    6-33
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 6      Configuring NAT (ASA 8.2 and Earlier)
      Using NAT Exemption
– You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.
Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.
Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.
Maximum Embryonic Connections—Specifies the maximum number of embryonic connections per host, up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Setting this limit enables the TCP Intercept feature. The default is 0, which means that the number of embryonic connections is unlimited and TCP Intercept is not used. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, TCP Intercept intercepts TCP SYN packets from clients to servers on a higher security level and answers them on the server's behalf; only clients that complete the handshake are connected through to the server. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts never reach the server.
Step 11 Click OK.
Using NAT Exemption
NAT exemption exempts addresses from translation and allows both real and remote hosts to originate connections. NAT exemption lets you specify the real and destination addresses when determining the real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than with dynamic identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports. Use static policy identity NAT if ports need to be considered.
    For more information about NAT exemption, see the “Bypassing NAT When NAT Control is Enabled” 
    section on page 6-10.
Figure 6-23 shows a typical NAT exemption scenario.
Figure 6-23 NAT Exemption
[Figure 6-23: hosts 209.165.201.1 and 209.165.201.2 on the Inside interface pass through the security appliance to the Outside interface with their addresses unchanged, 209.165.201.1 and 209.165.201.2.]
To configure NAT exemption, perform the following steps:
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add NAT Exempt Rule.
The Add NAT Exempt Rule dialog box appears.
Step 2 Click Action: Exempt.
    						
    							 
Step 3 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to exempt.
Step 4 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM.
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
Note: You can later specify addresses that you do not want to exempt. For example, you can specify a subnet to exempt such as 10.1.1.0/24, but if you want to translate 10.1.1.50, then you can create a separate rule for that address that removes the exemption.
Separate multiple real addresses by a comma.
Step 5 Enter the destination addresses in the Destination field, or click the ... button to choose an IP address that you already defined in ASDM.
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
Separate multiple destination addresses by a comma.
By default, the field shows any, which allows any destination address.
Step 6 In the NAT Exempt Direction area, choose whether you want to exempt traffic going to lower security interfaces (the default) or to higher security interfaces by clicking the appropriate radio button.
Step 7 (Optional) Enter a description in the Description field.
Step 8 Click OK.
Step 9 (Optional) If you do not want to exempt some addresses that were included in your NAT exempt rule, then create another rule to remove the exemption. Right-click the existing NAT Exempt rule, and choose Insert.
The Add NAT Exempt Rule dialog box appears.
a. Click Action: Do not exempt.
b. Complete Steps 3 through 8 to complete the rule.
The No Exempt rule is added before the Exempt rule. The order of Exempt and No Exempt rules is important. When the ASA decides whether to exempt a packet, the ASA tests the packet against each NAT Exempt and No Exempt rule in the order in which the rules are listed. After a match is found, no more rules are checked.
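The address parsing and the Exempt / No Exempt ordering described in Steps 4 through 9 above, modelled in Python as an added example (this is not Cisco code and is not part of this guide). It implements the two behaviours the text states: an address entered without a mask is a single host even if it ends in 0, and the rule list is tested top to bottom with the first match deciding. The interface name inside and the destination addresses used in the checks are assumptions; the subnet 10.1.1.0/24 and the host 10.1.1.50 come from the Note in Step 4.

```python
"""Model of how ASA 8.2 NAT exemption rules are evaluated.

Added example, not Cisco code. It encodes two behaviours from the text:
  * an address entered without a mask is a single host, even if it ends in 0;
  * Exempt and No Exempt rules are first-match: the first rule whose interface,
    real source and destination match decides, and later rules are not checked.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


def parse_address(text: str) -> IPv4Network:
    """Address-field semantics: 'any' matches everything, prefix/length is a
    network, and a bare address is a /32 host (10.1.1.0 is one host, not a /24)."""
    text = text.strip()
    if text == "any":
        return IPv4Network("0.0.0.0/0")
    if "/" not in text:
        return IPv4Network(text + "/32")
    return IPv4Network(text, strict=False)


def parse_address_list(text: str) -> List[IPv4Network]:
    """Multiple addresses in one field are separated by commas."""
    return [parse_address(part) for part in text.split(",") if part.strip()]


@dataclass(frozen=True)
class NatExemptRule:
    interface: str      # interface connected to the hosts with real addresses
    source: str         # real addresses, comma-separated
    destination: str    # destination addresses; "any" is the default
    exempt: bool        # True = Action: Exempt, False = Action: Do not exempt


def is_exempt(rules: List[NatExemptRule], interface: str, src: str, dst: str) -> Optional[bool]:
    """True/False from the first matching rule; None when no rule matches,
    in which case the packet is subject to the ordinary NAT rules."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        if r.interface != interface:
            continue
        if (any(s in n for n in parse_address_list(r.source))
                and any(d in n for n in parse_address_list(r.destination))):
            return r.exempt
    return None


# Rules as produced by Steps 1-9: the No Exempt rule for 10.1.1.50 is inserted
# before the Exempt rule for 10.1.1.0/24 (interface name "inside" is assumed).
RULES_AS_CONFIGURED = [
    NatExemptRule("inside", "10.1.1.50", "any", exempt=False),
    NatExemptRule("inside", "10.1.1.0/24", "any", exempt=True),
]

# The same two rules in the wrong order: the broader Exempt rule matches first,
# so the No Exempt rule is never reached and 10.1.1.50 is exempted after all.
RULES_SHADOWED = list(reversed(RULES_AS_CONFIGURED))
```

With RULES_AS_CONFIGURED, is_exempt(..., "10.1.1.50", ...) returns False (the host is translated) while every other host in 10.1.1.0/24 returns True; with RULES_SHADOWED the host rule is dead and 10.1.1.50 is exempted, which is the ordering problem Step 9 warns about.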
    						
    							 
PART 3
Configuring Access Control

CHAPTER 7
Configuring Access Rules
    This chapter describes how to control network access through the ASA using access rules and includes 
    the following sections:
    Information About Access Rules, page 7-1
    Licensing Requirements for Access Rules, page 7-7
    Guidelines and Limitations, page 7-7
    Default Settings, page 7-7
    Configuring Access Rules, page 7-8
    Feature History for Access Rules, page 7-14
Note: You use access rules to control network access in both routed and transparent firewall modes. In transparent mode, you can use both access rules (for Layer 3 traffic) and EtherType rules (for Layer 2 traffic).
To access the ASA interface for management access, you do not also need an access rule allowing the host IP address. You only need to configure management access according to Chapter 96, “Configuring Management Access,” in the general operations configuration guide.
    Information About Access Rules
     Your access policy is made up of one or more access rules and/or EtherType rules per interface or 
    globally for all interfaces.
    You can use access rules in routed and transparent firewall mode to control IP traffic. An access rule 
    permits or denies traffic based on the protocol, a source and destination IP address or network, and 
    optionally the source and destination ports.
    For transparent mode only, an EtherType rule controls network access for non-IP traffic. An EtherType 
    rule permits or denies traffic based on the EtherType.
    This section includes the following topics:
    General Information About Rules, page 7-2
    Information About Access Rules, page 7-5
    Information About EtherType Rules, page 7-6 
    						
    							 
    General Information About Rules
    This section describes information for both access rules and EtherType rules, and it includes the 
    following topics:
    Implicit Permits, page 7-2
    Information About Interface Access Rules and Global Access Rules, page 7-2
    Using Access Rules and EtherType Rules on the Same Interface, page 7-2
    Rule Order, page 7-3
    Implicit Deny, page 7-3
    Using Remarks, page 7-3
    NAT and Access Rules, page 7-3
    Inbound and Outbound Rules, page 7-3
    Transactional-Commit Model, page 7-4
    Implicit Permits
    For routed mode, the following types of traffic are allowed through by default:
    Unicast IPv4 traffic from a higher security interface to a lower security interface.
    Unicast IPv6 traffic from a higher security interface to a lower security interface.
    For transparent mode, the following types of traffic are allowed through by default:
    Unicast IPv4 traffic from a higher security interface to a lower security interface.
    Unicast IPv6 traffic from a higher security interface to a lower security interface.
    ARPs in both directions.
Note: ARP traffic can be controlled by ARP inspection, but cannot be controlled by an access rule.
    BPDUs in both directions.
    For other traffic, you need to use either an access rule (IPv4 and IPv6) or an EtherType rule 
    (non-IPv4/IPv6).
    Information About Interface Access Rules and Global Access Rules 
    You can apply an access rule to a specific interface, or you can apply an access rule globally to all 
    interfaces. You can configure global access rules in conjunction with interface access rules, in which 
    case, the specific interface access rules are always processed before the general global access rules.
Note: Global access rules apply only to inbound traffic. See the “Inbound and Outbound Rules” section on page 7-3.
    Using Access Rules and EtherType Rules on the Same Interface
    You can apply both access rules and EtherType rules to each direction of an interface. 
    						
    							 
    Rule Order
    The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA 
    tests the packet against each rule in the order in which the rules are listed. After a match is found, no 
    more rules are checked. For example, if you create an access rule at the beginning that explicitly permits 
    all traffic for an interface, no further rules are ever checked. For more information, see the “Implicit 
    Deny” section on page 7-3.
    You can disable a rule by making it inactive.
    Implicit Deny
    ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. 
    For example, if you want to allow all users to access a network through the ASA except for particular 
    addresses, then you need to deny the particular addresses and then permit all others.
    For EtherType ACLs, the implicit deny at the end of the ACL does not affect IP traffic or ARPs; for 
    example, if you allow EtherType 8037, the implicit deny at the end of the ACL does not now block any 
    IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security 
    interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE, 
    then IP and ARP traffic is denied.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See the following order of operations:
1. Interface access rule.
2. Global access rule.
3. Implicit deny.
Using Remarks
In the ASDM Access Rules window, the remark displayed next to a rule is the one that was configured immediately before that rule. If you configure a remark from the CLI and then view it in the ASDM Access Rules window, the remark therefore appears next to the rule that was configured after the remark in the CLI. The packet tracer in ASDM behaves differently: it associates a matching rule with the remark that is configured after that rule in the CLI.
    NAT and Access Rules
    Access rules always use the real IP addresses when determining an access rule match, even if you 
    configure NAT. For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly 
    routable IP address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to 
    access the inside server needs to reference the server’s real IP address (10.1.1.5), and not the mapped 
    address (209.165.201.5).
    Inbound and Outbound Rules
    The ASA supports two types of ACLs:
    Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are 
    always inbound.
    Outbound—Outbound ACLs apply to traffic as it exits an interface. 
    						
    							 
Note: “Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to a lower security interface, commonly known as outbound.
    An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks 
    to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict 
    access, you can create a single outbound ACL that allows only the specified hosts. (See Figure 7-1.) The 
    outbound ACL prevents any other hosts from reaching the outside network.
Figure 7-1 Outbound ACL
[Figure 7-1: the inside interfaces (labeled Inside, HR, and Eng) each carry an inbound ACL that permits from any to any. Static NAT maps 10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6, and 10.1.3.34 to 209.165.201.8. A single outbound ACL on the Outside interface permits HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to the web server at 209.165.200.225 and denies all others.]
Transactional-Commit Model
The ASA rule engine supports a newer way of applying rule updates, called the Transactional-Commit Model. When this feature is enabled, a rule update is applied only after rule compilation has completed, so rule matching performance is not affected while the new rules compile. With the legacy model, rule updates take effect immediately, but rule matching slows down during the rule compilation period. The Transactional-Commit Model is useful in two situations:
Preventing packet drops while compiling a large rule set under high traffic rates.
Reducing rule compilation time while updating a large number of similar rules.
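The Rule Order, Implicit Deny, NAT and Access Rules, and Inbound and Outbound Rules sections above, together with the Figure 7-1 scenario, modelled in Python as an added example (this is not Cisco code and is not part of this guide). The static NAT mappings, the three permitted hosts and the web server address are taken from Figure 7-1 and the NAT and Access Rules section; the interface names inside, HR, Eng and outside, their security levels, the outside client address 198.51.100.7 and the TCP ports are assumptions.

```python
"""Model of ASA access-rule evaluation as this chapter describes it.

Added example, not Cisco code. It encodes: first-match evaluation of each ACL;
the order interface inbound rule -> global rule -> implicit deny (the implicit
permit from higher to lower security applies only when no ACL is applied to the
interface and there is no global ACL); an outbound ACL on the egress interface
with its own implicit deny; and matching on real (untranslated) addresses.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

SECURITY_LEVEL = {"inside": 100, "HR": 100, "Eng": 100, "outside": 0}  # assumed
# Static NAT (mapped -> real): Figure 7-1 hosts plus the "NAT and Access Rules" server.
STATIC_NAT = {
    IPv4Address("209.165.201.4"): IPv4Address("10.1.1.14"),
    IPv4Address("209.165.201.6"): IPv4Address("10.1.2.67"),
    IPv4Address("209.165.201.8"): IPv4Address("10.1.3.34"),
    IPv4Address("209.165.201.5"): IPv4Address("10.1.1.5"),
}

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol
    source: IPv4Network
    destination: IPv4Network
    dst_port: Optional[int] = None   # None = any port

@dataclass(frozen=True)
class Packet:
    ingress: str                     # interface the packet enters
    egress: str                      # interface it would leave through
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None

def rule(action: str, proto: str, src: str, dst: str, port: Optional[int] = None) -> Rule:
    return Rule(action, proto, IPv4Network(src, strict=False),
                IPv4Network(dst, strict=False), port)

def first_match(acl: List[Rule], pkt: Packet) -> Optional[str]:
    """The first matching rule decides; later rules are never consulted."""
    for r in acl:
        if (r.protocol in ("ip", pkt.protocol) and pkt.src in r.source
                and pkt.dst in r.destination
                and (r.dst_port is None or r.dst_port == pkt.dst_port)):
            return r.action
    return None

def evaluate(pkt: Packet, inbound: Dict[str, List[Rule]],
             outbound: Dict[str, List[Rule]], global_acl: List[Rule]) -> Tuple[str, str]:
    """Returns (decision, what decided it)."""
    # Access rules see the real address, so undo static NAT on the destination first.
    pkt = replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))
    ingress_acl = inbound.get(pkt.ingress)
    if ingress_acl is None and not global_acl:
        if SECURITY_LEVEL[pkt.ingress] <= SECURITY_LEVEL[pkt.egress]:
            return "deny", "no rule permits traffic toward an equal or higher security interface"
        # otherwise: implicit permit, higher to lower security
    else:
        decision, stage = first_match(ingress_acl or [], pkt), "interface inbound rule"
        if decision is None:
            decision, stage = first_match(global_acl, pkt), "global rule"
        if decision is None:
            return "deny", "implicit deny"
        if decision == "deny":
            return "deny", stage
    egress_acl = outbound.get(pkt.egress)
    if egress_acl is not None:
        out = first_match(egress_acl, pkt)
        if out != "permit":
            return "deny", "outbound rule" if out == "deny" else "outbound implicit deny"
    return "permit", "permitted"

def figure_7_1_decisions() -> Dict[str, str]:
    """Figure 7-1: inside interfaces permit anything inbound; one outbound ACL on
    the outside interface lets only three real hosts reach the web server over HTTP."""
    web = "209.165.200.225/32"
    permit_any = [rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
    inbound = {"inside": permit_any, "HR": permit_any, "Eng": permit_any}
    outbound = {"outside": [
        rule("permit", "tcp", "10.1.1.14/32", web, 80),
        rule("permit", "tcp", "10.1.2.67/32", web, 80),
        rule("permit", "tcp", "10.1.3.34/32", web, 80),
        rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ]}
    server = IPv4Address("209.165.200.225")
    pkts = {
        "listed host, HTTP": Packet("HR", "outside", "tcp", IPv4Address("10.1.2.67"), server, 80),
        "listed host, HTTPS": Packet("HR", "outside", "tcp", IPv4Address("10.1.2.67"), server, 443),
        "other inside host, HTTP": Packet("inside", "outside", "tcp", IPv4Address("10.1.1.99"), server, 80),
    }
    return {name: evaluate(p, inbound, outbound, [])[0] for name, p in pkts.items()}

def nat_rule_decisions() -> Dict[str, str]:
    """Outside client (assumed 198.51.100.7) to the server mapped as 209.165.201.5:
    only the rule written with the real address 10.1.1.5 matches; the other hits implicit deny."""
    pkt = Packet("outside", "inside", "tcp", IPv4Address("198.51.100.7"),
                 IPv4Address("209.165.201.5"), 80)
    by_mapped = {"outside": [rule("permit", "tcp", "0.0.0.0/0", "209.165.201.5/32", 80)]}
    by_real = {"outside": [rule("permit", "tcp", "0.0.0.0/0", "10.1.1.5/32", 80)]}
    return {"rule uses mapped address": evaluate(pkt, by_mapped, {}, [])[0],
            "rule uses real address": evaluate(pkt, by_real, {}, [])[0]}
```

figure_7_1_decisions() permits HTTP from a listed host and denies both HTTPS from that host and HTTP from an unlisted inside host, all on the single outbound ACL; nat_rule_decisions() shows the inbound rule written with the mapped address 209.165.201.5 falling through to the implicit deny because the ACL is checked against the real address 10.1.1.5.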
    						
    							 
    Guidelines and Limitations
    Context Mode Guidelines
    Supported in single and multiple context mode.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode. 
    IPv6 Guidelines
    Supports IPv6.
    Additional Guidelines and Limitations
Evaluate the following alternatives before using the transactional commit model:
With large rule sets, reduce the number of rules that must be compiled by using the Object Group Search setting in the Advanced Access Rule Configuration settings. For more information, see Advanced Access Rule Configuration, page 7-11.
Perform incremental rule updates instead of a bulk rule update. If a bulk update is necessary, perform it during a maintenance window, when traffic is low.
    Information About Access Rules
    This section describes information about access rules and includes the following topics:
    Access Rules for Returning Traffic, page 7-5
    Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, 
    page 7-5
    Management Access Rules, page 7-6
    Access Rules for Returning Traffic
    For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to 
    allow returning traffic because the ASA allows all returning traffic for established, bidirectional 
    connections.
    For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so 
    you either need access rules to allow ICMP in both directions (by applying ACLs to the source and 
    destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine 
    treats ICMP sessions as bidirectional connections.
    Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
    In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, 
    including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). 
    Transparent firewall mode can allow any IP traffic through.
Note: Because these special types of traffic are connectionless, you need to apply an access rule to both interfaces, so that returning traffic is allowed through.
    						
    							 
Table 7-1 lists common traffic types that you can allow through the transparent firewall.
Management Access Rules
You can configure access rules that control management traffic destined to the ASA itself. The host permissions configured for to-the-box management protocols (such as HTTP, Telnet, and SSH) have higher precedence than a management access rule. Therefore, management traffic permitted by those settings is allowed to come in even if it is explicitly denied by the to-the-box ACL.
    Information About EtherType Rules
    This section describes EtherType rules and includes the following topics:
    Supported EtherTypes and Other Traffic, page 7-6
    Access Rules for Returning Traffic, page 7-7
    Allowing MPLS, page 7-7
    Supported EtherTypes and Other Traffic
    An EtherType rule controls the following:
    EtherType identified by a 16-bit hexadecimal number, including common types IPX and MPLS 
    unicast or multicast.
    Ethernet V2 frames.
    BPDUs, which are permitted by default. BPDUs are SNAP-encapsulated, and the ASA is designed 
    to specifically handle BPDUs.
    Trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload, 
    so the ASA modifies the payload with the outgoing VLAN if you allow BPDUs.
    IS-IS.
    The following types of traffic are not supported:
    802.3-formatted frames—These frames are not handled by the rule because they use a length field 
    as opposed to a type field.
Table 7-1 Transparent Firewall Special Traffic

Traffic Type       Protocol or Port                                   Notes
DHCP               UDP ports 67 and 68                                If you enable the DHCP server, then the ASA does not pass DHCP packets.
EIGRP              Protocol 88                                        —
OSPF               Protocol 89                                        —
Multicast streams  The UDP ports vary depending on the application.   Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2)     UDP port 520                                       —
    						