Cisco Asdm 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide
Software Version 7.1

For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module

Released: December 3, 2012
Updated: March 31, 2014
Text Part Number: N/A, Online only

Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco ASA Series Firewall ASDM Configuration Guide
Copyright © 2012-2014 Cisco Systems, Inc. All rights reserved.
Cisco ASA Series Firewall ASDM Configuration Guide

CONTENTS

About This Guide   21
  Document Objectives   21
  Related Documentation   21
  Conventions   22
  Obtaining Documentation and Submitting a Service Request   22

PART 1   Configuring Service Policies

CHAPTER 1   Configuring a Service Policy   1-1
  Information About Service Policies   1-1
  Supported Features   1-1
  Feature Directionality   1-2
  Feature Matching Within a Service Policy   1-3
  Order in Which Multiple Feature Actions are Applied   1-4
  Incompatibility of Certain Feature Actions   1-5
  Feature Matching for Multiple Service Policies   1-5
  Licensing Requirements for Service Policies   1-5
  Guidelines and Limitations   1-6
  Default Settings   1-7
  Default Configuration   1-7
  Default Traffic Classes   1-8
  Task Flows for Configuring Service Policies   1-8
  Task Flow for Configuring a Service Policy Rule   1-8
  Adding a Service Policy Rule for Through Traffic   1-8
  Adding a Service Policy Rule for Management Traffic   1-13
  Configuring a Service Policy Rule for Management Traffic   1-13
  Managing the Order of Service Policy Rules   1-15
  Feature History for Service Policies   1-17

CHAPTER 2   Configuring Special Actions for Application Inspections (Inspection Policy Map)   2-1
  Information About Inspection Policy Maps   2-1
  Guidelines and Limitations   2-2
  Default Inspection Policy Maps   2-2
  Defining Actions in an Inspection Policy Map   2-3
  Identifying Traffic in an Inspection Class Map   2-3
  Where to Go Next   2-4
  Feature History for Inspection Policy Maps   2-4

PART 2   Configuring Network Address Translation

CHAPTER 3   Information About NAT (ASA 8.3 and Later)   3-1
  Why Use NAT?   3-1
  NAT Terminology   3-2
  NAT Types   3-3
  NAT Types Overview   3-3
  Static NAT   3-3
  Dynamic NAT   3-8
  Dynamic PAT   3-10
  Identity NAT   3-12
  NAT in Routed and Transparent Mode   3-12
  NAT in Routed Mode   3-13
  NAT in Transparent Mode   3-13
  NAT and IPv6   3-15
  How NAT is Implemented   3-15
  Main Differences Between Network Object NAT and Twice NAT   3-15
  Information About Network Object NAT   3-16
  Information About Twice NAT   3-16
  NAT Rule Order   3-20
  NAT Interfaces   3-21
  Routing NAT Packets   3-21
  Mapped Addresses and Routing   3-22
  Transparent Mode Routing Requirements for Remote Networks   3-24
  Determining the Egress Interface   3-24
  NAT for VPN   3-24
  NAT and Remote Access VPN   3-25
  NAT and Site-to-Site VPN   3-26
  NAT and VPN Management Access   3-28
  Troubleshooting NAT and VPN   3-30
  DNS and NAT   3-30
  Where to Go Next   3-35

CHAPTER 4   Configuring Network Object NAT (ASA 8.3 and Later)   4-1
  Information About Network Object NAT   4-1
  Licensing Requirements for Network Object NAT   4-2
  Prerequisites for Network Object NAT   4-2
  Guidelines and Limitations   4-2
  Default Settings   4-3
  Configuring Network Object NAT   4-4
  Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool   4-4
  Configuring Dynamic PAT (Hide)   4-8
  Configuring Static NAT or Static NAT-with-Port-Translation   4-11
  Configuring Identity NAT   4-15
  Configuring Per-Session PAT Rules   4-18
  Monitoring Network Object NAT   4-19
  Configuration Examples for Network Object NAT   4-20
  Providing Access to an Inside Web Server (Static NAT)   4-21
  NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)   4-23
  Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)   4-28
  Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)   4-32
  DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)   4-35
  DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification)   4-38
  IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification)   4-40
  Feature History for Network Object NAT   4-45

CHAPTER 5   Configuring Twice NAT (ASA 8.3 and Later)   5-1
  Information About Twice NAT   5-1
  Licensing Requirements for Twice NAT   5-2
  Prerequisites for Twice NAT   5-2
  Guidelines and Limitations   5-2
  Default Settings   5-4
  Configuring Twice NAT   5-4
  Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool   5-4
  Configuring Dynamic PAT (Hide)   5-12
  Configuring Static NAT or Static NAT-with-Port-Translation   5-18
  Configuring Identity NAT   5-24
  Configuring Per-Session PAT Rules   5-29
  Monitoring Twice NAT   5-29
  Configuration Examples for Twice NAT   5-30
  Different Translation Depending on the Destination (Dynamic PAT)   5-30
  Different Translation Depending on the Destination Address and Port (Dynamic PAT)   5-39
  Feature History for Twice NAT   5-48

CHAPTER 6   Configuring NAT (ASA 8.2 and Earlier)   6-1
  NAT Overview   6-1
  Introduction to NAT   6-1
  NAT in Routed Mode   6-2
  NAT in Transparent Mode   6-3
  NAT Control   6-4
  NAT Types   6-6
  Policy NAT   6-11
  NAT and Same Security Level Interfaces   6-13
  Order of NAT Rules Used to Match Real Addresses   6-14
  Mapped Address Guidelines   6-14
  DNS and NAT   6-14
  Configuring NAT Control   6-16
  Using Dynamic NAT   6-17
  Dynamic NAT Implementation   6-17
  Managing Global Pools   6-22
  Configuring Dynamic NAT, PAT, or Identity NAT   6-23
  Configuring Dynamic Policy NAT or PAT   6-25
  Using Static NAT   6-27
  Configuring Static NAT, PAT, or Identity NAT   6-28
  Configuring Static Policy NAT, PAT, or Identity NAT   6-31
  Using NAT Exemption   6-33

PART 3   Configuring Access Control

CHAPTER 7   Configuring Access Rules   7-1
  Information About Access Rules   7-1
  General Information About Rules   7-2
  Information About Access Rules   7-5
  Information About EtherType Rules   7-6
  Licensing Requirements for Access Rules   7-7
  Guidelines and Limitations   7-7
  Default Settings   7-7
  Configuring Access Rules   7-8
  Adding an Access Rule   7-8
  Adding an EtherType Rule (Transparent Mode Only)   7-9
  Configuring Management Access Rules   7-10
  Advanced Access Rule Configuration   7-11
  Configuring HTTP Redirect   7-12
  Feature History for Access Rules   7-14

CHAPTER 8   Configuring AAA Rules for Network Access   8-1
  AAA Performance   8-1
  Licensing Requirements for AAA Rules   8-1
  Guidelines and Limitations   8-2
  Configuring Authentication for Network Access   8-2
  Information About Authentication   8-2
  Configuring Network Access Authentication   8-6
  Enabling the Redirection Method of Authentication for HTTP and HTTPS   8-7
  Enabling Secure Authentication of Web Clients   8-8
  Authenticating Directly with the ASA   8-9
  Configuring the Authentication Proxy Limit   8-11
  Configuring Authorization for Network Access   8-12
  Configuring TACACS+ Authorization   8-12
  Configuring RADIUS Authorization   8-13
  Configuring Accounting for Network Access   8-17
  Using MAC Addresses to Exempt Traffic from Authentication and Authorization   8-19
  Feature History for AAA Rules   8-20

CHAPTER 9   Configuring Public Servers   9-1
  Information About Public Servers   9-1
  Licensing Requirements for Public Servers   9-1
  Guidelines and Limitations   9-1
  Adding a Public Server that Enables Static NAT   9-2
  Adding a Public Server that Enables Static NAT with PAT   9-2
  Editing Settings for a Public Server   9-3
  Feature History for Public Servers   9-4

PART 4   Configuring Application Inspection

CHAPTER 10   Getting Started with Application Layer Protocol Inspection   10-1
  Information about Application Layer Protocol Inspection   10-1
  How Inspection Engines Work   10-1
  When to Use Application Protocol Inspection   10-2
  Guidelines and Limitations   10-3
  Default Settings and NAT Limitations   10-4
  Configuring Application Layer Protocol Inspection   10-7

CHAPTER 11   Configuring Inspection of Basic Internet Protocols   11-1
  DNS Inspection   11-1
  Information About DNS Inspection   11-2
  Default Settings for DNS Inspection   11-2
  (Optional) Configuring a DNS Inspection Policy Map and Class Map   11-3
  Configuring DNS Inspection   11-16
  FTP Inspection   11-17
  FTP Inspection Overview   11-17
  Using Strict FTP   11-17
  Select FTP Map   11-18
  FTP Class Map   11-19
  Add/Edit FTP Traffic Class Map   11-19
  Add/Edit FTP Match Criterion   11-20
  FTP Inspect Map   11-21
  File Type Filtering   11-22
  Add/Edit FTP Policy Map (Security Level)   11-22
  Add/Edit FTP Policy Map (Details)   11-23
  Add/Edit FTP Map   11-24
  Verifying and Monitoring FTP Inspection   11-25
  HTTP Inspection   11-26
  HTTP Inspection Overview   11-26
  Select HTTP Map   11-26
  HTTP Class Map   11-27
  Add/Edit HTTP Traffic Class Map   11-27
  Add/Edit HTTP Match Criterion   11-28
  HTTP Inspect Map   11-32
  URI Filtering   11-33
  Add/Edit HTTP Policy Map (Security Level)   11-33
  Add/Edit HTTP Policy Map (Details)   11-34
  Add/Edit HTTP Map   11-35
  ICMP Inspection   11-39
  ICMP Error Inspection   11-39
  Instant Messaging Inspection   11-39
  IM Inspection Overview   11-40
  Adding a Class Map for IM Inspection   11-40
  Select IM Map   11-41
  IP Options Inspection   11-41
  IP Options Inspection Overview   11-41
  Configuring IP Options Inspection   11-42
  Select IP Options Inspect Map   11-43
  IP Options Inspect Map   11-44
  Add/Edit IP Options Inspect Map   11-44
  IPsec Pass Through Inspection   11-45
  IPsec Pass Through Inspection Overview   11-45
  Select IPsec-Pass-Thru Map   11-46
  IPsec Pass Through Inspect Map   11-46
  Add/Edit IPsec Pass Thru Policy Map (Security Level)   11-47
  Add/Edit IPsec Pass Thru Policy Map (Details)   11-47
  IPv6 Inspection   11-48
  Information about IPv6 Inspection   11-48
  Default Settings for IPv6 Inspection   11-48
  (Optional) Configuring an IPv6 Inspection Policy Map   11-48
  Configuring IPv6 Inspection   11-49
  NetBIOS Inspection   11-50
  NetBIOS Inspection Overview   11-50
  Select NETBIOS Map   11-50
  NetBIOS Inspect Map   11-51
  Add/Edit NetBIOS Policy Map   11-51
  PPTP Inspection   11-51
  SMTP and Extended SMTP Inspection   11-52
  SMTP and ESMTP Inspection Overview   11-52
  Select ESMTP Map   11-53
  ESMTP Inspect Map   11-54
  MIME File Type Filtering   11-55
  Add/Edit ESMTP Policy Map (Security Level)   11-55
  Add/Edit ESMTP Policy Map (Details)   11-56
  Add/Edit ESMTP Inspect   11-57
  TFTP Inspection   11-60

CHAPTER 12   Configuring Inspection for Voice and Video Protocols   12-1
  CTIQBE Inspection   12-1
  CTIQBE Inspection Overview   12-1
  Limitations and Restrictions   12-2
  H.323 Inspection   12-2
  H.323 Inspection Overview   12-3
  How H.323 Works   12-3
  H.239 Support in H.245 Messages   12-4
  Limitations and Restrictions   12-4
  Select H.323 Map   12-5
  H.323 Class Map   12-5
  Add/Edit H.323 Traffic Class Map   12-6
  Add/Edit H.323 Match Criterion   12-6
  H.323 Inspect Map   12-7
  Phone Number Filtering   12-8
  Add/Edit H.323 Policy Map (Security Level)   12-8
  Add/Edit H.323 Policy Map (Details)   12-9
  Add/Edit HSI Group   12-11
  Add/Edit H.323 Map   12-11
  MGCP Inspection   12-12
  MGCP Inspection Overview   12-12
  Select MGCP Map   12-14
  MGCP Inspect Map   12-14
  Gateways and Call Agents   12-15
  Add/Edit MGCP Policy Map   12-15
  Add/Edit MGCP Group   12-16
  RTSP Inspection   12-16
  RTSP Inspection Overview   12-17
  Using RealPlayer   12-17
  Restrictions and Limitations   12-18
  Select RTSP Map   12-18
  RTSP Inspect Map   12-18
  Add/Edit RTSP Policy Map   12-19
  RTSP Class Map   12-19
  Add/Edit RTSP Traffic Class Map   12-20
  SIP Inspection   12-20
  SIP Inspection Overview   12-21
  SIP Instant Messaging   12-22
  Select SIP Map   12-22