Configuring Routing Policies on Firewall Devices
The Routing section in Security Manager contains pages for defining and managing routing settings for security appliances.
Configuring No Proxy ARP
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. Address Resolution Protocol (ARP) is a Layer 2 protocol that resolves an IP address to a MAC address: a host sends an ARP request asking “Who is this IP address?” The device owning the IP address replies, “I own that IP address; here is my MAC address.”
With Proxy ARP, a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. Serving as an ARP Proxy for another host effectively directs network traffic to the proxy, in this case your security appliance. Traffic that passes through the appliance is then routed to the appropriate destination.
For example, the security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the appliance interface. The only way traffic can reach the destination hosts is if the appliance claims and subsequently routes traffic to the destination global addresses.
By default, proxy ARP is enabled for all interfaces. Use the No Proxy ARP page to disable proxy ARP for global addresses:
- To disable proxy ARP for one or more interfaces, enter their names in the Interfaces field. Separate multiple interfaces with commas. You can click Select to choose the interfaces from a list of interfaces defined on the device, and interface roles defined in Security Manager.
Note
On ASA 8.4.2 and later devices operating in routed mode, you can disable Proxy ARP on the egress interface for a Manual NAT rule. See Do not proxy ARP on Destination Interface in Add and Edit NAT Rule Dialog Boxes for more information.
Configuring OSPF
The OSPF page provides nine tabbed panels for configuring OSPF (Open Shortest Path First) routing on a firewall device. The following topics provide detailed information about enabling and configuring OSPF:
- About OSPF
- General Tab
- Area Tab
- Range Tab
- Neighbors Tab
- Redistribution Tab
- Virtual Link Tab
- Filtering Tab
- Summary Address Tab
- Interface Tab
- (Device view) Select Platform > Routing > OSPF from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
About OSPF
Open Shortest Path First (OSPF) is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) rather than routing table updates. Because only LSAs are exchanged, rather than entire routing tables, OSPF networks converge more quickly than RIP networks.
OSPF supports MD5 and clear-text neighbor authentication. Authentication should be used with all routing protocols whenever possible, because route redistribution between OSPF and other protocols (like RIP) can potentially be used by attackers to subvert routing information.
If NAT is used when OSPF is operating on public and private areas, and if address filtering is required, you need to run two OSPF processes—one process for the public areas and one for the private areas.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR).
An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR type 3 LSA filtering, you can have separate private and public areas with the security appliance acting as an ABR. Type 3 LSAs (inter-area routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising private networks.
Note
Only type 3 LSAs can be filtered. If you configure the security appliance as an ASBR in a private network, it will send type 5 LSAs describing private networks, which will be broadcast to the entire autonomous system (AS) including public areas.
If NAT is employed but OSPF is only running in public areas, routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the security appliance. Also, you should not mix public and private networks on the same security appliance interface.
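The ABR Type 3 filtering behaviour described above, as an added example that is not code from the Security Manager guide or the ASA: a minimal model of an ABR between a private area and a public area, with a prefix list that permits only the NAT global pool and a Type 5 LSA that, as the Note explains, is not subject to the filter. Area numbers, prefixes and the prefix-list entries are constructed for illustration.

```python
"""Added example (not from the Security Manager guide or the ASA): an ABR
applying OSPF Type 3 LSA prefix filtering between a private and a public
area. Area numbers, prefixes and prefix-list entries are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lsa:
    lsa_type: int      # 3 = inter-area (summary) LSA, 5 = AS-external LSA
    prefix: str        # IPv4 network in CIDR notation
    origin_area: int   # area in which the ABR learned the route


def prefix_permitted(prefix, prefix_list):
    """Evaluate a Cisco-style prefix list: entries are (action, network, le),
    the first matching entry wins, and no match means deny. A prefix matches
    an entry when it lies inside 'network' and its length is at most 'le'
    (set le equal to the entry's own length for an exact match)."""
    net = ipaddress.ip_network(prefix)
    for action, network, le in prefix_list:
        base = ipaddress.ip_network(network)
        if net.version == base.version and net.subnet_of(base) and net.prefixlen <= le:
            return action == "permit"
    return False


def abr_flood(lsas, into_area, filters):
    """Return the LSAs the ABR floods into 'into_area'.

    filters maps (from_area, into_area) -> prefix list. Only Type 3 LSAs are
    subject to ABR Type 3 filtering; Type 5 LSAs are AS-wide and pass through
    unfiltered, which is why an ASBR inside the private network would still
    leak private prefixes to the public area."""
    flooded = []
    for lsa in lsas:
        if lsa.origin_area == into_area:
            continue  # not advertised back into the area it came from
        if lsa.lsa_type == 3:
            plist = filters.get((lsa.origin_area, into_area))
            if plist is not None and not prefix_permitted(lsa.prefix, plist):
                continue  # inter-area route dropped by the filter
        flooded.append(lsa)
    return flooded


# Constructed topology: area 1 is the private side behind NAT, area 0 is public.
PRIVATE_AREA, PUBLIC_AREA = 1, 0
SAMPLE_LSAS = [
    Lsa(3, "10.1.0.0/16", PRIVATE_AREA),     # private network, must not leak
    Lsa(3, "10.2.0.0/16", PRIVATE_AREA),     # private network, must not leak
    Lsa(3, "192.0.2.0/24", PRIVATE_AREA),    # NAT global pool, OK to advertise
    Lsa(3, "198.51.100.0/24", PUBLIC_AREA),  # public route flowing the other way
    Lsa(5, "10.9.0.0/16", PRIVATE_AREA),     # external route from a private ASBR
]

# Filter applied out of area 1 into area 0: permit only the NAT global pool.
FILTERS = {
    (PRIVATE_AREA, PUBLIC_AREA): [("permit", "192.0.2.0/24", 24)],
}


def advertised_into_public():
    """(type, prefix) pairs that reach the public area."""
    return [(lsa.lsa_type, lsa.prefix)
            for lsa in abr_flood(SAMPLE_LSAS, PUBLIC_AREA, FILTERS)]


def advertised_into_private():
    """No filter is configured into area 1, so public routes pass unchanged."""
    return [(lsa.lsa_type, lsa.prefix)
            for lsa in abr_flood(SAMPLE_LSAS, PRIVATE_AREA, FILTERS)]


if __name__ == "__main__":
    print("into public area :", advertised_into_public())
    print("into private area:", advertised_into_private())
```

The private 10.x inter-area routes stay inside area 1, while the Type 5 route from the private ASBR still reaches the public area, illustrating why filtering alone does not contain an ASBR placed on the private side.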
General Tab
Use the General panel on the OSPF page to enable up to two OSPF process instances. Each OSPF process has its own associated areas and networks.
Note
You cannot enable OSPF if you have RIP enabled.
You can access the General panel from the OSPF Page; see Configuring OSPF for more information.
- Area Tab
- Range Tab
- Neighbors Tab
- Redistribution Tab
- Virtual Link Tab
- Filtering Tab
- Summary Address Tab
- Interface Tab
The General tab provides two identical sections; each is used to enable one OSPF process. The following options are available in each section:
- Check this box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Deselect this option to remove the OSPF process.
- Enter a unique numeric identifier for the OSPF process. This process ID is used internally and does not need to match the OSPF process ID on any other OSPF devices. Valid values are from 1 to 65535.
- Opens the OSPF Advanced Dialog Box, in which you can configure additional process-related parameters, such as Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings.
OSPF Advanced Dialog Box
Use the OSPF Advanced dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings for an OSPF process.
You can access the OSPF Advanced dialog box from the General Tab.
The following settings are available in this dialog box:
- Displays the ID of the OSPF process you are configuring. You cannot change this value in this dialog box.
- Router ID: To use a fixed router ID, enter a router ID in IP address format in the Router ID field. If you leave this value blank, the highest-level IP address on the security appliance is used as the router ID.
- Select this option to suppress transmission of syslog messages when the security appliance receives Type 6 (MOSPF) LSA packets.
- Select this option to calculate summary route costs per RFC 1583. Deselect this option to calculate summary route costs per RFC 2328. To minimize the chance of routing loops, all OSPF devices in an OSPF routing domain should have RFC compatibility set identically. This option is selected by default.
- Adjacency Changes: These options specify the syslog messages sent when adjacency changes occur.
- Administrative Route Distances: Settings for the administrative route distances, according to the route type.
- Timers: Settings used to configure LSA pacing and SPF calculation timers.
- Default Information Originate: Settings used by an ASBR to generate a default external route into an OSPF routing domain. Note: The Route Map field contains only the Route Map name. The Route Map is created and contained within a FlexConfig; see Chapter 7, “Managing FlexConfigs” for more information.
Area Tab
Use the Area tab on the OSPF page to configure OSPF areas and networks.
You can access the Area tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
- Add/Edit Area/Area Networks Dialog Box
- Configuring OSPF
- General Tab
- Range Tab
- Neighbors Tab
- Redistribution Tab
- Virtual Link Tab
- Filtering Tab
- Summary Address Tab
- Interface Tab
The Area table shows the type of authentication set for each area (None, Password, or MD5).
Add/Edit Area/Area Networks Dialog Box
Use the Add/Edit Area/Area Networks dialog box to define area parameters, the networks contained by the area, and the OSPF process associated with the area.
You can access the Add/Edit Area/Area Networks dialog box from the Area Tab.
Range Tab
Use the Range tab to summarize routes between areas.
You can access the Range tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
Add/Edit Area Range Network Dialog Box
Use the Add/Edit Area Range Network dialog box to add a new entry to the Route Summarization table or to change an existing entry.
You can access the Add/Edit Area Range Network dialog box from the Range Tab.
Neighbors Tab
Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.
You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
Add/Edit Static Neighbor Dialog Box
Use the Add/Edit Static Neighbor dialog box to define a static neighbor or change information for an existing static neighbor. You must define a static neighbor for each point-to-point, non-broadcast interface.
You can access the Add/Edit Static Neighbor dialog box from the Neighbors Tab.
Redistribution Tab
Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.
You can access the Redistribution tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
Redistribution Dialog Box
Use the Redistribution dialog box to add a redistribution rule or to edit an existing redistribution rule in the Redistribution table.
You can access the Redistribution dialog box from the Redistribution Tab.
Virtual Link Tab
Use the Virtual Link tab to create virtual links. If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.
You can access the Virtual Link tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
The Virtual Link table displays the type of authentication used by each virtual link.
Add/Edit OSPF Virtual Link Configuration Dialog Box
Use the Add/Edit OSPF Virtual Link Configuration dialog box to define virtual links or change the properties of existing virtual links.
You can access the Add/Edit OSPF Virtual Link Configuration dialog box from the Virtual Link Tab.
Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box
Use the Add/Edit OSPF Virtual Link MD5 Configuration dialog box to define MD5 keys for authentication of virtual links.
You can access the Add/Edit OSPF Virtual Link MD5 Configuration dialog box from the Add/Edit OSPF Virtual Link Configuration Dialog Box.
Each MD5 entry has a numerical key identifier; valid values range from 1 to 255.
Filtering Tab
Use the Filtering tab to configure the ABR Type 3 LSA filters for each OSPF process. ABR Type 3 LSA filters allow only specified prefixes to be sent from one area to another area and block all other prefixes. This type of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF area at the same time.
OSPF ABR Type 3 LSA filtering improves your control of route distribution between OSPF areas.
Only type-3 LSAs that originate from an ABR are filtered.
You can access the Filtering tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
Add/Edit Filtering Dialog Box
Use the Add/Edit Filtering dialog box to add new filters to the Filter table or to modify an existing filter.
You can access the Add/Edit Filtering dialog box from the Filtering Tab.
Summary Address Tab
Use the Summary Address tab to configure summary addresses for each OSPF routing process.
Routes learned from other routing protocols can be summarized. The metric used to advertise the summary is the smallest metric of all the more specific routes. Summary routes help reduce the size of the routing table.
Using summary routes for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address. Only routes from other routing protocols that are being redistributed into OSPF can be summarized.
You can access the Summary Address tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
Add/Edit Summary Address Dialog Box
Use the Add/Edit Summary Address dialog box to add new entries or to modify existing entries in the Summary Address table.
You can access the Add/Edit Summary Address dialog box from the Summary Address Tab.
Interface Tab
Use the Interface tab to configure interface-specific OSPF authentication routing properties.
You can access the Interface tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF.
Add/Edit Interface Dialog Box
Use the Add/Edit Interface dialog box to add OSPF authentication routing properties for an interface or to change an existing entry.
You can access the Add/Edit Interface dialog box from the Interface Tab.
Configuring OSPFv3
The OSPFv3 page provides two tabbed panels for configuring OSPF (Open Shortest Path First) version 3 routing on a firewall device.
- (Device view) Select Platform > Routing > OSPFv3 from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPFv3 from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
This is the basic procedure for configuring an OSPFv3 process and assigning it to an interface on the OSPFv3 page:
1. On the Process Tab:
   - Specify which of the two processes you are configuring by choosing Process 1 or Process 2 from the OSPFv3 Process drop-down list.
   - Check Enable OSPFv3 Process.
   - Assign a Process ID: any positive integer between 1 and 65535.
   - Use the following features as needed to define the process:
     - Advanced button, which opens the OSPFv3 Advanced Properties Dialog Box.
     - Area Tab (OSPFv3), for managing area, range, and virtual-link definitions, by means of the Add/Edit Area Dialog Box (OSPFv3), Add/Edit Range Dialog Box (OSPFv3), and Add/Edit Virtual Link Dialog Box (OSPFv3).
     - Redistribution panel, for managing route redistribution definitions by means of the Add/Edit Redistribution Dialog Box (OSPFv3).
     - Summary Prefix panel, for managing summary-prefix definitions by means of the Add/Edit Summary Prefix Dialog Box (OSPFv3).
2. On the OSPFv3 Interface Tab, use the Interface and Neighbor panels to assign the process to a specific interface, using the Add/Edit Interface Dialog Box (OSPFv3) and the Add/Edit Neighbor Dialog Box (OSPFv3).
About OSPFv3
Open Shortest Path First (OSPF) is an interior gateway routing protocol that uses link states rather than distance vectors for path selection. Version 3 is essentially OSPFv2 enhanced for IPv6. It is similar to OSPFv2 (see About OSPF), but it is not backward compatible. To use OSPF to route both IPv4 and IPv6 packets, you must run both OSPFv2 and OSPFv3 concurrently. They co-exist with each other, but do not interact.
Note
OSPFv3 is supported on ASA 9.0+ devices operating in single-context, routed mode only. That is, multiple contexts and transparent mode are not supported.
Think of a link as being an interface on a networking device. A link-state protocol makes its routing decisions based on the states of the links that connect source and destination devices. The state of a link is a description of that interface and its relationship to its neighboring networking devices. This interface information includes the IPv6 prefix/length of the interface, the type of network it is connected to, the devices connected to that network, and so on. This information is propagated in various types of link-state advertisements (LSAs). Because only LSAs are exchanged, rather than entire routing tables, OSPF networks converge more quickly than RIP networks.
The ASA can run two processes of the OSPFv3 protocol simultaneously on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to co-exist, but OSPFv3 does not allow overlapping addresses). Or you might want to run one process on the inside interface and another on the outside, redistributing a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.
You can redistribute routes into an OSPFv3 routing process from another OSPFv3 routing process, a RIP routing process, or from static and connected routes configured on OSPFv3-enabled interfaces.
If NAT is employed but OSPFv3 is only running in public areas, routes to public networks can be redistributed inside the private network, either as default or type 5 AS External LSAs. However, you need to configure static routes for the private networks protected by the security appliance. Also, you should not mix public and private networks on the same security appliance interface.
Differences Between OSPFv2 and OSPFv3
The additional features provided by OSPFv3 over OSPFv2 include the following:
- Use of the IPv6 link-local address for neighbor discovery and other features.
- LSAs expressed as prefix and prefix length.
- Addition of two LSA types.
- Handling of unknown LSA types.
- Protocol processing per link.
- Removal of addressing semantics.
- Addition of flooding scope.
- Support for multiple instances per link.
- Authentication support using the IPsec ESP standard for OSPFv3 routing protocol traffic, as specified by RFC 4552.
The following are ASA OSPFv3 configuration restrictions:
- To enable OSPFv3 on a specific interface, IPv6 should be enabled on the interface and it must be named.
- Only one OSPFv3 process, with one area and one instance, can be assigned to an interface.
- Interface neighbor entries take effect only when OSPFv3 is enabled on the specified interface, and the network type of that interface must be point-to-point.
- Interface neighbor address must be a link-local address.
- Range value in area Range table should be unique across the area.
- If the area is set to NSSA or stub, the same area cannot be set for virtual-link.
- OSPFv3 routes cannot be redistributed into the same OSPFv3 process from which they were learned.
- If used in an ASA cluster, OSPFv3 encryption should be disabled.
- The Layer 3 cluster pool is not shared between OSPFv3 and the interface.
Process Tab
Use the Process tab on the OSPFv3 page to enable and configure up to two OSPFv3 routing processes. Each OSPF process has its own associated areas and networks. For each, at minimum, create an area for OSPFv3, enable an interface for OSPFv3, then redistribute the route into the targeted OSPFv3 routing processes. Note that only single-context mode is supported.
The Process tab is on the OSPFv3 page.
- (Device view) Select Platform > Routing > OSPFv3 from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPFv3 from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
The following options are available on the Process tab:
- OSPFv3 Process: Identify which OSPFv3 process you are configuring: choose Process 1 or Process 2. You can enable one or both.
- Enable OSPFv3 Process: Check this box to enable the chosen OSPFv3 process. Deselect this option to disable the OSPFv3 process; the process configuration information is retained should you wish to re-enable it later.
- Process ID: Enter a unique numeric identifier for this process. The ID can be any positive integer between 1 and 65535. This process ID is used internally and does not need to match the OSPFv3 process ID on any other OSPFv3 devices.
- Advanced: Opens the OSPFv3 Advanced Properties Dialog Box, in which you can configure additional process-related parameters, such as Router ID, Adjacency Changes, Administrative Route Distances, Timers, Default Information Originate, and Passive Interface settings.
- Area panel: Use the tabs and tables in this panel to manage area, range and virtual-link definitions. See Area Tab (OSPFv3) for more about these definitions.
- Redistribution panel: Use this panel to manage redistribution definitions. See Add/Edit Redistribution Dialog Box (OSPFv3) for more about these definitions.
- Summary Prefix panel: Use this panel to manage summary prefix definitions. See Add/Edit Summary Prefix Dialog Box (OSPFv3) for more about these definitions.
OSPFv3 Advanced Properties Dialog Box
Use the OSPFv3 Advanced Properties dialog box to configure settings such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, Default Information Originate, and Passive Interface settings for an OSPFv3 process.
You can access the OSPFv3 Advanced Properties dialog box from the Process Tab.
The following settings are available in this dialog box:
- This read-only field displays the ID of the OSPFv3 process you are configuring.
- Router ID: On a single device, choose Automatic or IP Address. (An address field appears when you choose IP Address.) If you choose Automatic, the highest-level IP address on the security appliance is used as the router ID. To use a fixed router ID, choose IP Address and enter an IPv4 address in the Router ID field. On a device cluster, choose Automatic or Cluster Pool. (An IPv4 Pool object ID field appears when you choose Cluster Pool.) If you choose Cluster Pool, enter or Select the name of the IPv4 Pool object that is to supply the Router ID address. For more information, see Add or Edit IPv4 Pool Dialog Box.
- Select this option to suppress transmission of syslog messages when the security appliance receives Type 6 (MOSPF) LSA packets.
- Adjacency Changes: These options specify the syslog messages sent when adjacency changes occur.
- Administrative Route Distances: Settings for the administrative route distances, according to the route type.
- Timers: LSA and SPF throttling provide a dynamic mechanism to slow LSA updates in OSPFv3 during times of network instability, and allow faster OSPFv3 convergence by providing LSA rate limiting. The LSA pacing and SPF calculation timers are configured here. Note: For LSA throttling, if the minimum or maximum time is less than the first occurrence value, then OSPFv3 automatically corrects it to the first occurrence value. Similarly, if the maximum delay specified is less than the minimum delay, then OSPFv3 automatically corrects it to the minimum delay value.
- Default Information Originate: Settings used by an ASBR to generate a default external route into an OSPFv3 routing domain. Note: The Route Map field contains only the Route Map name. The Route Map is created and contained within a FlexConfig; see Chapter 7, “Managing FlexConfigs” for more information.
- Passive Interface: Passive routing helps control the advertisement of OSPFv3 routing information, and disables sending and receiving OSPFv3 routing updates on an interface. Enter or Select one or more interfaces, or interface objects, to enable passive OSPFv3 routing on those interfaces. IPv4 and IPv6 addresses are supported.
Area Tab (OSPFv3)
Use the Area panel on the Process Tab of the OSPFv3 page to configure OSPFv3 areas, ranges and virtual links. The Area panel consists of three definition tables—Area, Range, and Virtual Link:
- Refer to Add/Edit Area Dialog Box (OSPFv3) for information about adding and editing Area table entries.
- Refer to Add/Edit Range Dialog Box (OSPFv3) for information about adding and editing Range table entries.
- Refer to Add/Edit Virtual Link Dialog Box (OSPFv3) for information about adding and editing Virtual Link table entries.
Refer to Using Tables for basic information about working with Security Manager tables.
You can access the Area tab from the Process Tab of the OSPFv3 page. For more information about the OSPFv3 page, see Configuring OSPFv3.
Add/Edit Area Dialog Box (OSPFv3)
Use the Add/Edit Area dialog box to define parameters for the area.
You can access the Add/Edit Area dialog box from the Area Tab (OSPFv3).
Add/Edit Range Dialog Box (OSPFv3)
Use the Add/Edit Range dialog box to add a new range to the area selected in the Area table, or to change an existing entry.
You can access the Add/Edit Range dialog box from the Range panel under the Area Tab (OSPFv3).
Add/Edit Virtual Link Dialog Box (OSPFv3)
Use the Add/Edit Virtual Link dialog box to define virtual links for the area selected in the Area table, or change the properties of existing virtual links.
You can access the Add/Edit Virtual Link dialog box from the Virtual Link panel under the Area Tab (OSPFv3).
Add/Edit Redistribution Dialog Box (OSPFv3)
Use the Add/Edit Redistribution dialog box to add a redistribution rule to this process, or to edit an existing redistribution rule.
You can access the Redistribution dialog box from the Redistribution panel under the Process Tab.
The following settings are available in this dialog box:
- Source Protocol: Choose the source protocol for route redistribution.
- The metric value for the routes being redistributed. Valid values range from 1 to 16777214; the default is 20. When redistributing from one OSPF process to another OSPF process on the same device, the metric will be carried through from one process to the other if no metric value is specified.
- The metric type is the external link type associated with the default route that is advertised into the OSPFv3 routing domain. Choose None, 1, or 2, where None indicates there is no default route, 1 indicates the metric is a Type 1 external route, and 2 is a Type 2 external route.
- The tag is a 32-bit decimal value attached to each external route. This is not used by OSPF itself. It may be used to communicate information between other border devices. Valid values range from 0 to 4294967295.
- Route Map: The name of the route map to apply to the redistribution entry. Note: This field contains only the Route Map name. The Route Map is created and contained within a FlexConfig; see Chapter 7, “Managing FlexConfigs” for more information.
- Process ID: The ID of the process to which redistribution is directed. (The Process ID is defined on the Process Tab.) This option is enabled only when OSPF is chosen as the Source Protocol.
- Check this box to include connected routes in the redistribution.
- Match: The conditions used for redistributing routes from one routing protocol to another. The routes must match the selected condition to be redistributed. You can choose one or more of the following match conditions. These options are enabled only when OSPF is chosen as the Source Protocol.
  - Routes that are external to the autonomous system, but are imported into OSPF as Type 1 external routes.
  - Routes that are external to the autonomous system, but are imported into OSPF as Type 2 external routes.
  - Routes that are external to the autonomous system, but are imported into OSPF as Type 1 NSSA routes.
  - Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.
Add/Edit Summary Prefix Dialog Box (OSPFv3)
Use the Add/Edit Summary Prefix dialog box to add new route-summarization entries to the selected process, or to modify existing entries.
You can access the Add/Edit Summary Prefix dialog box from the Summary Prefix panel under the Process Tab.
OSPFv3 Interface Tab
Use the Interface panel to configure interface- and neighbor-specific OSPFv3 routing properties. The Interface panel consists of two definition tables, Interface and Neighbor:
- Refer to Add/Edit Interface Dialog Box (OSPFv3) for information about adding and editing Interface table entries.
- Refer to Add/Edit Neighbor Dialog Box (OSPFv3) for information about adding and editing Neighbor table entries.
Refer to Using Tables for basic information about working with Security Manager tables.
Click the Interface tab on the OSPFv3 page to display this panel. For more information about the OSPFv3 page, see Configuring OSPFv3.
Add/Edit Interface Dialog Box (OSPFv3)
Use the Add/Edit Interface dialog box to define OSPFv3 routing properties for an individual interface, or to change an existing entry.
You can access the Add/Edit Interface dialog box from the Interface panel under the OSPFv3 Interface Tab.
The following settings are available in this dialog box:
- The name of the interface to which this routing configuration applies.
- Check this box to enable OSPFv3 on the specified interface, and activate the following fields.
- The instance ID lets you have multiple OSPFv3 processes on a single link. Received packets with other instance IDs are ignored by this process.
- Check this box to filter outgoing LSAs. All outgoing LSAs are flooded to the interface by default.
- Check this box to disable the OSPFv3 MTU mismatch detection when database description (DBD) packets are received.
- Check this box to suppress unnecessary flooding of LSAs in stable topologies.
- Point-to-point Network: Check this box to define this as a link to a point-to-point network; that is, a network between two routing devices. All neighbors on a point-to-point network establish adjacency and there is no designated router. This option is unavailable when the Broadcast option is selected.
- Broadcast: Check this box to define this as a link to a network with multiple routing devices. Such networks establish a designated router (DR), as well as a backup designated router (BDR), that controls LSA flooding on the network. This option is unavailable when the Point-to-point Network option is selected.
- The cost of sending a packet through the interface. Link cost is an arbitrary number used in shortest path first calculations. If you do not assign a value, the configured reference bandwidth divided by the interface port speed is used. (The default reference bandwidth is 40 Gb/sec.)
- Assign an OSPFv3 priority to this interface. Valid values for this setting range from 0 to 255. Entering 0 for this setting makes the device ineligible to become the designated router or backup designated router. This setting does not apply to interfaces that are configured as point-to-point, non-broadcast interfaces. When two routing devices connect to a network, both attempt to become the designated router. The device with the higher priority becomes the designated router. If there is a tie, the router with the higher router ID becomes the designated router.
- If no hello packets are received from a neighbor within this interval, that device is designated as inactive. Valid values range from 1 to 65535. The default value for this setting is four times the hello interval.
- If a neighboring device is inactive, it may be necessary to continue sending hello packets to that neighbor. The hello packets are sent at this reduced interval, which should be larger than the hello interval.
- The time, in seconds, between LSA retransmissions for adjacent neighbors. When a router sends an LSA to a neighbor, it keeps the LSA until it receives an acknowledgment. If an acknowledgment is not received within this interval, it will resend the LSA. Be conservative when setting this value, or needless retransmission can result. The value should be larger for serial lines and virtual links. Valid values range from 1 to 65535 seconds.
- The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified by this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. The value assigned should take into account the transmission and propagation delays for the interface. This setting has more significance on very low-speed links. Valid values range from 1 to 65535 seconds.
- Authentication Algorithm: The type of authentication enabled on this interface.
- Enter an IPsec identification tag (SPI) used to distinguish this particular OSPFv3 interface; used in conjunction with the specified authentication and encryption rules. Valid values range from 256 to 4294967295.
- Authentication Key: Enter an authentication key. The length of the key entered depends on the type of authentication chosen as the Authentication Algorithm, and whether the key is to be encrypted (when you check the Encrypt Authentication Key box).
- Encrypt Authentication Key: Check this box to require encryption of the specified Authentication Key for transmission.
|
Check this box to require encryption of OSPFv3 packets. The following options are enabled. |
|
Choose the type of encryption to use:
The Key Type list is enabled only when you choose this encryption option. Choose one of these options: |
|
Enter an encryption key. The length of the key entered depends on the type of encryption chosen as the Encryption Algorithm, and whether the key is to be encrypted (when you check the Encrypt Key box):
|
|
Check this box to require encryption of the specified Encryption Key for transmission. |
|
Add/Edit Neighbor Dialog Box (OSPFv3)
You must define a static neighbor for each point-to-point, non-broadcast interface. This feature lets you broadcast OSPFv3 advertisements across an existing VPN connection without having to encapsulate the advertisements in a GRE tunnel. Note the following restrictions:
- You cannot define the same static neighbor for two different OSPFv3 processes.
- You must define a static route for each static neighbor.
Use the Add/Edit Neighbor dialog box to define a static neighbor for the interface selected in the Interface table, or to change information for an existing static neighbor.
You can access the Add/Edit Neighbor dialog box from the Neighbor panel under the OSPFv3 Interface Tab.
Configuring RIP
Routing Information Protocol (RIP) is a dynamic routing protocol, or more precisely, an interior gateway protocol that is based on distance vectors. RIP uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcast packets with neighboring devices to dynamically learn about and advertise routes. These RIP packets contain information about the destination networks that the gateways can reach, and the number of gateways that a packet must travel through to reach those destinations.
Cisco Security Manager supports both RIP version 1 and RIP version 2. Version 1 does not send the subnet mask with the routing update; RIP version 2 sends the subnet mask with the routing update, and supports variable-length subnet masks. Additionally, RIP version 2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that the security appliance receives reliable routing information from a trusted source.
Note
You cannot enable RIP if you have OSPF processes running.
RIP has the following limitations:
- The security appliance cannot pass RIP updates between interfaces.
- RIP Version 1 does not support variable-length subnet masks.
- RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered unreachable.
- RIP convergence is relatively slow compared to other routing protocols.
The following information applies to RIP Version 2 only:
- If using neighbor authentication, the authentication key and key ID must be the same on all neighbor devices that provide RIP version 2 updates to the interface.
- With RIP version 2, the security appliance transmits and receives default route updates using the multicast address 224.0.0.9. In passive mode, it receives route updates at that address.
- When RIP version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When a RIP version 2 configuration is removed from an interface, that multicast address is unregistered.
Using Security Manager to Configure RIP on Security Appliances
Use the RIP page to enable the Routing Information Protocol on an interface. The settings and features available when configuring RIP depend on the type of device and OS version that you are configuring:
- To configure RIP on a PIX Firewall or ASA running an OS version earlier than 7.2, or on any FWSM, see RIP Page for PIX/ASA 6.3–7.1 and FWSM.
- To configure RIP on a PIX Firewall or ASA running OS version 7.2 or later, see RIP Page for PIX/ASA 7.2 and Later.
- Configuring Static Routes
- Configuring OSPF
- Configuring No Proxy ARP
- Configuring Routing Information Protocol – a chapter from the “Cisco IOS IP Configuration Guide, Release 12.2,” providing additional detailed information about RIP
RIP Page for PIX/ASA 6.3–7.1 and FWSM
Use this RIP page to enable the Routing Information Protocol (RIP) on an interface in any FWSM, or in a PIX/ASA running a pre-7.2 version operating system.
The RIP table on this page lists all interfaces on which RIP is currently defined. Use the Add RIP Configuration and Edit RIP Configuration dialog boxes to create and maintain these entries. See Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Boxes for more information.
- (Device view) Select Platform > Routing > RIP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
When creating a shared RIP policy, you must choose a Version in the Create a Policy dialog box, as follows:
When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.
- Configuring Static Routes
- Configuring OSPF
- Configuring No Proxy ARP
- RIP Page for PIX/ASA 7.2 and Later
- Standard rules table topics:
Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Boxes
Use the Add RIP Configuration and Edit RIP Configuration dialog boxes to add a RIP configuration to the security appliance, or to make changes to an existing RIP configuration. By adding a RIP configuration, you enable RIP on the specified interface. Except for their titles, the two dialog boxes are identical.
You can access the Add and Edit RIP Configuration dialog boxes from the RIP Page for PIX/ASA 6.3–7.1 and FWSM.
RIP Page for PIX/ASA 7.2 and Later
Use this RIP page to enable and configure the Routing Information Protocol (RIP) on PIX and ASA devices running operating system 7.2 or later. The RIP page consists of these tabbed panels:
- (Device view) Select Platform > Routing > RIP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
When creating a shared RIP policy, you must choose a Version in the Create a Policy dialog box, as follows:
When assigning a shared RIP policy, be sure to assign the appropriate RIP policy for the device. For example, you cannot assign a PIX/ASA 7.2+ RIP policy to an FWSM.
RIP - Setup Tab
Use the Setup panel to define RIP on the security appliance, and to configure global RIP protocol parameters. You can only enable a single RIP process on the security appliance.
You can access the Setup tab from the RIP Page for PIX/ASA 7.2 and Later.
- RIP - Redistribution Tab
- RIP - Filtering Tab
- RIP - Interface Tab
- Chapter 54, “Configuring Routing Policies on Firewall Devices”
- Define one or more networks for RIP routing. Enter IP addresses, or enter or Select the desired Networks/Hosts objects (see Understanding Networks/Hosts Objects); the addresses must not contain any subnet information. There is no limit to the number of networks you can add to the security appliance configuration. RIP routing updates are sent and received only through interfaces on the specified networks; if the network of an interface is not specified, that interface is not advertised in any RIP updates.
- Use this option to specify passive interfaces on the security appliance, and by extension the active interfaces. The device listens for RIP routing broadcasts on passive interfaces and uses that information to populate its routing table, but does not send routing updates out of passive interfaces. Interfaces that are not designated as passive both receive and send updates. Choose one of these options:
- Use this field to specify the interfaces excluded from the passive list, or those explicitly designated as passive, depending on your choice from the Passive Interface list above. Note: You cannot specify two different RIP configurations for the same interface.
- Choose the RIP versions for sending and receiving RIP updates:
- When selected, a default route is generated for distribution, based on the Route Map you specify.
- Specify the route map to use for generating default routes. Note: This field contains only the Route Map name. The Route Map itself is created and contained within a FlexConfig; see Chapter 7, “Managing FlexConfigs” for more information.
- Available only when Send and Receive Version 2 is the chosen RIP Version. When checked, automatic route summarization is enabled. Disable automatic summarization if you must route between disconnected subnets; when it is disabled, subnets are advertised. Note: RIP Version 1 always uses automatic summarization; you cannot disable it.
RIP - Redistribution Tab
Use the Redistribution panel to manage redistribution routes. These are the routes that are being redistributed from other routing processes into the RIP routing process. See Add/Edit Redistribution Dialog Box for more information.
You can access the Redistribution tab from the RIP Page for PIX/ASA 7.2 and Later.
Add/Edit Redistribution Dialog Box
Use the Add Redistribution and Edit Redistribution dialog boxes to add and edit redistribution routes on the RIP - Redistribution Tab. These are the routes that are being redistributed from other routing processes into the RIP routing process. Except for their titles, these two dialog boxes are identical.
You can access the Add and Edit Redistribution dialog boxes from the Redistribution tab on the RIP Page for PIX/ASA 7.2 and Later.
- Choose the routing protocol to redistribute into the RIP routing process. If you choose OSPF, you must also enter the OSPF Process ID and, optionally, Match criteria.
- If you are redistributing OSPF routes into the RIP routing process, you can select specific types of OSPF routes to redistribute; Ctrl-click to select multiple types. Match criteria are optional; the default is to match Internal, External 1, and External 2.
- The RIP metric type to apply to the redistributed routes. The two choices are:
- The metric value to be assigned; enter a value from 0 to 16.
- The name of a route map that must be satisfied before a route can be redistributed into the RIP routing process. Note: This field contains only the route map name; the contents of the route map are created and contained within a FlexConfig. See Chapter 7, “Managing FlexConfigs” for more information.
RIP - Filtering Tab
Use the Filtering panel to manage filters for the RIP policy. Filters are used to limit network information in incoming and outgoing RIP advertisements. See Add/Edit Filter Dialog Box for more information.
You can access the Filtering tab from the RIP Page for PIX/ASA 7.2 and Later.
Add/Edit Filter Dialog Box
Use the Add Filter and Edit Filter dialog boxes to add and edit RIP filters on the RIP - Filtering Tab. Filters are used to limit network information in incoming and outgoing RIP advertisements. Except for their titles, these two dialog boxes are identical.
You can access the Add and Edit Filter dialog boxes from the Filtering tab on the RIP Page for PIX/ASA 7.2 and Later.
RIP - Interface Tab
Use the Interface panel to manage the interfaces configured to send and receive RIP broadcasts. See Add/Edit Interface Dialog Box for more information.
You can access the Interface tab from the RIP Page for PIX/ASA 7.2 and Later.
Add/Edit Interface Dialog Box
Use the Add Interface and Edit Interface dialog boxes to add and edit RIP interface configurations on the RIP - Interface Tab. Except for their titles, these two dialog boxes are identical.
You can access the Add and Edit Interface dialog boxes from the Interface tab on the RIP Page for PIX/ASA 7.2 and Later.
- These options override, for this interface, the global Send versions specified on the RIP - Setup Tab. Select the appropriate boxes to send updates using RIP Version 1, Version 2, or both.
- These options override the global Receive versions. Select the appropriate boxes to accept updates using RIP Version 1 only, Version 2 only, or both.
- Choose the authentication used on this interface for RIP broadcasts. Clear Text carries the key unencrypted in every update, so anyone on the segment can read it; prefer MD5 unless a neighbor cannot support it. If you choose MD5 or Clear Text, you must also provide the following authentication parameters:
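The following ASA CLI fragment is added here as an illustration of what the Setup, Redistribution, Filtering and Interface tabs above correspond to on a PIX/ASA 7.2+ device; it is not taken from the Security Manager documentation or generated by the product. The interface names, network numbers, ACL and route-map names and the key value are assumed for the example, and the route map and ACLs are the pieces the page says must come from a FlexConfig.

```text
! Setup tab: the single RIP process. Version 2 globally, every
! interface passive except "inside", summarization off, and a default
! route originated only when the route map matches.
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 passive-interface default
 no passive-interface inside
 no auto-summary
 default-information originate route-map RIP-DEFAULT
 ! Redistribution tab: OSPF process 1 into RIP, internal plus both
 ! external types, fixed metric 5, gated by a route map.
 redistribute ospf 1 match internal external 1 external 2 metric 5 route-map OSPF-TO-RIP
 ! Filtering tab: standard ACLs limit what is accepted from and
 ! advertised to the "inside" interface.
 distribute-list RIP-IN in interface inside
 distribute-list RIP-OUT out interface inside
!
! ACLs and route maps are outside the RIP policy; Security Manager
! expects them from a FlexConfig (names assumed for this example).
access-list RIP-IN standard permit 172.16.0.0 255.255.0.0
access-list RIP-OUT standard deny 192.168.0.0 255.255.0.0
access-list RIP-OUT standard permit any
access-list DEFAULT-NET standard permit host 0.0.0.0
route-map RIP-DEFAULT permit 10
 match ip address DEFAULT-NET
route-map OSPF-TO-RIP permit 10
 match ip address RIP-OUT
!
! Interface tab: per-interface version override and MD5 authentication.
! The key (placeholder value) and key ID must match on every RIPv2
! neighbor on this segment.
interface GigabitEthernet0/1
 nameif inside
 rip send version 2
 rip receive version 2
 rip authentication mode md5
 rip authentication key R1pK3y-Ex4mple key_id 1
```

Three of these lines carry the security weight: `passive-interface default` stops the appliance from advertising its topology on any interface you did not explicitly open, `version 2` with the per-interface `rip receive version 2` rejects unauthenticated RIPv1 updates, and `rip authentication mode md5` keeps the key off the wire. Check the result with `show rip database` and `show route rip` after deployment; an interface that shows no RIP routes usually means a key or key ID mismatch.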
Configuring Static Routes
A static route is a specific path to a particular destination network that is manually defined on the current device. Static routes are used in a variety of situations, and can be a quick and effective way to route data from one network to another when there is no dynamic route to the destination, or when use of a dynamic routing protocol is not feasible.
All routes have a value, or “metric,” that represents their priority of use. (For static routes on these devices, this metric is the route’s “administrative distance.”) When two or more routes to the same destination are available, the device uses the administrative distance to decide which route to install.
For static routes, the default metric value is 1, which gives them precedence over routes learned from dynamic routing protocols. If you raise the metric above the administrative distance of a dynamic route, the static route becomes a backup that is used only if the dynamic route disappears. For example, Open Shortest Path First (OSPF)-derived routes have a default administrative distance of 110. To configure a backup static route that is overridden by an OSPF route, specify a metric value for the static route that is greater than 110. This is referred to as a “floating” static route.
There is a special kind of static route known as a default route, or a “zero-zero” route because all zeroes are used for both the destination address and subnet mask. The default static route serves as a catch-all gateway: if there are no matches for a particular destination in the device’s routing table, the default route is used. The default route generally includes a next-hop IP address or local exit interface.
Use the Static Route page to maintain manually defined static routes. The Static Route table on this page lists all currently defined static routes, showing for each, the name of the interface or interface role for which the route is defined, the destination network(s), the next hop gateway, the route metric, whether the route is tunneled, and whether there is service-level agreement tracking for the route. For a detailed explanation of these fields, see Add/Edit Static Route Dialog Box or Add/Edit IPv6 Static Route Dialog Box.
- (Device view) Select Platform > Routing > Static Route or Platform > Routing > IPv6 Static Route from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Routing > Static Route or PIX/ASA/FWSM Platform > Routing > IPv6 Static Route from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
- Chapter 54, “Configuring Routing Policies on Firewall Devices”
- Add/Edit Static Route Dialog Box
- Add/Edit IPv6 Static Route Dialog Box
- Monitoring Service Level Agreements (SLAs) To Maintain Connectivity
- Standard rules table topics:
  – Table Columns and Column Heading Features
Add/Edit Static Route Dialog Box
The Add/Edit Static Route dialog box lets you add or edit a static route.
You can access the Add/Edit Static Route dialog box from the Static Routes page. Click the Add Row button to add a new static route; select an existing static route and click the Edit Row button to edit that route.
- Enter or Select the interface to which this static route applies.
- Enter or Select the destination network(s). You can provide one or more IP address/netmask entries, one or more Networks/Hosts objects, or a combination of both; separate the entries with commas.
- Enter or Select the gateway router that is the next hop for this route. You can provide an IP address or a Networks/Hosts object. Note: If the IP address of one of the security appliance’s own interfaces is used as the Gateway IP address, the security appliance ARPs for the destination IP address in the packet instead of ARPing for the Gateway IP address.
- The Metric is the administrative distance of the route, a measure of its “expense” used to choose among routes to the same destination (see Configuring Static Routes). Valid values range from 1 to 255; the default value is 1, which gives the static route precedence over dynamically learned routes. The maximum number of equal-cost (equal-metric) routes that can be defined per interface is three. You cannot add a route with the same metric on different interfaces that are on the same network.
- Select this option to make this a tunneled route; it can be used only for a default route. You can configure only one default tunneled gateway per device. The Tunneled option is not supported in transparent mode. Available only on PIX/ASA 7.0+ devices.
- To monitor route availability, enter or Select the name of an SLA (service level agreement) object that defines the monitoring policy. Available only on PIX/ASA 7.2+ devices. For more information on route tracking, see Monitoring Service Level Agreements (SLAs) To Maintain Connectivity.
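The following ASA CLI fragment is an added illustration of the static route options described above (default route, floating static route, SLA tracking and the Tunneled option); it is not from the Security Manager documentation. Interface names, addresses and the SLA and track numbers are assumed for the example.

```text
! Primary default route to the ISP, tied to an SLA probe (Tracked SLA
! field). When the ICMP echo to the next hop fails, the route is
! withdrawn from the routing table.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Backup default route on a second interface. Metric 254 keeps it out
! of the routing table until the tracked primary route is removed.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Floating static route. Metric 120 is greater than the OSPF
! administrative distance of 110, so the OSPF-learned route wins while
! it exists and this route takes over only if OSPF loses it.
route inside 10.50.0.0 255.255.0.0 10.10.1.254 120
!
! Separate default route used only for traffic arriving over VPN
! tunnels (Tunneled option). Only one tunneled default gateway is
! allowed per device, and it is not available in transparent mode.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 tunneled
```

Verify the behaviour rather than the configuration: `show route` should list only the metric 1 default route while the probe succeeds, and `show track 1` shows the reachability state that drives the switch to the backup. If the backup route appears in `show route` alongside the primary, the primary was entered without `track` or with the same metric, and the appliance will load-balance instead of failing over.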
Add/Edit IPv6 Static Route Dialog Box
The Add/Edit IPv6 Static Route dialog box lets you add or edit an IPv6 static route. IPv6 static routes are only supported on the following devices:
- ASA 7.0 and later (Routed mode)
- ASA 8.2 and later (Transparent mode)
- FWSM 3.1 and later (Routed mode)
You can access the Add/Edit IPv6 Static Route dialog box from the IPv6 Static Route page. Click the Add Row button to add a new static route; select an existing static route and click the Edit Row button to edit that route.