Network objects and network groups are used in access rules, network policies, and NAT rules. You can create, update, and delete network objects and network groups using Security Cloud Control.

Note that not all platforms support network objects, such as Cisco Meraki and Multicloud Defense; when you share dynamic objects, Security Cloud Control automatically translates the appropriate information from the originating platform or device into a set of usable information that Security Cloud Control can use.

Table 2. Permitted Values of Network Objects
Device type	IPv4 / IPv6	Single Address	Range of addresses	Fully Qualified Domain Name	Subnet using CIDR Notation
ASA	IPv4 and IPv6	Yes	Yes	Yes	Yes
Multicloud Defense	IPv4 and IPv6	Yes	Yes	Yes	Yes

Table 3. Permitted Contents of a Network Group
Device type	IP Value	Network Object	Network Groups
ASA	Yes	Yes	Yes
Multicloud Defense	Yes	Yes	Yes

Reusing Network Objects Across Products

If you have a Security Cloud Control tenant with a Cloud-Delivered Firewall Management Center and one or more on-premises management centers onboarded to your tenant:

When you create a Secure Firewall Threat Defense, FDM-managed Firewall Threat Defense, ASA, or Meraki network object or group, a copy of the object is also added to the objects list on the Objects page used when configuring Cloud-Delivered Firewall Management Center, and vice versa.
When you create a Secure Firewall Threat Defense, FDM-managed Firewall Threat Defense, or ASA network object or group, an entry is created in the Devices with Pending Changes page for each On-Premises Firewall Management Center for which Discover & Manage Network Objects is enabled. From this list, you can choose and deploy the object to the on-premises management center on which you want to use the object and discard the ones that you do not want. Navigate , Administration > Firewall Management Center select the on-premises management center, and click Objects to see your objects in the On-Premises Firewall Management Center user interface and assign them to policies.

Changes you make to network objects or groups on either page apply to the object or group instance on both pages. Deleting an object from one page also deletes the corresponding copy of the object from the other page.

Exceptions:

If a network object of the same name already exists for Cloud-Delivered Firewall Management Center, the new Secure Firewall Threat Defense, FDM-managed Firewall Threat Defense, ASA, or Meraki network object will not be replicated on the Objects page of Security Cloud Control.
Network objects and groups in onboarded Firewall Threat Defense devices that are managed by on-premises Secure Firewall Management Center are not replicated and cannot be used in Cloud-Delivered Firewall Management Center.

Note that for on-premises Secure Firewall Management Center instances that have been migrated to Cloud-Delivered Firewall Management Center, network objects and groups are replicated to the Security Cloud Control objects page if they are used in policies that were deployed to FTD devices.
Sharing Network Objects between Security Cloud Control and Cloud-Delivered Firewall Management Center is automatically enabled on new tenants but must be requested for existing tenants. If your network objects are not being shared with Cloud-Delivered Firewall Management Center, contact TAC to have the features enabled on your tenant.
Sharing network objects between Security Cloud Control and On-Premises Management Center is not automatically enabled on Security Cloud Control for new on-premises management centers onboarded to Security Cloud Control. If your network objects are not being shared with On-Premises Management Center, ensure the Discover & Manage Network Objects toggle button is enabled for the on-premises management center in Settings or contact TAC to have the features enabled on your tenant.

Viewing Network Objects

Network objects you create using Security Cloud Control and those Security Cloud Control recognizes in an onboarded device's configuration are displayed on the Objects page. They are labeled with their object type. This allows you to filter by object type to quickly find the object you are looking for.

When you select a network object on the Objects page, you see the object's values in the Details pane. The Relationships pane shows you if the object is used in a policy and on what device the object is stored.

When you click on a network group, you see the contents of that group. The network group is a conglomerate of all the values given to it by the network objects.

Create or Edit ASA Network Objects and Network Groups

An ASA network object can contain a hostname, an IP address, or a subnet address expressed in CIDR notation. Network groups are conglomerates of network objects, network groups, and IP addresses that are used in access rules, network policies, and NAT rules. You can create, read, update, and delete network objects and network groups using Security Cloud Control.

Table 4. Permitted Values of ASA Network Objects and Groups
Device type	IPv4 / IPv6	Single Address	Range of addresses	Partially Qualified Domain Name (PQDN)	Subnet using CIDR Notation
ASA	IPv4 / IPv6	Yes	Yes	Yes	Yes

Note

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

When you create an FTD, FDM, or ASA network object or group on the Objects page, a copy of the object is automatically added to the Cloud-Delivered Firewall Management Center and vice-versa. In addition, an entry is created in the Devices with Pending Changes page for each on-premises management center with Discover & Manage Network Objects enabled, from which you can choose and deploy the objects to the on-premises management center on which you want these objects.

Caution

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Deleting a network object or group from either page deletes the object or group from both pages.

Create an ASA Network Object

A network object can contain a host name, a network IP address, a range of IP addresses, a fully qualified domain name (FQDN), or a subnetwork expressed in CIDR notation. Network objects are used in access rules, network policies, and NAT rules. You can create, update, and delete network objects and network groups using Security Cloud Control.

Note

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, click Manage > Objects.

Step 3

Click the blue plus button to create an object.

Step 4

Click ASA > Network.

Step 5

Enter an object name.

Step 6

Select Create a network object.

Step 7

(optional) Enter an object description.

Step 8

In the Value section, add the IP address information in one of these ways:

Select eq and then enter a single IP address, a subnet address using CIDR notation, or a Partially Qualified Domain Name (PQDN).
Select range and then enter a range of IP addresses. Enter the range with the beginning and ending address in the range separated by a space. For example, 10.1.1.1 10.1.1.255 or 2001:DB8:1::1 2001:DB8:1::3

Step 9

Click Add.

Important

The newly created network objects aren't associated with any ASA device as they aren't part of any rule or policy. To see these objects, select the Unassociated objects category in object filters.

For more information, see Object Filters. Once you use the unassociated objects in a device's rule or policy, such objects are associated with that device.

Create an ASA Network Group

A network group can contain IP address values, network objects, and network groups. When you are creating a new network group, you can search for existing objects by their name, IP addresses, IP address range, or FQDN and add them to the network group. If the object isn't present, you can instantly create that object in the same interface and add it to the network group. Network groups can contain both IPv4 and IPv6 addresses.

Note

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, click Manage > Objects.

Step 3

Click the blue plus button to create an object.

Step 4

Click ASA > Network.

Step 5

Enter an Object Name.

Step 6

Select Create a network group.

Step 7

(optional) Enter an object description.

Step 8

In the Values field, enter a value or object name. When you start typing, Security Cloud Control provides object names or values that match your entry.

Step 9

You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.

Step 10

If Security Cloud Control finds a match, to choose an existing object, click Add to add the network object or network group to the new network group.

Step 11

If you have entered a value or object that is not present, you can perform one of the following:

Click Add as New Object With This Name to create a new object with that name. Enter a value and click the check mark to save it.
Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the check mark to save it.
Click Add Value to create an inline value without using an object. Enter a value and click the check mark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

Note

You can click the edit icon to modify the details. Clicking the delete button doesn't delete the object itself; instead, it removes it from the network group.

Step 12

After adding the required objects, click Add to create a new network group.

Step 13

Preview and Deploy Configuration Changes for All Devices.

Edit an ASA Network Object

Caution

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Deleting a network object or group from either page deletes the object or group from both pages.

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, click Manage > Objects.

Step 3

Locate the object you want to edit by using object filters and search field.

Step 4

Select the network object and click the edit icon in the Actions pane.

Step 5

Edit the values in the dialog box in the same fashion that you created in the procedures above.

Note

Click the delete icon next to remove the object from the network group.

Step 6

Click Save. Security Cloud Control displays the devices that will be affected by the change.

Step 7

Click Confirm to finalize the change to the object and any devices affected by it.

Edit an ASA Network Group

Caution

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Deleting a network object or group from either page deletes the object or group from both pages.

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, click Manage > Objects.

Step 3

Locate the network group you want to edit by using object filters and search field.

Step 4

Select the network group and click the edit icon in the Actions pane.

Step 5

If you want to change the objects or network groups that are already added to the network group, perform the following steps:

Click the edit icon appearing beside the object name or network group to modify them.
Click the checkmark to save your changes.

Note

You can click the remove icon to delete the value from a network group.

Step 6

If you want to add new network objects or network groups to this network group, you have to perform the following steps:

In the Values field, enter a new value or the name of an existing network object. When you start typing, Security Cloud Control provides object names or values that match your entry. You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.
If Security Cloud Control finds a match, to choose an existing object, click Add to add the network object, or network group to the new network group.
If you have entered a value or object that is not present, you can perform one of the following:
- Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it.
- Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it.
- Click Add Value to create an inline value without using an object. Enter a value and click the checkmark to save it.

It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.

Step 7

Click Save. Security Cloud Control displays the policies that will be affected by the change.

Step 8

Click Confirm to finalize the change to the object and any devices affected by it.

Step 9

Preview and Deploy Configuration Changes for All Devices.

Add Additional Values to a Shared Network Group in Security Cloud Control

The values in a shared network group that are present on all devices associated with it are called "default values." Security Cloud Control allows you to add "additional values" to the shared network group and assign those values to some devices associated with that shared network group. When Security Cloud Control deploys the changes to the devices, it determines the contents and pushes the "default values" to all devices associated with the shared network group and the "additional values" only to the specified devices.

For example, consider a scenario where you have four AD main servers in your head office that should be accessible from all your sites. Therefore, you have created an object group named "Active-Directory" to use it in all your sites. Now you want to add two more AD servers to one of your branch offices. You can do this by adding their details as additional values specific to that branch office on the object group "Active-Directory." These two servers do not participate in determining whether the object "Active-Directory" is consistent or shared. Therefore, the four AD main servers are accessible from all your sites, but the branch office (with two additional servers) can access two AD servers and four AD main servers.

Note

If there are inconsistent shared network groups, you can combine them into a single shared network group with additional values. See Resolve Inconsistent Object Issues for more information.

Caution

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Deleting a network object or group from either page deletes the object or group from both pages.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Locate the shared network group that you want to edit by using object filters and search field.
Step 4	Click the edit icon in the Actions pane. The Devices field shows the devices that the shared network group is present. The Usage field shows the rulesets associated with the shared network group. The Default Values field specifies the default network objects and their values associated with the shared network group that was provided during their creation. Next to this field, you can see the number of devices that contain this default value, and you can click to see their names and device types. You can also see the rulesets associated with this value.
Step 5	In the Additional Values field, enter a value or name. When you start typing, Security Cloud Control provides object names or values that match your entry.
Step 6	You can choose one of the existing objects shown or create a new one based on the name or value that you have entered.
Step 7	If Security Cloud Control finds a match, to choose an existing object, click Add to add the network object or network group to the new network group.
Step 8	If you have entered a value or object that is not present, you can perform one of the following: Click Add as New Object With This Name to create a new object with that name. Enter a value and click the checkmark to save it. Click Add as New Object to create a new object. The object name and value are the same. Enter a name and click the checkmark to save it. Click Add Value to create an inline value without using an object. Enter a value and click the checkmark to save it. It is possible to create a new object even though the value is already present. You can make changes to those objects and save them.
Step 9	In the Devices column, click the cell associated with the newly added object and click Add Devices.
Step 10	Select the devices that you want and click OK.
Step 11	Click Save. Security Cloud Control displays the devices that will be affected by the change.
Step 12	Click Confirm to finalize the change to the object and any devices affected by it.
Step 13	Preview and Deploy Configuration Changes for All Devices.

Edit Additional Values in a Shared Network Group in Security Cloud Control

Caution

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Deleting a network object or group from either page deletes the object or group from both pages.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Locate the object having the override you want to edit by using object filters and search field.
Step 4	Click the edit icon in the Actions pane.
Step 5	Modify the override value: Click the edit icon to modify the value. Click the cell in the Devices column to assign new devices. You can select an already assigned device and click Remove Overrides to remove overrides on that device. Click arrow in Default Values to push and make it an additional value of the shared network group. All devices associated with the shared network group are automatically assigned to it. Click arrow in Override Values to push and make it as default objects of the shared network group. Click the delete icon next to remove the object from the network group.
Step 6	Click Save. Security Cloud Control displays the devices that will be affected by the change.
Step 7	Click Confirm to finalize the change to the object and any devices affected by it.
Step 8	Preview and Deploy Configuration Changes for All Devices.

Deleting Network Objects and Groups in Security Cloud Control

If Cloud-Delivered Firewall Management Center is deployed on your tenant:

Deleting a network object or group from the Manage > Objects page deletes the replicated network object or group from the Manage > Objects page on the Cloud-Delivered Firewall Management Center and vice-versa.

Trustpoint Objects

Security Cloud Control allows you to add digital certificates as trustpoint objects and then install them on one or multiple managed ASA devices. A single trustpoint object is a container that holds an identity pair (identity certificate and issuer's CA certificate), identity certificate only, or CA certificate only.

You can configure many trustpoints in an ASA device. The supported certificate formats are PKCS12, PEM, and DER.

Adding an Identity Certificate Object Using PKCS12

This procedure creates an internal certificate identity or internal identity certificate by uploading a certificate file or pasting existing certificate text into a text box. You can generate as many identity certificates as you want.

You can upload a file encoded in PKCS12 format. A PKCS12 is a single file that holds the CA server certificate, any intermediate certificates, and the private key in one encrypted file. A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Click and select ASA > Trustpoints.
Step 4	Enter an Object Name for the certificate. The name is used in the configuration as an object name only, it does not become part of the certificate itself.
Step 5	In the Certificate Type step, select Identity Certificate.
Step 6	In the Import Type step, select Upload to upload the certificate file. The Enrollment step is set to Terminal.
Step 7	In the Certificate Contents step, enter the PKCS12 format details. A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.
Step 8	Click Continue.
Step 9	In the Advanced Options step, you can configure the following: In the Revocation tab, you can configure the following: Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking. By default the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate. Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1-1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available. Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking. OCSP Server URL—The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with `http://`. Disable Nonce Extension — Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension. Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first in CRL or OSCP. Consider the certificate valid if revocation information cannot be reached— Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable. For more information on revocation check, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document. Click the Others tab: Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA. IPSec Client — Validates certificate presented by remote SSL servers. SSL Client — Validates certificates presented by incoming SSL connections. SSL Server — Validates certificates presented by incoming IPSec connections. Use Identity Certificate for — Specify how the enrolled ID certificate can be used. SSL & IPSec — Use for authenticating SSL & IPSec connections Code Signer — Code signer certificates are special certificates whose associated private keys are used to create digital signatures. The certificates used to sign code are obtained from a CA, with the signed code itself revealing the certificate origin. Other Options: Enable CA flag in basic constraints extension — Select this option if this certificate should be able to sign other certificates. The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA. Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.
Step 10	Click Add.

Create a Self-Signed Identity Certificate Object

This procedure describes steps for generating a self-signed certificate for your ASA by entering the appropriate certificate field values in a wizard. You can generate as many self-signed certificates as you want.

To create a Self-Signed identity certificate object, perform these steps:

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Click and select ASA > Trustpoints.
Step 4	Enter an Object Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself.
Step 5	In the Identity Certificate step, select Identity Certificate.
Step 6	In the Import Type step, select New to upload the certificate file and click Continue.
Step 7	In the Enrollment step, select Self-Signed and click Continue. The Certificates Content step appears. Read Self-Signed and CSR Certificate Generation Based on Certificate Contents to understand the CN and SANS content in the Self-Signed certificate that is being generated.
Step 8	In the Certificate Contents step, configure the following: Country (C)— Select the country code from the drop-down list. State or Province (ST)—The state or province to include in the certificate. Locality or City (L)—The locality to include in the certificate, such as the name of the city. Organization (O)—The organization or company name to include in the certificate. Organizational Unit (Department) (OU)—The name of the organization unit (for example, a department name) to include in the certificate. Common Name (CN)—The X.500 common name to include in the certificate. This could be the name of the device, web site, or another text string. This element is usually required for successful connections. For example, you must include a CN in the internal certificate used for remote access VPN. Email Address (EA)— The e-mail address associated with the identity certificate. IP Address— The ASA IP address on the network in four-part dotted-decimal notation. Device's FQDN— An unambiguous domain name, to indicate the position of the node in the DNS tree hierarchy. Include Device's Serial Number— Select the check box if you want to add the ASA serial number to the certificate parameters. Click the Key tab. Choose the RSA or ECDSA key type. Key Size: If the key pair does not exist, defines the desired key size (modulus), in bits. The recommended key size for RSA is 1024 and for ECDSA is 348. The larger the modulus size, the more secure the key. However, keys with larger modulus sizes take longer to generate (a minute or more when larger than 512 bits) and longer to process when exchanged. Click Continue.
Step 9	In the Advanced Options step, you can configure the following: In the Revocation tab, you can configure the following: Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking. By default the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate. Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1 to 1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available. Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking. OCSP Server URL — The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with `http://`. Disable Nonce Extension — Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension. Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first in CRL or OSCP. Consider the certificate valid if revocation information cannot be reached — Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable. For more information on revocation check, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document. Click the Others tab: Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA. IPSec Client — Validates certificate presented by remote SSL servers. SSL Client — Validates certificates presented by incoming SSL connections. SSL Server — Validates certificates presented by incoming IPSec connections. Use Identity Certificate for — Specify how the enrolled ID certificate can be used. SSL & IPSec — Use for authenticating SSL & IPSec connections Code Signer — Code signer certificates are special certificates whose associated private keys are used to create digital signatures. The certificates used to sign code are obtained from a CA, with the signed code itself revealing the certificate origin. Other Options: Enable CA flag in basic constraints extension — Select this option if this certificate should be able to sign other certificates. The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate i Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA. Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.
Step 10	Click Add.

Add an Identity Certificate Object for Certificate Signing Request (CSR)

The Certification Authority (CA) server information and enrollment parameters are required to generate Certificate Signing Requests (CSRs) and obtain Identity Certificates from the specified CA. You need to select either Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) key type to generate the request.

Create a trustpoint object by providing identification information and optionally uploading a CA certificate obtained from a CA.

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, click Manage > Objects.

Step 3

Click and select ASA > Trustpoints.

Step 4

Enter an Object Name for the certificate.

The name is used in the configuration as an object name only; it does not become part of the certificate itself.

Step 5

In the Identity Certificate step, select Identity Certificate.

Step 6

In the Import Type step, select New to upload the certificate file and click Continue.

Step 7

In the Enrollment step, select Manual.

Step 8

(optional) You can paste or upload the CA certificate obtained from your CA. You can leave the field empty.

Step 9

Click Continue.

The Certificates Content step appears. Read Self-Signed and CSR Certificate Generation Based on Certificate Contents to understand the CN and SANS content in the Signed certificate that is being generated.

Step 10

In the Certificate Contents step, configure the following:

Country (C)— Select the country code from the drop-down list.
State or Province (ST)—The state or province to include in the certificate.
Locality or City (L)—The locality to include in the certificate, such as the name of the city.
Organization (O)—The organization or company name to include in the certificate.
Organizational Unit (Department) (OU)—The name of the organization unit (for example, a department name) to include in the certificate.
Common Name (CN)—The X.500 common name to include in the certificate. This could be the name of the device, web site, or another text string. This element is usually required for successful connections. For example, you must include a CN in the internal certificate used for remote access VPN.
Email Address (EA)— The e-mail address associated with the identity certificate.
IP Address— The ASA IP address on the network in four-part dotted-decimal notation.

Subject Alternative Name (SAN)— This field will be part of Certificate Subject DN as 'unstructuredName' as well. We recommend you use this field if the certificate is used for multiple domains or IP addresses.

Use Device Host Name: Host name of the device is used.

Custom: Device's FQDN— An unambiguous domain name, to indicate the position of the node in the DNS tree hierarchy.

Note

We recommend the values specified in CN and Custom FQDN are the same.

Include Device's Serial Number— Select the check box if you want to include the serial number of ASA in the certificate. The CA uses the serial number to either authenticate certificates or to later associate a certificate with a particular device. If you are in doubt, include the serial number, as it is useful for debugging purposes.

Click the Key tab.
- Choose the RSA or ECDSA key type.
- Key Size: If the key pair does not exist, defines the desired key size (modulus), in bits. The recommended key size for RSA is 1024 and for ECDSA is 348. The larger the modulus size, the more secure the key. However, keys with larger modulus sizes take longer to generate (a minute or more when larger than 512 bits) and longer to process when exchanged.
- Click Continue.

Step 11

In the Advanced Options step, you can configure the following:

In the Revocation tab, you can configure the following:

Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking.

By default, the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate.

Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1 to 1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available.
Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking.

OCSP Server URL—The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with http://.

Disable Nonce Extension — Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension.

Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first in CRL or OSCP.
Consider the certificate valid if revocation information cannot be reached— Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable.

For more information on revocation check, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document.

Click the Others tab:

Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA.
- IPSec Client — Validates certificate presented by remote SSL servers.
- SSL Client — Validates certificates presented by incoming SSL connections.
- SSL Server — Validates certificates presented by incoming IPSec connections.
Use Identity Certificate for — Specify how the enrolled ID certificate can be used.
- SSL & IPSec — Use for authenticating SSL & IPSec connections
- Code Signer — Code signer certificates are special certificates whose associated private keys are used to create digital signatures. The certificates used to sign code are obtained from a CA, with the signed code itself revealing the certificate origin.
Other Options:
- Enable CA flag in basic constraints extension — Select this option if this certificate should be able to sign other certificates. The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate i
- Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA.
- Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.

Step 12

Click Add.

This creates a trustpoint certificate object.

Add a Trusted CA Certificate Object

Obtain a trusted CA certificate from an external certificate authority, or create one using your own internal CA, for example, with OpenSSL tools. You can upload a file encoded in one of the following supported formats:

Distinguished Encoding Rules (DER)
Privacy-enhanced Electronic Mail (PEM)

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Click and select ASA > Trustpoints.
Step 4	Enter an Object Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself.
Step 5	In the Certificate Type step, select Trusted CA Certificate.
Step 6	In the Certificate Contents step, paste the certificate contents in the text box or upload the CA certificate file as explained in the wizard.
Step 7	Click Continue. The wizard advances to step 4. The certificate must follow these guidelines: The name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails. The certificate must be an X509 certificate in PEM or DER format. The certificate you paste must include the BEGIN CERTIFICATE and END CERTIFICATE lines. For example: -----BEGIN CERTIFICATE----- MIIFgTCCA2mgAwIBAgIJANvdcLnabFGYMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV BAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGYXVzdGluMRQwEgYDVQQKDAsx OTIuMTY4LjEuMTEUMBIGA1UEAwwLMTkyLjE2OC4xLjEwHhcNMTYxMDI3MjIzNDE3 WhcNMTcxMDI3MjIzNDE3WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzAN BgNVBAcMBmF1c3RpbjEUMBIGA1UECgwLMTkyLjE2OC4xLjExFDASBgNVBAMMCzE5 Mi4xNjguMS4xMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5NceYwtP ES6Ve+S9z7WLKGX5JlF58AvH82GPkOQdrixn3FZeWLQapTpJZt/vgtAI2FZIK31h (...20 lines removed...) hbr6HOgKlOwXbRvOdksTzTEzVUqbgxt5Lwupg3b2ebQhWJz4BZvMsZX9etveEXDh PY184V3yeSeYjbSCF5rP71fObG9Iu6+u4EfHp/NQv9s9dN5PMffXKieqpuN20Ojv 2b1sfOydf4GMUKLBUMkhQnip6+3W -----END CERTIFICATE-----
Step 8	In the Advanced Options step, you can configure the following: In the Revocation tab, you can configure the following: Enable Certificate Revocation Lists (CRL) — Check to enable CRL checking. By default, the Use CRL distribution point from the certificate check box is selected to obtain the revocation lists distribution URL from the certificate. Cache Refresh Time (in minutes) — Enter the number of minutes between cache refreshes. The default is 60 minutes. The range is 1 to 1440 minutes. To avoid having to retrieve the same CRL from a CA repeatedly, the ASA can store retrieved CRLs locally, which is called CRL caching. The CRL cache capacity varies by platform and is cumulative across all contexts. If an attempt to cache a newly retrieved CRL would exceed its storage limits, the ASA removes the least recently used CRL until more space becomes available. Enable Online Certificate Status Protocol (OCSP) — Check to enable OCSP checking. OCSP Server URL—The URL of the OCSP server checking for revocation if you require OCSP checks. This URL must start with `http://`. Disable Nonce Extension — Enable the check box which cryptographically binds requests with responses to avoid replay attacks. This process works by matching the extension in the request to that in the response, ensuring that they are the same. Uncheck the Disable Nonce Extension check box if the OCSP server you are using sends pregenerated responses that do not include this matching nonce extension. Evaluation Priority — Specify whether to evaluate the revocation status of a certificate first in CRL or OSCP. Consider the certificate valid if revocation information cannot be reached— Select this check box to consider the certificate to be a valid certificate if revocation information is unreachable. For more information on revocation check, see the "Digital Certificates" chapter in the "Basic Settings" book of the Cisco ASA Series General Operations ASDM Configuration, X.Y document. Click the Others tab: Use CA Certificate for the Validation of — Specify the type of connections that can be validated by this CA. IPSec Client — Validates certificate presented by remote SSL servers. SSL Client — Validates certificates presented by incoming SSL connections. SSL Server — Validates certificates presented by incoming IPSec connections. Other Options: Enable CA flag in basic constraints extension — Select this option if you want to validate if the subject of the certificate is a CA using the basic constraints extension. Accept certificates issued by this CA — Select this option to indicate that the ASA should accept certificates from the specified CA. Accept certificates issued by the subordinates CAs of this CA — Select this option to indicate that the ASA should accept certificates from the subordinate CA. Ignore IPSec Key Usage — Select this option if you do not want to validate values in the key usage and extended key usage extensions of IPsec remote client certificates. You can suppress key usage checking on IPsec client certificates. By default, this option is not enabled.
Step 9	Click Add. This creates a trustpoint certificate object.

Self-Signed and CSR Certificate Generation Based on Certificate Contents

You need to have an idea of the CN and SANS content in the Self-Signed and CSR certificates. The content is based on the parameters you specify during their creation. You need to configure the parameters precisely for the AnyConnect clients to connect to the intended VPN headends of your organization.

This section provides different use cases with examples to give you an idea of the content of Self-Signed and CSR certificates based on the parameters specified.

Usecase 1: Different CN and FQDN values

Example:

Common Name (CN): mywebsite.com
FQDN: mysan.com

Table 5. Example: Different CN and FQDN values
	Common Name	unstructuredName	SANS
Self-Signed	mywebsite.com	mysan.com	mysan.com
CSR	mywebsite.com	mysan.com	-

Usecase 2: FQDN field set to None

Example:

Common Name (CN): mywebsite.com
FQDN: None

Table 6. Example: FQDN field set to None
	Common Name	SANS
Self-Signed	Host Name	-
CSR	mywebsite.com	-

Usecase 3: No FQDN (Default FQDN)

Example:

Common Name (CN): mywebsite.com

Table 7. Example: No FQDN (Default FQDN)
	Common Name	unstructuredName	SANS
Self-Signed	mywebsite.com	Host Name	-
CSR	mywebsite.com	Host Name	Host Name

Usecase 4: IP Address is specified in FQDN

Example:

Common Name (CN): mywebsite.com
FQDN: 4.5.6.7

Table 8. Example: IP Address is specified in FQDN
	Common Name	unstructuredName	SANS
Self-Signed	mywebsite.com	4.5.6.7	-
CSR	mywebsite.com	4.5.6.7	4.5.6.7

Usecase 5: IP Address is Specified

Example:

IP Address: 4.5.6.7
Common Name (CN): mywebsite.com
FQDN: fqdn.com

Table 9. Example: IP Address is specified
	Common Name	unstructuredAddress	unstructuredName	SANS
Self-Signed	mywebsite.com	4.5.6.7	fqdn.com	-
CSR	mywebsite.com	4.5.6.7	fqdn.com	fqdn.com

Usecase 6: Serial Number Check box is Selected

Example:

Serial Number: 9AQXMWOKDT9

Table 10. Example: IP Serial Number Check box is Selected
	serialNumber	SANS
Self-Signed	9AQXMWOKDT9	-
CSR	9AQXMWOKDT9	fqdn.com

Usecase 7: Email Address is Specified

Example:

EA: abc@xyz.com

Table 11. Example: Email Address is Specified
	unstructredName	emailAddress	SANS
Self-Signed	Host Name	abc@xyz.com	Host Name
CSR	Host Name	abc@xyz.com	-

RA VPN Objects

Service Objects

ASA Service Objects

ASA service objects, service groups, and port groups are reusable components that contain protocols or ports considered part of the IP protocol suite. In a service object you can specify a single protocol and assign it to a source port, destination port, or both source and destination ports. A service group contains many service objects and can include a mix of protocols.

A port group is a kind of ASA service object. Port groups contain port objects that pair a service type, such as TCP or UDP, and a port number or a range of port numbers. You can then use the objects in security policies for the purposes of defining traffic matching criteria. For example, you can use them in access control rules to allow traffic to a specific range of TCP ports.

See Create and Edit ASA Service Objects for more information.

Protocol Objects

Protocol objects are a type of service object that contain less-commonly used or legacy protocols. Protocol objects are identified by a name and protocol number. Security Cloud Control recognizes these objects in ASA and Firepower (FDM-managed device) configurations and gives them their own filter of "Protocols" so you can find them easily.

ICMP Objects

An Internet Control Message Protocol (ICMP) object is a service object specifically for ICMP and IPv6-ICMP messages. Security Cloud Control recognizes these objects in ASA and Firepower configurations when those devices are onboarded and Security Cloud Control gives them their own filter of "ICMP" so you can find the objects easily.

Using Security Cloud Control, you can rename or remove ICMP objects from an ASA configuration. You can use Security Cloud Control to create, update, and delete ICMP and ICMPv6 objects in a Firepower configuration.

Note

For the ICMPv6 protocol, AWS does not support choosing specific arguments. Only rules that allow all ICMPv6 messages are supported.

Create and Edit ASA Service Objects

In a service object, you can specify a single protocol and assign it to a source port, destination port, or both source and destination ports.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Click Create Object > ASA > Service.
Step 4	Enter an object name.
Step 5	Select Create a service object
Step 6	Click the Service Type button and select the protocol for which you want to make an object. For TCP, UDP, and TCP-UDP service types, enter a source port, destination port, or both: The source port identifier allows you to match traffic originating from a particular numbered port. In the source port identifier, select an operator: equal to, range, less than, greater than, or not equal to and provide the appropriate port number or range. The destination port identifier allows you to match traffic arriving at a particular numbered port. In the destination port identifier, select an operator: equal to, range, less than, greater than, or not equal to and provide the appropriate port number or range. For Protocol service types, enter a protocol number between 0-255, or a well-known name, such as ip, tcp, udp, gre, and so forth.
Step 7	Click Add.

Examples

A service object that identifies incoming FTP traffic would be one with a TCP Service type and a destination port range of 21.
A service object that identifies outgoing DNS and DNS over TCP traffic would be one with a tcp-udb service type and a source port equal to 53.

Create an ASA Service Group

A service group can be made up of one or more service objects representing one or more protocols.

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Click Create Object > ASA > Service.
Step 4	Enter an object name.
Step 5	Select Create a service group.
Step 6	Add an existing object by clicking Add Object, selecting an object, and clicking Select. Repeat this step to add more objects.
Step 7	If needed, add an extra individual service type value to the service group For TCP, UDP, and TCP-UDP service types, enter a source port, destination port, or both: The source port identifier allows you to match traffic originating from a particular numbered port. In the source port identifier, select an operator: equal to, range, less than, greater than, or not equal to and provide the appropriate port number or range. The destination port identifier allows you to match traffic arriving at a particular numbered port. In the destination port identifier, select an operator: equal to, range, less than, greater than, or not equal to and provide the appropriate port number or range. For Protocol service types, enter a protocol number between 0-255, or a well-known name, such as ip, tcp, udp, gre, and so forth.
Step 8	To add more individual port values, click Add Another Value and repeat step 6.
Step 9	Click Add when you are done adding service objects and service values to the service group.

Edit an ASA Service Object or Service Group

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Filter the objects to find the object you want to edit and then select the object in the object table.
Step 4	In the details pane, click edit .
Step 5	Edit the values in the dialog box in the same fashion that you created them in the procedures above.
Step 6	Click Save.
Step 7	Security Cloud Control displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.

ASA Time Range Objects

What is a Time Range Object?

A time range object defines a specific time consisting of a start time, an end time, and optional recurring entries. You use these objects in network policies to provide time-based access to certain features or assets. For example, you could create an access rule that allows access to a particular server during working hours only. Creating a time range does not restrict access to the device. Note that the times configured for these objects are local to the device.

You can add an absolute or recurring time ranges to this object. Recurring ranges are considered to be periodic time ranges.

Note

If a time range has both absolute and periodic values specified, then the periodic values are evaluated only after the absolute start time is reached and they are not further evaluated after the absolute end time is reached.

Create an ASA Time Range Object

Use the following procedure to create a time range object for an ASA device:

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Firewall.

Step 2

In the left pane, click Manage > Objects.

Step 3

Click > ASA > Time Range.

Step 4

Enter an object name.

Step 5

Define a time range.

Absolute Time Range - Enter a Start Time and an End Time for the desired time range; you can choose to execute this object over a matter of minutes, hours, days, or weeks. A time range object can only have one absolute time range.
Recurring Time Ranges - click the to add a periodic time range that will repeat throughout the week. Select the Frequency from the drop-down menu, the Days of the week the time range should go into effect, and the Start and End times. A time range object can have multiple periodic ranges.

Note

The start and end times for a time range object are optional. If an object has no start time established, the time range goes into effect immediately. If an object has no end time established, the time range lasts indefinitely.

Step 6

Click Add to create the object.

Edit an ASA Time Range Object

Use the following procedure to edit a time range object for an ASA device:

Procedure

Step 1	In the Security Cloud Control platform menu, choose Products > Firewall.
Step 2	In the left pane, click Manage > Objects.
Step 3	Filter the objects to find the object you want to edit and then select the object in the object table.
Step 4	In the details pane, click edit .
Step 5	Edit the values as needed and click Save.
Step 6	If the object is currently used by any policies, Security Cloud Control displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.
Step 7	If the object is used in a policy on a device, review and deploy now the changes you made, or wait and deploy multiple changes at once.

Network Address Translation

Each computer and device within an IP network is assigned a unique IP address that identifies the host. Because of a shortage of public IPv4 addresses, most of these IP addresses are private and not routable anywhere outside of the private company network. RFC 1918 defines the private IP addresses you can use internally that should not be advertised:

10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255

One of the main functions of Network Address Translation (NAT) is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. In this way, NAT conserves public addresses because it can be configured to advertise at a minimum only one public address for the entire network to the outside world.

Other functions of NAT include:

Security-Keeping internal IP addresses hidden discourages direct attacks.
IP routing solutions-Overlapping IP addresses are not a problem when you use NAT.
Flexibility-You can change internal IP addressing schemes without affecting the public addresses available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP address for Internet use, but internally, you can change the server address.
Translating between IPv4 and IPv6 (Routed mode only)-If you want to connect an IPv6 network to an IPv4 network, NAT lets you translate between the two types of addresses.

You can use Security Cloud Control to create NAT rules for many different use cases. Use the NAT rule wizard or these topics to create different NAT rules:

Order of Processing NAT Rules

Network Object NAT and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. The following table shows the order of rules within each section.

Table 12. NAT Rule Table
Table Section	Rule Type	Order of Rules within the Section
Section 1	Twice NAT (ASA) Manual NAT (FTD)	Applied on a first match basis, in the order they appear in the configuration. Because the first match is applied, you must ensure that specific rules come before more general rules, or the specific rules might not be applied as desired. By default, twice NAT rules are added to section 1.
Section 2	Network Object NAT (ASA) Auto NAT (FTD)	If a match in section 1 is not found, section 2 rules are applied in the following order: Static rules. Dynamic rules. Within each rule type, the following ordering guidelines are used: Quantity of real IP addressesâ€”From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, object "Arlington" is assessed before object "Detroit."
Section 3	Twice NAT (ASA) Manual NAT (FTD)	If a match is still not found, section 3 rules are applied on a first match basis, in the order they appear in the configuration. This section should contain your most general rules. You must also ensure that any specific rules in this section come before general rules that would otherwise apply.

For section 2 rules, for example, you have the following IP addresses defined within network objects:

192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object Detroit)
172.16.1.0/24 (dynamic) (object Arlington)

The resultant ordering would be:

192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object Arlington)
172.16.1.0/24 (dynamic) (object Detroit)
192.168.1.0/24 (dynamic)

Network Address Translation Wizard

The Network Address Translation (NAT) wizard helps you create NAT rules on your devices for these types of access:

Enable Internet Access for Internal Users. You may use this NAT rule to allow users on an internal network to reach the internet.
Expose an Internal Server to the Internet. You may use this NAT rule to allow people outside your network to reach an internal web or email server.

Prerequisites to "Enable Internet Access for Internal Users"

Before you create your NAT rule, gather this information:

The interface that is closest to your users; this is usually called the "inside" interface.
The interface closest to your Internet connection; this is usually called the "outside" interface.
If you want to allow only specific users to reach the internet, you need the subnet addresses for those users.

Prerequisites to "Expose an Internal Server to the Internet"

Before you create your NAT rule, gather this information:

The interface that is closest to your users; this is usually called the "inside" interface.
The interface closest to your Internet connection; this is usually called the "outside" interface.
The IP address of the server inside your network that you would like to translate to an internet-facing IP address.
The public IP address you want the server to use.

What to do Next

See Create a NAT Rule by using the NAT Wizard.

Create a NAT Rule by using the NAT Wizard

Before you begin

See Network Address Translation Wizard for the prerequisites needed to create NAT rules using the NAT wizard.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Use the filter (filter) and search (search) fields to find the device for which you want to create the NAT rule.
Step 5	In the Management area of the details panel, click NAT .
Step 6	Click > NAT Wizard.
Step 7	Respond to the NAT Wizard questions and follow the on-screen instructions. The NAT Wizard creates rules with Network Objects. Either select an existing object from the drop-down menu, or create a new object with the create button . Before you can save the NAT rule, all IP addresses need to be defined as network objects.
Step 8	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Common Use Cases for NAT

Twice NAT and Manual NAT

Here are some common tasks that can be achieved using "Network Object NAT", also known as "Auto NAT":

Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
Translate a Range of Private IP Addresses to a Range of Public IP Addresses

Network Object NAT and Auto NAT

Here is a common task that can be achieved using "Twice NAT", also know as "Manual NAT":

Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface

Enable a Server on the Inside Network to Reach the Internet Using a Public IP address

Use Case

Use this NAT strategy when you have a server with a private IP address that needs to be accessed from the internet and you have enough public IP addresses to NAT one public IP address to the private IP address. If you have a limited number of public IP addresses, see Make a server on the inside network available to users on a specific port of a public IP address (that solution may be more suitable).

Strategy

Your server has a static, private IP address, and users outside your network have to be able to reach your server. Create a network object NAT rule that translates the static private IP address to a static public IP address. After that, create an access policy that allows traffic from that public IP address to reach the private IP address. Finally, deploy these changes to your device.

Before you begin

Before you begin, create two network objects. Name one object servername_inside and the other object servername_outside. The servername_inside network object should contain the private IP address of your server. The servername_outside network object should contain the public IP address of your server.

See Create Network Objects for instructions.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click > Network Object NAT.
Step 7	In section 1, Type, select Static. Click Continue.
Step 8	In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
Step 9	In section 3, Packets, perform these actions: Expand the Original Address menu, click Choose, and select the servername_inside object. Expand the Translated Address menu, click Choose, and select the servername_outside object.
Step 10	Skip section 4, Advanced.
Step 11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
Step 12	Click Save.
Step 13	For ASA, deploy a Network Policy rule or for FDM-managed device, deploy an access control policy rule to allow the traffic to flow from servername_inside to servername_outside.
Step 14	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure.

Note

This does not apply to FDM-managed devices.

Objects created by this procedure:

object network servername_outside
host 209.165.1.29
object network servername_inside
host 10.1.2.29

NAT rules created by this procedure:

object network servername_inside
 nat (inside,outside) static servername_outside

Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address

Use Case

Allow users and computers in your private network to connect to the internet by sharing the public address of your outside interface.

Strategy

Create a port address translation (PAT) rule that allows all the users on your private network to share the outside interface public IP address of your device.

After the private address is mapped to the public address and port number, the device records that mapping. When incoming traffic bound for that public IP address and port is received, the device sends it back to the private IP address that requested it.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click Network Object NAT.
Step 7	In section 1, Type, select Dynamic. Click Continue.
Step 8	In section 2, Interfaces, choose any for the source interface and outside for the destination interface. Click Continue.
Step 9	In section 3, Packets, perform these actions : Expand the Original Address menu, click Choose and select the any-ipv4 or any-ipv6 object depending on your network configuration. Expand the Translated Address menu, and select interface from the available list. Interface indicates to use the public address of the outside interface.
Step 10	For an FDM-managed device, in section 5, Name, enter a name for the NAT rule.
Step 11	Click Save.
Step 12	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure.

Note

This does not apply to FDM-managed devices.

Objects created by this procedure:

object network any_network
subnet 0.0.0.0 0.0.0.0

NAT rules created by this procedure:

object network any_network
nat (any,outside) dynamic interface

Make a Server on the Inside Network Available on a Specific Port of a Public IP Address

Use Case

If you only have one public IP address, or a very limited number, you can create a network object NAT rule that translates inbound traffic, bound for a static IP address and port, to an internal address. We have provided procedures for specific cases, but you can use them as a model for other supported applications.

Prerequisites

Before you begin, create three separate network objects, one each for an FTP, HTTP, and SMTP server. For the sake of the following procedures, we call these objects ftp-server-object, http-server-object, and smtp-server-object.

See Create Network Objects for instructions.

NAT Incoming FTP Traffic to an FTP Server

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click > Network Object NAT.
Step 7	In section 1, Type, select Static. Click Continue.
Step 8	In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
Step 9	In section 3, Packets, perform these actions: Expand the Original Address menu, click Choose, and select the ftp-server-object. Expand the Translated Address menu, click Choose, and select the Interface. Check Use Port Translation. Select tcp, ftp, ftp.
Step 10	Skip section 4, Advanced.
Step 11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
Step 12	Click Save. The new rule is created in section 2 of the NAT table.
Step 13	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

Here is the entry that is created and appears in the ASA's saved configuration file as a result of this procedure.

Note

This does not apply to FDM-managed devices.

Object created by this procedure

object network ftp-object
host 10.1.2.27

NAT rule created by this procedure

object network ftp-object
nat (inside,outside) static interface service tcp ftp ftp

NAT Incoming HTTP Traffic to an HTTP Server

Before you begin

Before you begin, create a network object for the http server. For the sake of this procedure, we will call the object, http-object.

See Create Network Objects for instructions.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click > Network Object NAT.
Step 7	In section 1, Type, select Static. Click Continue.
Step 8	In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
Step 9	In section 3, Packets, perform these actions: Expand the Original Address menu, click Choose, and select the http-object. Expand the Translated Address menu, click Choose, and select the Interface. Check Use Port Translation. Select tcp, http, http.
Step 10	Skip section 4, Advanced.
Step 11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
Step 12	Click Save. The new rule is created in section 2 of the NAT table.
Step 13	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure.

Note

This does not apply to FDM-managed devices.

Object created by this procedure


object network http-object
host 10.1.2.28

NAT rule created by this procedure

object network http-object
nat (inside,outside) static interface service tcp www www

NAT Incoming SMTP Traffic to an SMTP Server

Before you begin

Before you begin, create a network object for the smtp server. For the sake of this procedure, we will call the object, smtp-object.

See Create Network Objects for instructions.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click > Network Object NAT.
Step 7	In section 1, Type, select Static. Click Continue.
Step 8	In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
Step 9	In section 3, Packets, perform these actions: Expand the Original Address menu, click Choose, and select the smtp-server-object. Expand the Translated Address menu, click Choose, and select the Interface. Check Use Port Translation. Select tcp, smtp, smtp.
Step 10	Skip section 4, Advanced.
Step 11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
Step 12	Click Save. The new rule is created in section 2 of the NAT table.
Step 13	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

Here are the entries that are created and appear in an ASA's saved configuration file as a result of this procedure.

Note

This does not apply to FDM-managed devices.

Object created by this procedure

object network smtp-object
host 10.1.2.29

NAT rule created by this procedure

object network smtp-object
nat (inside,outside) static interface service tcp smtp smtp

Translate a Range of Private IP Addresses to a Range of Public IP Addresses

Use Case

Use this approach if you have a group of specific device types, or user types, that need to have their IP addresses translated to a specific range so that the receiving devices (the devices on the other end of the transaction) allow the traffic in.

Translate a Pool of Inside Addresses to a Pool of Outside Addresses

Before you begin

Create a network object for the pool of private IP addresses you want to translate and create a network object for the pool of public addresses you want to translate those private IP addresses into.

For the ASA, the "original address" pool, (the pool of private IP addresses you want to translate) can be a network object with a range of addresses, a network object that defines a subnet, or a network group that includes all the addresses in the pool. For the FTD, the "original address" pool can be a network object that defines a subnet or a network group that includes all the addresses in the pool.

Note

For the ASA , the network group that defines the pool of "translated address" cannot be a network object that defines a subnet.

When creating these address pools, use Create or Edit ASA Network Objects and Network Groups for instructions.

For the sake of the following procedure, we named the pool of private addresses, inside_pool and name the pool of public addresses, outside_pool.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click > Network Object NAT.
Step 7	In section 1, Type, select Dynamic and click Continue.
Step 8	In section 2, Interfaces, set the source interface to inside and the destination interface to outside. Click Continue.
Step 9	In section 3, Packets, perform these tasks: For the Original Address, click Choose and then select the inside_pool network object (or network group) you made in the prerequisites section above. For the Translated Address, click Choose and then select the outside_pool network object (or network group) you made in the prerequisites section above.
Step 10	Skip section 4, Advanced.
Step 11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
Step 12	Click Save.
Step 13	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

These are the entries that would appear in an ASA's saved configuration file as a result of these procedures.

Note

This does not apply to FDM-managed devices.

Objects created by this procedure

object network outside_pool
    range 209.165.1.1 209.165.1.255
object network inside_pool
    range 10.1.1.1 10.1.1.255

NAT rules created by this procedure

object network inside_pool
nat (inside,outside) dynamic outside_pool

Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface

Use Case

Use this Twice NAT use case to enable site-to-site VPN.

Strategy

You are translating a pool of IP addresses to itself so that the IP addresses in one location on the network arrives unchanged in another.

Create a Twice NAT Rule

Before you begin

Create a network object or network group that defines the pool of IP addresses you are going to translate to itself. For the ASA, the range of addresses can be defined by a network object that uses an IP address range, a network object that defines a subnet, or a network group object that includes all the addresses in the range.

When creating the network objects or network groups, use Create or Edit ASA Network Objects and Network Groups for instructions.

For the sake of the following procedure, we are going call the network object or network group, Site-to-Site-PC-Pool.

Procedure

Step 1	In the left pane, click Manage > Security Devices.
Step 2	Click the Devices tab to locate the device or the Templates tab to locate the model device.
Step 3	Click the appropriate device type tab.
Step 4	Select the device you want to create the NAT rule for.
Step 5	Click NAT in the Management pane at the right.
Step 6	Click > Twice NAT..
Step 7	In section 1, Type, select Static. Click Continue.
Step 8	In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
Step 9	In section 3, Packets, make these changes: Expand the Original Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section. Expand the Translated Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section.
Step 10	Skip section 4, Advanced.
Step 11	For an FDM-managed device, in section 5, Name, give the NAT rule a name.
Step 12	Click Save.
Step 13	For an ASA, create a crypto map. See CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide and review the chapter on LAN-to-LAN IPsec VPNs for more information on creating a crypto map.
Step 14	Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

These are the entries that would appear in an ASA's saved configuration file as a result of these procedures.

Note

This does not apply to FDM-managed devices.

Objects created by this procedure

object network Site-to-Site-PC-Pool
range 10.10.2.0 10.10.2.255

NAT rules created by this procedure

nat (inside,outside) source static Site-to-Site-PC-Pool Site-to-Site-PC-Pool

Cisco Security Cloud Control Management: Secure Firewall ASA

Bias-Free Language

Results

Chapter: Configure Basic Settings

Configure Basic Settings

Security Cloud Control Licenses

Subscriptions

Software Subscription Support

Cloud-Delivered Firewall Management Center and Threat Defense Licenses

Cloud-delivered Firewall Management Center Evaluation License

Threat Defense Licenses for Cloud-Delivered Firewall Management Center

Security Cloud Control Platform Maintenance Schedule

Cloud-Delivered Firewall Management Center Maintenance Schedule

Introduction to Objects

Object Types

Shared Objects

Object Overrides

Unassociated Objects

Compare Objects

Procedure

Filters

Object Filters

Show System-Defined Objects Filter

Configure Object Filters

Procedure

When to Exclude a Device from Filter Criteria

Unignore Objects

Procedure

Deleting Objects

Delete a Single Object

Procedure

Delete a Group of Unused Objects

Procedure

Network Objects

Reusing Network Objects Across Products

Viewing Network Objects

Create or Edit ASA Network Objects and Network Groups

Create an ASA Network Object

Procedure

Create an ASA Network Group

Procedure

Edit an ASA Network Object

Procedure

Edit an ASA Network Group

Procedure

Add Additional Values to a Shared Network Group in Security Cloud Control

Procedure

Edit Additional Values in a Shared Network Group in Security Cloud Control

Procedure

Deleting Network Objects and Groups in Security Cloud Control

Trustpoint Objects

Adding an Identity Certificate Object Using PKCS12

Procedure

Create a Self-Signed Identity Certificate Object

Procedure

Add an Identity Certificate Object for Certificate Signing Request (CSR)

Procedure

Add a Trusted CA Certificate Object

Procedure

Self-Signed and CSR Certificate Generation Based on Certificate Contents

Usecase 1: Different CN and FQDN values

Usecase 2: FQDN field set to None

Usecase 3: No FQDN (Default FQDN)

Usecase 4: IP Address is specified in FQDN

Usecase 5: IP Address is Specified

Usecase 6: Serial Number Check box is Selected

Usecase 7: Email Address is Specified

RA VPN Objects

Service Objects

ASA Service Objects

Protocol Objects

ICMP Objects

Create and Edit ASA Service Objects

Procedure

Create an ASA Service Group

Procedure

Edit an ASA Service Object or Service Group

Procedure

ASA Time Range Objects

What is a Time Range Object?