Configuring Multicast Policies on Firewall Devices
The Multicast section contains pages for defining IP multicast routing on security devices. Multicast routing is supported in single-context, routed mode only.
Enabling multicast routing enables IGMP and PIM on all interfaces by default. Internet Group Management Protocol (IGMP) is used to learn whether members of a group are present on directly attached subnets. Hosts join multicast groups by sending IGMP report messages. Protocol Independent Multicast (PIM) is used to maintain forwarding tables for multicast datagrams.

Note: Only the UDP transport layer is supported for multicast routing.
Enabling PIM and IGMP
The Enable PIM and IGMP page lets you enable or disable Internet Group Management Protocol (IGMP) and Protocol Independent Multicast (PIM) on all interfaces on the security appliance. IGMP is used to learn whether members of a group are present on directly attached subnets. Hosts join multicast groups by sending IGMP report messages. PIM is used to maintain forwarding tables to forward multicast datagrams.
When Enable PIM and IGMP is checked on this page, PIM and IGMP are enabled on all interfaces on the security appliance. Deselect the option to disable PIM and IGMP on all interfaces.

Note: You can disable PIM and IGMP on a per-interface basis; see IGMP Page - Protocol Tab and PIM Page - Protocol Tab for more information.
Configuring IGMP
Internet Protocol hosts use IGMP to report their group memberships to directly connected multicast routers. Internet Group Management Protocol (IGMP) uses group-address (Class D) IP addresses.
Host group addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet.
The IGMP page provides four tabbed panels, used to configure and manage IGMP in Security Manager:
- IGMP Page - Protocol Tab – This panel displays interface-specific IGMP parameters; you can disable IGMP and change IGMP parameters.
- IGMP Page - Access Group Tab – Lets you manage access groups that restrict the multicast sources allowed on an interface.
- IGMP Page - Static Group Tab – Sometimes, hosts on a network may have a configuration that prevents them from answering IGMP queries; however, you still want multicast traffic to be forwarded to that network segment. There are two methods to pull multicast traffic down to a network segment:
  - Use the Join Group tab to configure the interface as a member of the multicast group. With this method, the security appliance accepts the multicast packets in addition to forwarding them to the specified interface.
  - Use the Static Group tab to configure the security appliance to be a statically connected member of a group. With this method, the security appliance does not accept the packets itself, but only forwards them. Therefore, this method allows fast switching. The outgoing interface appears in the IGMP cache, but itself is not a member of the multicast group.
  Use this tab to statically assign a multicast group to an interface, or change existing static group assignments.
- IGMP Page - Join Group Tab – Use this tab to manage the multicast groups to which the security appliance belongs.

Note: If you simply want to forward multicast packets for a specific group to an interface without the security appliance accepting those packets as part of the group, see IGMP Page - Static Group Tab.
To open the IGMP page:
- (Device view) Select Platform > Multicast > IGMP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Multicast > IGMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
IGMP Page - Protocol Tab
Use the Protocol tab to configure IGMP parameters for an interface on the security appliance.
You can access the Protocol tab from the IGMP page. For more information about the IGMP page, see Configuring IGMP.
Related topics:
- Configure IGMP Parameters Dialog Box
- Enabling PIM and IGMP
- Configuring PIM
- Configuring Multicast Routes
Configure IGMP Parameters Dialog Box
Use the Configure IGMP Parameters dialog box to configure IGMP parameters for an interface on the security appliance.
You can access the Configure IGMP Parameters dialog box from the IGMP Page - Protocol tab. For more information, see IGMP Page - Protocol Tab.
IGMP Page - Access Group Tab
Use the Access Group tab to control the multicast groups that are allowed on an interface.
The table on this page lists all currently defined multicast access groups, showing for each, the name of the interface or interface role for which the group is defined, the group network(s), and whether this group is permitted or denied. For a detailed explanation of these fields, see Configure IGMP Access Group Parameters Dialog Box.
- To add a multicast access group to the table, click the Add Row button.
- To edit the settings for a group, select it and click the Edit Row button.
- To delete a group, select it and click the Delete Row button.
You can access the Access Group tab from the IGMP page. For more information about the IGMP page, see Configuring IGMP.
Configure IGMP Access Group Parameters Dialog Box
Use the Configure IGMP Access Group Parameters dialog box to add or modify an access group entry.
You can access the Configure IGMP Access Group Parameters dialog box from the IGMP Page - Access Group Tab.
IGMP Page - Static Group Tab
Use the Static Group tab to statically assign a multicast group to an interface.
You can access the Static Group tab from the IGMP page. For more information about the IGMP page, see Configuring IGMP.
Field descriptions:
- The name of the interface with which the static group is associated.
Configure IGMP Static Group Parameters Dialog Box
Use the Configure IGMP Static Group Parameters dialog box to statically assign a multicast group to an interface or to change existing static group assignments.
You can access the Configure IGMP Static Group Parameters dialog box from the IGMP Page - Static Group tab. For more information, see IGMP Page - Static Group Tab.
IGMP Page - Join Group Tab
Use the Join Group tab to configure an interface to be a member of a multicast group.
You can access the Join Group tab from the IGMP page. For more information about the IGMP page, see Configuring IGMP.
Field descriptions:
- The name of the interface for which you are configuring multicast group membership.
Configure IGMP Join Group Parameters Dialog Box
Use the Configure IGMP Join Group Parameters dialog box to configure an interface to be a member of a multicast group or to change existing membership information.
You can access the Configure IGMP Join Group Parameters dialog box from the IGMP Page - Join Group tab. For more information, see IGMP Page - Join Group Tab.
Configuring Multicast Routes
Static multicast routes let you separate multicast traffic from unicast traffic. For example, when a path between a source and destination does not support multicast routing, the solution is to configure two multicast devices with a GRE tunnel between them, sending the multicast packets over the tunnel.
Static multicast routes are local to the security appliance and are not advertised or redistributed.
Use the Multicast Routes page to manage static multicast routes—currently defined routes are listed, and you can add, edit and delete static multicast routes.
See Add/Edit MRoute Configuration Dialog Box for more information about the fields displayed in the table on this page.
To open the Multicast Routes page:
- (Device view) Select Platform > Multicast > Multicast Routes from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Routes from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Related topics:
- Chapter 53, “Configuring Multicast Policies on Firewall Devices”
- Enabling PIM and IGMP
- Configuring IGMP
- Configuring PIM
Add/Edit MRoute Configuration Dialog Box
Use the Add/Edit MRoute Configuration dialog box to add a static multicast route to the security appliance, or to change an existing route.
You can access the Add/Edit MRoute Configuration dialog box from the Multicast Routing page. See Configuring Multicast Routes for more information.
Configuring Multicast Boundary Filters
On an ASA running version 7.2(1) or later, you can use the Multicast Boundary Filter page to configure the appliance to act as a boundary between multicast domains. The ASA compares multicast group addresses to an access list, blocking all multicast traffic except that specifically permitted by the list.
The Multicast Boundary Filter page lists all currently defined per-interface boundary filter lists; you can add, edit and delete filter lists from this page.
Refer to Add/Edit MBoundary Configuration Dialog Box for a description of the fields on this page.
To open the Multicast Boundary Filter page:
- (Device view) Select Platform > Multicast > Multicast Boundary Filter from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast Boundary Filter from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Add/Edit MBoundary Configuration Dialog Box
Use the Add/Edit MBoundary Configuration dialog box to add, edit and delete multicast boundary filter lists for individual interfaces.
You can access the Add/Edit MBoundary Configuration dialog box from the Multicast Boundary Filter page. For more information, see Configuring Multicast Boundary Filters.
Field descriptions:
- If you check this box, Auto-RP messages denied by the boundary access control list for this interface are dropped. This is referred to as AutoFiltering.
- Lists the multicast group addresses specifically permitted or denied for the specified interface. This list is managed with the Add/Edit MBoundary Interface Configuration Dialog Box (click Add Row or Edit Row).
Add/Edit MBoundary Interface Configuration Dialog Box
Use this dialog box to define permit or deny multicast group entries for the list in the Add/Edit MBoundary Configuration dialog box.
You can access the Add/Edit MBoundary Interface Configuration dialog box from the Add/Edit MBoundary Configuration Dialog Box.
Configuring PIM
Protocol independent multicast (PIM) provides a scalable method for determining the best paths in a network for distributing a specific multicast transmission to each host that has registered using IGMP to receive the transmission. Routers and security devices use PIM to maintain tables for forwarding multicast datagrams.
With PIM sparse mode (PIM SM), which is the default for Cisco routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded from one multicast router to the next until the packets reach every registered host. If a more direct path to the traffic source exists, the last-hop router sends a join message to the source that causes the traffic to be rerouted along the better path.

Note: PIM is not supported with PAT—the PIM protocol does not use ports and PAT only works with protocols that use ports.
When you enable multicast routing on a security appliance, PIM and IGMP are enabled on all interfaces by default. You can disable PIM on a per-interface basis.
The PIM page provides up to six tabbed panels:
- PIM Page - Protocol Tab – Lets you manage interface-specific PIM properties.
- PIM Page - Neighbor Filter Tab – Lets you manage neighbor filters for individual interfaces; available only on ASA 7.2(1)+ devices.
- PIM Page - Bidirectional Neighbor Filter Tab – Lets you manage bidirectional neighbor filters for individual interfaces; available only on ASA 7.2(1)+ devices.
- PIM Page - Rendezvous Points Tab – When you configure PIM, you must choose one or more devices to operate as the rendezvous point (RP). An RP is a single, common root of a shared distribution tree and is statically configured on each device. First-hop routers use the RP to send registration packets on behalf of the source multicast hosts.
- PIM Page - Route Tree Tab – By default, PIM leaf routers join the shortest-path tree immediately after the first packet arrives from a new source. This reduces delay, but requires more memory than a shared tree. You can configure whether the security appliance should join the shortest-path tree or use a shared tree, either for all multicast groups or only for specific multicast addresses.
- PIM Page - Request Filter Tab – When the security appliance is acting as an RP, you can restrict specific multicast sources from registering. This prevents unauthorized sources from registering with the RP. The Request Filter panel lets you define the multicast sources from which the security appliance will accept PIM registration messages.
PIM Page - Protocol Tab
Use the Protocol tab to configure PIM properties for the interfaces on a security appliance (not available on PIX 6.3 devices). All currently configured interfaces are listed; you can add, edit and delete entries on this panel.
Refer to Add/Edit PIM Protocol Dialog Box for a description of the fields on this panel.
You access the Protocol tab from the PIM page. For more information, see Configuring PIM.
Add/Edit PIM Protocol Dialog Box
Use the Add/Edit PIM Protocol dialog box to configure PIM properties for an interface on a security appliance running PIX 7.x or later.
The designated router (DR) is responsible for sending PIM register, join, and prune messages to the rendezvous point (RP). When there is more than one multicast routing device on a network segment, there is an election process to select the DR based on DR priority. If multiple devices have the same DR priority, then the device with the highest IP address becomes the DR. By default, security appliances have a DR priority of 1.
You can access the Add/Edit PIM Protocol dialog box from the PIM Page - Protocol Tab.
PIM Page - Neighbor Filter Tab
A PIM neighbor filter is an access control list (ACL) that defines the neighbor devices that can participate in PIM. If a neighbor filter is not configured for an interface, then there are no restrictions. If a PIM neighbor filter is configured, only those neighbors permitted by the filter list can participate in PIM with the security appliance.
On an ASA running version 7.2(1) or later, you can use the Neighbor Filter tab to control the devices that can become PIM neighbors. This panel is used to define and manage the per-interface neighbor filter list. Refer to Add/Edit PIM Neighbor Filter Dialog Box for a description of the fields on this panel.
You access the Neighbor Filter tab from the PIM page. For more information, see Configuring PIM.
Add/Edit PIM Neighbor Filter Dialog Box
Use the Add/Edit PIM Neighbor Filter dialog box to add and edit entries in the PIM neighbor filter ACL displayed on the Neighbor Filter panel of the PIM page.
You can access the Add/Edit PIM Neighbor Filter dialog box from the PIM Page - Neighbor Filter Tab.
PIM Page - Bidirectional Neighbor Filter Tab
A PIM bidirectional neighbor filter is an access control list (ACL) that defines the neighbor devices that can participate in the bidirectional trees and designated forwarder (DF) election. If a PIM bidirectional neighbor filter is not configured for an interface, then there are no restrictions. If a PIM bidirectional neighbor filter is configured, only those neighbors permitted by the ACL can participate in DF election process.
The PIM bidirectional neighbor filters enable the transition from a sparse-mode-only network to a “bidir” network by letting you specify the devices that should participate in DF election, while still allowing all devices to participate in the sparse-mode domain. The bidir-enabled devices can elect a DF from among themselves, even when there are non-bidir devices on the segment. Multicast boundaries on the non-bidir devices prevent PIM messages and data from the bidir groups from leaking in or out of the bidir subset cloud.
Bidirectional PIM allows multicast devices to maintain reduced state information. All of the multicast devices in a segment must be bidirectionally enabled for bidir to elect a DF.
When a PIM bidirectional neighbor filter is enabled, the routers and other devices that are permitted by the ACL are considered to be bidir-capable. Therefore:
- If a permitted neighbor does not support bidir, the DF election does not occur.
- If a denied neighbor supports bidir, then DF election does not occur.
- If a denied neighbor does not support bidir, the DF election can occur.
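The DR election rule from the Add/Edit PIM Protocol dialog box (highest DR priority, then highest IP address) and the three bidirectional neighbor filter outcomes listed above, as an added Python example that is not part of Security Manager or the security appliance software. The PimNeighbor data, the addresses and the permitted networks are constructed for the illustration; the "at least one bidir-capable neighbor" condition in df_election_occurs is an assumption, not a rule stated on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class PimNeighbor:
    """A PIM neighbor seen on one segment (constructed data, not device output)."""
    address: str
    dr_priority: int = 1          # security appliances default to DR priority 1
    bidir_capable: bool = False   # whether the device advertises bidir support


def elect_dr(neighbors: List[PimNeighbor]) -> PimNeighbor:
    """Designated Router election: the highest DR priority wins, and a tie on
    priority goes to the device with the highest IP address."""
    if not neighbors:
        raise ValueError("no PIM neighbors on the segment")
    return max(
        neighbors,
        key=lambda n: (n.dr_priority, int(ipaddress.ip_address(n.address))),
    )


def df_election_occurs(neighbors: List[PimNeighbor],
                       permitted: List[ipaddress.IPv4Network]) -> bool:
    """Bidirectional neighbor filter outcome, following the rules on the page.

    `permitted` is the set of networks the bidir neighbor filter ACL permits.
    A permitted neighbor is treated as bidir-capable, so a permitted neighbor
    that is not bidir-capable blocks the election; a denied neighbor that does
    support bidir also blocks it; a denied non-bidir neighbor is ignored.
    Assumption: at least one bidir-capable permitted neighbor must exist.
    """
    for n in neighbors:
        addr = ipaddress.ip_address(n.address)
        is_permitted = any(addr in net for net in permitted)
        if is_permitted != n.bidir_capable:
            return False
    return any(n.bidir_capable for n in neighbors)


# Constructed segment: the appliance (.1), a bidir router (.20) and a legacy
# sparse-mode-only router (.30) that was given a higher DR priority.
SEGMENT = [
    PimNeighbor("10.1.1.1", dr_priority=1, bidir_capable=True),
    PimNeighbor("10.1.1.20", dr_priority=1, bidir_capable=True),
    PimNeighbor("10.1.1.30", dr_priority=10, bidir_capable=False),
]

if __name__ == "__main__":
    print(elect_dr(SEGMENT).address)         # 10.1.1.30 (priority 10 wins)
    print(elect_dr(SEGMENT[:2]).address)     # 10.1.1.20 (tie, higher address)
    bidir_only = [ipaddress.ip_network("10.1.1.1/32"),
                  ipaddress.ip_network("10.1.1.20/32")]
    print(df_election_occurs(SEGMENT, bidir_only))                          # True
    print(df_election_occurs(SEGMENT, [ipaddress.ip_network("10.1.1.0/27")]))  # False
    print(df_election_occurs(SEGMENT, [ipaddress.ip_network("10.1.1.0/28")]))  # False
```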
Managing the Bidirectional Neighbor Filter List
On an ASA running version 7.2(1) or later, you can use this panel to define and manage the per-interface bidirectional neighbor filter list, permitting or denying multicast source addresses for specific interfaces. Refer to Add/Edit PIM Bidirectional Neighbor Filter Dialog Box for a description of the fields on this panel.
You access the Bidirectional Neighbor Filter tab from the PIM page. For more information, see Configuring PIM.
Add/Edit PIM Bidirectional Neighbor Filter Dialog Box
Use the Add/Edit PIM Bidirectional Neighbor Filter dialog box to add or edit an entry in the bidirectional neighbor access control list displayed on the PIM Page - Bidirectional Neighbor Filter Tab.
You can access the Add/Edit PIM Bidirectional Neighbor Filter dialog box from the PIM Page - Bidirectional Neighbor Filter Tab.
PIM Page - Rendezvous Points Tab
When you configure PIM, you must choose one or more routers or routing devices to operate as the RP. An RP is a single, common root of a shared distribution tree and is statically configured on each device. First hop routers use the RP to send register packets on behalf of the source multicast hosts.
You can configure a single RP to serve more than one group. If a specific group is not specified, the RP for the group is applied to the entire IP multicast group range (224.0.0.0/4).
Use the Rendezvous Points panel to define rendezvous points. You can configure more than one RP, but you cannot have more than one entry with the same RP.
You access the Rendezvous Points tab from the PIM page. For more information, see Configuring PIM.
Field descriptions:
- Check this box if your rendezvous point is a Cisco IOS router. The security appliance software accepts register messages with the checksum calculated on the PIM header and only the next 4 bytes, while Cisco IOS software accepts register messages with the checksum calculated on the entire PIM message for all PIM message types.
- Lists the rendezvous points currently configured on the security appliance. Use the Add Row, Edit Row and Delete Row buttons to manage this list; the Add Row and Edit Row buttons open the Add/Edit Rendezvous Point Dialog Box.
Add/Edit Rendezvous Point Dialog Box
Use the Add/Edit Rendezvous Point dialog box to add an entry to the Rendezvous Points table, or to edit an existing rendezvous point entry. Please note the following:
- You cannot use the same rendezvous point address twice.
- You cannot specify “All Groups” for more than one rendezvous point.
You can access the Add/Edit Rendezvous Point dialog box from the PIM Page - Rendezvous Points Tab.
Field descriptions:
- Enter the IP address of the rendezvous point. This is a unicast address. You also can click Select to select a Networks/Hosts object. When editing a rendezvous point entry, you cannot change this value.
- Check this box if you want the specified Multicast Groups to operate in bidirectional mode. In bidirectional mode, if the security appliance receives a multicast packet and has no directly connected members or PIM neighbors present, it sends a Prune message back to the source. Deselect this option if you want the specified Multicast Groups to operate in Sparse Mode. Note: The security appliance always advertises bidirectional capability in PIM hello messages regardless of the actual bidir configuration.
- Select this option to use the specified Rendezvous Point for all multicast groups on the interface.
- Select this option to define the multicast groups that are to use the specified Rendezvous Point; the Multicast Groups table is activated.
- The multicast groups currently associated with the specified Rendezvous Point are listed. Table entries are processed from the top down. For example, you can create an entry that includes a range of multicast groups, and then exclude specific groups within that range by placing deny rules for those specific groups at the top of the table. That is, the permit rule for the range of multicast groups follows the individual deny statements. Use the buttons at the bottom of the table to open the Add/Edit Multicast Group Rules Dialog Box to add or edit an entry; to delete an entry; and to move entries up or down in the table.
Add/Edit Multicast Group Rules Dialog Box
Use the Add/Edit Multicast Group Rules dialog box to create a multicast group rule, or modify a multicast group rule, for the Multicast Groups table in the Add/Edit Rendezvous Point dialog box. This dialog box is also used to specify individual multicast groups that use Shared Tree route filtering on the Route Tree tab.
When defining Rendezvous Points, you access the Add/Edit Multicast Group Rules dialog box from the Add/Edit Rendezvous Point Dialog Box. See PIM Page - Rendezvous Points Tab for more information.
When specifying how PIM register messages are filtered, you open this dialog box by clicking the Add Row or Edit Row buttons below the Multicast Groups table on the PIM Page - Route Tree Tab.
PIM Page - Route Tree Tab
If the security appliance is acting as a Rendezvous Point, use the Route Tree tab to specify how the PIM register messages from various sources are filtered: shortest-path tree or shared tree, either for all multicast groups or only for specific multicast addresses.
You can access the Route Tree tab from the PIM page. For more information, see Configuring PIM.
Field descriptions:
- If.., specify how the PIM register messages from various sources are filtered.
- The multicast groups using Shared Tree are listed. Table entries are processed from the top down. For example, you can create an entry that includes a range of multicast groups, and then exclude specific groups within that range by placing deny rules for those specific groups at the top of the table. That is, the permit rule for the range of multicast groups follows the individual deny statements. Use the buttons at the bottom of the table to open the Add/Edit Multicast Group Rules Dialog Box to add or edit an entry; to delete an entry; and to move entries up or down in the table.
PIM Page - Request Filter Tab
When the security appliance acts as a rendezvous point, you can restrict specific multicast sources from registering with it. This prevents unauthorized sources from registering with the rendezvous point. You can use the Request Filter tab to define the multicast sources from which the security appliance accepts and denies PIM register messages.
You can access the Request Filter tab from the PIM page. For more information, see Configuring PIM.
Field descriptions:
- Choose how PIM register messages are filtered for different multicast groups.
- When route-map is the chosen filter, enter a route-map name. Use standard host ACLs in the referenced route map; extended ACLs are not supported. Note: This field contains only the Route Map name. The Route Map is created and contained within a FlexConfig; see Chapter 7, “Managing FlexConfigs” for more information.
- Lists the currently defined multicast group Request Filter rules. Table entries are processed from the top down. For example, you can create an entry that includes a range of multicast groups, and then exclude specific groups within that range by placing deny rules for those specific groups at the top of the table. That is, the permit rule for the range of multicast groups follows the individual deny statements. Use the buttons at the bottom of the table to open the Add/Edit Multicast Group Rules Dialog Box to add or edit an entry; to delete an entry; and to move entries up or down in the table.
Add/Edit Multicast Group Rules Dialog Box
Use the Add/Edit Multicast Group Rules dialog box to define the multicast sources that are denied or permitted to register with the security appliance when the appliance acts as a rendezvous point. You create the filter rules based on the source IP address and the destination multicast address.
You can access the Add/Edit Multicast Group Rules dialog box from the PIM Page - Request Filter Tab.
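The top-down processing that the Multicast Groups tables, the Request Filter rules and the boundary filter's group access list all rely on can be checked with the following Python example, added here and not part of Security Manager or the security appliance software. It evaluates a permit/deny table with first-match semantics, treats a group that matches no row as denied, and reports rows that an earlier row shadows (the mistake of putting the range permit above the specific denies). The rule(), evaluate() and shadowed_rows() helpers and the 239.1.0.0/16 and 10.10.10.0/24 values are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# "All Groups" in the Rendezvous Point dialog means the whole IP multicast range.
ALL_GROUPS = ipaddress.ip_network("224.0.0.0/4")


@dataclass
class GroupRule:
    """One row of a Multicast Groups table: permit or deny a group or range.

    Boundary filter, Rendezvous Point and Route Tree tables match on the
    group only; Request Filter rules also match on the registering source.
    """
    action: str                                      # "permit" or "deny"
    group: ipaddress.IPv4Network                     # group address or range
    source: Optional[ipaddress.IPv4Network] = None   # None means any source


def rule(action: str, group: str, source: Optional[str] = None) -> GroupRule:
    """Build a row from dotted-decimal strings (hypothetical helper)."""
    net = ipaddress.ip_network(group, strict=False)
    if not net.subnet_of(ALL_GROUPS):
        raise ValueError(f"{group} is outside the multicast range {ALL_GROUPS}")
    src = ipaddress.ip_network(source, strict=False) if source else None
    return GroupRule(action, net, src)


def evaluate(rules: List[GroupRule], group: str, source: Optional[str] = None) -> bool:
    """Process the table top down; the first matching row decides.

    Returns True when the group (and source, if given) is permitted. A group
    that matches no row is denied, like an ACL's implicit deny at the end.
    """
    g = ipaddress.ip_address(group)
    if g not in ALL_GROUPS:
        raise ValueError(f"{group} is not a multicast group address")
    s = ipaddress.ip_address(source) if source else None
    for r in rules:
        if g not in r.group:
            continue
        if r.source is not None and (s is None or s not in r.source):
            continue
        return r.action == "permit"
    return False


def shadowed_rows(rules: List[GroupRule]) -> List[int]:
    """Indexes of rows that can never match because an earlier row covers them."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.group.subnet_of(earlier.group) and (
                earlier.source is None
                or (later.source is not None and later.source.subnet_of(earlier.source))
            ):
                dead.append(i)
                break
    return dead


# Constructed boundary filter: pass the 239.1.0.0/16 range through the interface
# but hold back one group inside it. The deny row has to sit above the permit.
BOUNDARY_CORRECT = [rule("deny", "239.1.1.5/32"), rule("permit", "239.1.0.0/16")]
# The same two rows reversed: the permit matches first and the deny is dead.
BOUNDARY_WRONG = [rule("permit", "239.1.0.0/16"), rule("deny", "239.1.1.5/32")]
# Constructed request filter for an appliance acting as RP: only sources in
# 10.10.10.0/24 may register for groups in 239.1.0.0/16; everything else is denied.
REQUEST_FILTER = [rule("permit", "239.1.0.0/16", source="10.10.10.0/24")]

if __name__ == "__main__":
    print(evaluate(BOUNDARY_CORRECT, "239.1.1.5"))              # False
    print(evaluate(BOUNDARY_WRONG, "239.1.1.5"))                # True
    print(shadowed_rows(BOUNDARY_WRONG))                        # [1]
    print(evaluate(REQUEST_FILTER, "239.1.1.1", "10.10.10.7"))  # True
    print(evaluate(REQUEST_FILTER, "239.1.1.1", "192.0.2.9"))   # False
```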