- Preface
-
- Getting Started with Security Manager
- Preparing Devices for Management
- Managing the Device Inventory
- Managing Activities
- Managing Policies
- Managing Policy Objects
- Managing FlexConfigs
- Managing Deployment
- Troubleshooting Device Communication and Deployment
- Managing the Security Manager Server
- Configuring Security Manager Administrative Settings
-
- Introduction to Firewall Services
- Managing Identity-Aware Firewall Policies
- Managing TrustSec Firewall Policies
- Managing Firewall AAA Rules
- Managing Firewall Access Rules
- Managing Firewall Inspection Rules
- Managing Firewall Web Filter Rules
- Managing Firewall Botnet Traffic Filter Rules
- Working with ScanSafe Web Security
- Managing Zone-based Firewall Rules
- Managing Transparent Firewall Rules
- Configuring Network Address Translation
-
- Managing Site-to-Site VPNs: The Basics
- Configuring IKE and IPsec Policies
- GRE and DM VPNs
- Easy VPN
- Group Encrypted Transport (GET) VPNs
- Managing Remote Access VPNs: The Basics
- Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
- Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
- Managing Remote Access VPNs on IOS and PIX 6.3 Devices
- Configuring Policy Objects for Remote Access VPNs
- Using Map View
-
- Getting Started with IPS Configuration
- Managing IPS Device Interfaces
- Configuring Virtual Sensors
- Defining IPS Signatures
- Configuring Event Action Rules
- Managing IPS Anomaly Detection
- Configuring Global Correlation
- Configuring Attack Response Controller for Blocking and Rate Limiting
- Managing IPS Sensors
- Configuring IOS IPS Routers
-
- Managing Firewall Devices
- Configuring Bridging Policies on Firewall Devices
- Configuring Device Administration Policies on Firewall Devices
- Configuring Device Access Settings on Firewall Devices
- Configuring Failover
- Configuring Hostname, Resources, User Accounts, and SLAs
- Configuring Server Access Settings on Firewall Devices
- Configuring Logging Policies on Firewall Devices
- Configuring Multicast Policies on Firewall Devices
- Configuring Routing Policies on Firewall Devices
- Configuring Security Policies on Firewall Devices
- Configuring Service Policy Rules on Firewall Devices
- Configuring Security Contexts on Firewall Devices
- Index
Configuring Device Access Settings on Firewall Devices
The Device Access section, located under the Device Admin folder in the Policy selector, contains pages for defining access to firewall devices.
Configuring Console Timeout
Use the Console page to specify a timeout value for inactive console sessions. When the time limit you specify is reached, the console session is closed.
In the Console Timeout field, enter the number of minutes a console session can remain idle before the device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.
HTTP Page
Use the table on the HTTP page to manage the interfaces configured to access the HTTP server on a device, as well as HTTP redirect to HTTPS on those interfaces. You also can enable or disable the HTTP server on the device from this page. Administrative access by the specific device manager requires HTTPS access.
Note
To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to port 80, or to any other port that you configure for HTTP.
- (Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
|
|
|
|---|---|
Use the Add Row, Edit Row, and Delete Row buttons below this table to manage device interfaces on which HTTP-to-HTTPS redirect is configured. Add Row and Edit Row open the HTTP Configuration Dialog Box. |
|
Enables or disables the HTTP server on the device. When enabled, you can specify a communications Port for the server. The Port range is 1 to 65535; the default is 443. |
HTTP Configuration Dialog Box
Use the HTTP Configuration dialog box to add or edit a host or network that will be allowed to access the HTTP server on the device via a specific interface; you also can enable and disable HTTP redirect.
You can access the HTTP Configuration dialog box from the HTTP Page.
Configuring ICMP
Use the table on the ICMP page to manage Internet Control Message Protocol (ICMP) rules, which specify the addresses of all hosts or networks that are allowed or denied ICMP access to specific interfaces on the security device.
The ICMP rules control ICMP traffic that terminates on any device interface. If no ICMP control list is configured, the device accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the device does not respond to ICMP echo requests directed to a broadcast address.
It is recommended that permission is always granted for the ICMP Unreachable message (type 3). Denying ICMP Unreachable messages disables ICMP Path MTU discovery, which can halt IPsec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
If an ICMP control list is configured, the device uses a first match to the ICMP traffic, followed by an implicit deny all. That is, if the first matched entry is a permit entry, the processing of the ICMP packet continues. If the first matched entry is a deny entry, or an entry is not matched, the device discards the ICMP packet and generates a syslog message. If an ICMP control list is not configured, a permit rule is assumed in all cases.
- (Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
|
|
|
|---|---|
Use the Add Row, Edit Row, and Delete Row buttons below this table to manage ICMP rules. Add Row opens the Add ICMP dialog box, while Edit Row opens the Edit ICMP dialog box. See Add and Edit ICMP Dialog Boxes for information about these dialog boxes. |
|
|
|
|
For ICMP traffic that terminates at an interface on this device, the maximum number of ICMP Unreachable messages the device can transmit per second. This value can be between 1 and 100 messages per second; the default is 1 message per second. |
|
The burst size for ICMP Unreachable messages; this can be a value between 1 and 10. Note This parameter is not currently used by the system, so you can choose any value. |
|
Add and Edit ICMP Dialog Boxes
Use the Add ICMP dialog box to add an ICMP rule, which specifies a host/network that is allowed or denied the specified ICMP access on the specified device interface.
Note The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.
You can access the Add or Edit ICMP dialog boxes from the Configuring ICMP.
Configuring Management Access
Use the Management Access page to enable or disable access on a high-security interface so you can perform management functions on the device. You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time.
- (Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Enabling and Disabling Management Access
In the Management Access Interface field, enter the name of the device interface that is to permit management access connections. You can click Select to select the interface from a list of interface objects.
You can enable the Management Access feature on only one interface at a time.
Clear the Management Access Interface field to disable management access.
Configuring Secure Shell Access
Use the Secure Shell page to configure rules that permit administrative access to a security device using the SSH protocol. The rules restrict SSH access to a specific IP address and netmask. Any SSH connection attempts that comply with these rules must then be authenticated by an AAA server or Telnet password.
- (Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
|
|
|
|---|---|
Specify the SSH version(s) accepted by the device: choose 1, 2, or 1 and 2. By default, SSH Version 1 and SSH Version 2 connections are accepted. |
|
Enter the number of minutes, 1 to 60, the Secure Shell session can remain idle before the device closes it. The default value is 5 minutes. |
|
Use the Add Row, Edit Row, and Delete Row buttons below this table to manage the hosts allowed to connect to the security device via SSH. Add Row opens the Add Host dialog box, while Edit Row opens the Edit Host dialog box. See Add and Edit SSH Host Dialog Boxes for information about these dialog boxes. |
|
Check this box to enable the secure copy (SCP) server on the security appliance. This allows the appliance to function as an SCP server for transferring files from/to the device. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection. This implementation of the secure copy server has the following limitations:
|
Add and Edit SSH Host Dialog Boxes
Use the Add Host dialog box to add an SSH access rule.
Note The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.
You can access the Add and Edit Host dialog boxes from the Configuring Secure Shell Access.
Configuring SNMP
Simple Network Management Protocol (SNMP) defines a standard way for network management stations running on PCs or workstations to monitor the health and status of many types of devices, including switches, routers and security appliances. You can use the SNMP page to configure a firewall device for monitoring by SNMP management stations.
The Simple Network Management Protocol (SNMP) enables monitoring of network devices from a central location. Cisco security appliances support network monitoring using SNMP versions 1 and 2c, as well as traps and SNMP read access; SNMP write access is not supported.
You can configure a security appliance to send “traps” (event notifications) to a network management station (NMS), or you can use the NMS to browse the management information bases (MIBs) on the security appliance. Use CiscoWorks for Windows or any other SNMP MIB-II-compliant browser to receive SNMP traps and browse a MIB.
The security appliance has an SNMP agent that notifies designated management stations if specified events occur, for example, when a link in the network goes up or down. The notification includes an SNMP system object ID (OID), identifying the device to the management stations. The security appliance SNMP agent also replies when a management station asks for information.
An SNMP trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in Management Information Bases (MIBs), which can be either standard or enterprise-specific.
Standard traps and MIBs are created by the Internet Engineering Task Force (IETF) and documented in various RFCs. Standard traps are compiled into the security appliance software. If needed, you can also download RFCs, standard MIBS, and standard traps from the IETF website: http://www.ietf.org/.
For Cisco MIB files and OIDs, refer to: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. OIDs may be downloaded from this FTP site: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.
This section contains the following topics:
SNMP Terminology
Here are definitions for some common SNMP terms:
- Agent – The SNMP server running on the security appliance. The agent responds to requests for information and action from the management station. The agent also controls access to its management information base (MIB), the collection of data objects that can be viewed or changed by the SNMP manager.
- Management stations – The PCs or workstations set up to monitor SNMP events and manage devices such as the security appliance. Management stations can also receive messages about events which require attention, such as hardware failures.
- MIBs – The agent maintains standardized data structures called Management Information Bases (MIBs), used to collect information, such as packet, connection and error counters, and buffer usage and failover status. A number of MIBs are defined for specific products, and for the common protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs, or request only specific fields. In some applications, MIB data can be modified for administrative purposes.
- OID – The SNMP standard assigns a system object ID (OID) so that a management station can uniquely identify network devices with SNMP agents, and indicate to users the source of information monitored and displayed.
- Traps – Specified events that generate a message from the SNMP agent to the management station. Events include alarm conditions such as linkup, linkdown, coldstart, authentication, or syslog events.
SNMP Page
Use the SNMP page to configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.
- (Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
|
|
|
|---|---|
When this option is selected, the security device provides SNMP information on the specified interface(s). You can deselect this option to disable SNMP monitoring while retaining the configuration information. |
|
Enter the password used by a SNMP management station when sending requests to this device. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The security device uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive alphanumeric string of up to 32 characters; spaces are not permitted. Repeat the password in the Confirm field to ensure it was entered correctly. |
|
Enter the name of the device administrator or other contact person. This string is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. |
|
Describe the location of this security device (for example, Building 42, Sector 54). This string is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. |
|
Specify the port on which incoming requests will be accepted. The default is 161. |
|
Click this button to configure SNMP traps in the SNMP Trap Configuration Dialog Box. |
|
This table lists the SNMP management stations that can access the security appliance. This is a standard Security Manager table, with Add Row, Edit Row and Delete Row buttons, as described in Using Tables. The Add Row and Edit Row buttons open the Add SNMP Host Access Entry Dialog Box, used to add and edit management station host entries. |
SNMP Trap Configuration Dialog Box
Use the SNMP Trap Configuration dialog box to configure SNMP traps (event notifications) for the selected security device.
Traps are different than browsing; they are unsolicited “comments” from the managed device to the management station for certain events, such as linkup, linkdown, and syslog event generated.
An SNMP object ID (OID) for the device appears in SNMP event traps sent from the device. The SNMP service running on a security device performs two functions:
- Replies to SNMP requests from management stations.
- Sends traps to management stations or other devices that are registered to receive them from the security appliance.
Cisco security devices support three types of traps:
In the SNMP Trap Configuration dialog box, available traps are presented on four tabbed panels: Standard, Entity MIB, Resource, and Other.
You can access the SNMP Trap Configuration dialog box from the SNMP Page.
|
|
|
|---|---|
Check this box to quickly select all traps on all four tabbed panels. |
|
Check this box to enable transmission of trap-related syslog messages. The severity level for syslog messages trapped is set on the Logging Filters Page. |
|
| Select the desired event-notification traps on the following four tabbed panels. Note that only the traps applicable to the selected device are displayed in the dialog box. |
|
|
|
|
|
|
|
Percentage – Enter the desired upper limit of CPU resource usage as a percentage of total available. Value values range from 10 to 94; default is 70%. Period – Specify the length of time, in minutes, that the specified Percentage can be exceeded before notification is triggered. Value values range from 1 to 60.
Percentage – Enter the desired upper limit on interface usage as a percentage of total available bandwidth. Value values range from 30 to 99; default is 70%. |
|
Add SNMP Host Access Entry Dialog Box
Use the Add SNMP Host Access Entry dialog box to add and edit entries in the SNMP Hosts table on the SNMP page. These entries represent SNMP management stations allowed to access the security device.
You can access the Add SNMP Host Access Entry dialog box from the SNMP Page.
Telnet Page
Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.
The rules restrict administrative Telnet access through a firewall device interface to a specific IP address and netmask. Connection attempts that comply with the rules must then be authenticated by a preconfigured AAA server or the Telnet password. You can monitor Telnet sessions using Monitoring > Telnet Sessions.
Note Only five Telnet sessions can be active at the same time in single-context mode. In multiple-context mode on ASAs, there can be only five Telnet sessions active per context, 100 Telnet sessions active per blade. With resource class, the administrator can further tune this parameter.
- (Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.
Telnet Configuration Dialog Box
Use the Telnet Configuration dialog box to configure Telnet options for an interface.
You can access the Telnet Configuration dialog box from the Telnet Page.
Feedback