Cisco Asdm 7 User Guide
Contents (Cisco ASA Series Firewall ASDM Configuration Guide)

  Feature History for the ASA CX Module  30-33

CHAPTER 31  Configuring the ASA IPS Module  31-1
  Information About the ASA IPS Module  31-1
  How the ASA IPS Module Works with the ASA  31-2
  Operating Modes  31-3
  Using Virtual Sensors (ASA 5510 and Higher)  31-3
  Information About Management Access  31-4
  Licensing Requirements for the ASA IPS module  31-5
  Guidelines and Limitations  31-5
  Default Settings  31-6
  Configuring the ASA IPS module  31-7
  Task Flow for the ASA IPS Module  31-7
  Connecting the ASA IPS Management Interface  31-8
  Sessioning to the Module from the ASA (May Be Required)  31-11
  (ASA 5512-X through ASA 5555-X) Booting the Software Module  31-12
  Configuring Basic IPS Module Network Settings  31-12
  Configuring the Security Policy on the ASA IPS Module  31-15
  Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)  31-17
  Diverting Traffic to the ASA IPS module  31-18
  Managing the ASA IPS module  31-19
  Installing and Booting an Image on the Module  31-20
  Shutting Down the Module  31-22
  Uninstalling a Software Module Image  31-22
  Resetting the Password  31-23
  Reloading or Resetting the Module  31-24
  Monitoring the ASA IPS module  31-24
  Feature History for the ASA IPS module  31-25

CHAPTER 32  Configuring the ASA CSC Module  32-1
  Information About the CSC SSM  32-1
  Determining What Traffic to Scan  32-3
  Licensing Requirements for the CSC SSM  32-5
  Prerequisites for the CSC SSM  32-5
  Guidelines and Limitations  32-6
  Default Settings  32-6
  Configuring the CSC SSM  32-7
  Before Configuring the CSC SSM  32-7
  Connecting to the CSC SSM  32-8
  Determining Service Policy Rule Actions for CSC Scanning  32-9
  CSC SSM Setup Wizard  32-10
  Activation/License  32-11
  IP Configuration  32-11
  Host/Notification Settings  32-12
  Management Access Host/Networks  32-13
  Password  32-13
  Restoring the Default Password  32-14
  Wizard Setup  32-15
  Using the CSC SSM GUI  32-20
  Web  32-20
  Mail  32-21
  SMTP Tab  32-21
  POP3 Tab  32-22
  File Transfer  32-22
  Updates  32-23
  Monitoring the CSC SSM  32-24
  Threats  32-24
  Live Security Events  32-25
  Live Security Events Log  32-25
  Software Updates  32-26
  Resource Graphs  32-27
  Troubleshooting the CSC Module  32-27
  Additional References  32-31
  Feature History for the CSC SSM  32-31

INDEX
About This Guide

This preface introduces the Cisco ASA Series Firewall ASDM Configuration Guide and includes the following sections:
• Document Objectives, page 3
• Related Documentation, page 3
• Conventions, page 4
• Obtaining Documentation and Submitting a Service Request, page 4

Document Objectives

The purpose of this guide is to help you configure the firewall features for the ASA using ASDM. This guide does not cover every feature, but describes only the most common configuration scenarios.

This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.

Note: ASDM supports many ASA versions. The ASDM documentation and online help include all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the feature history table for each chapter to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Series Compatibility.

Related Documentation

For more information, see Navigating the Cisco ASA Series Documentation at http://www.cisco.com/go/asadocs.
Conventions

This document uses the following conventions:

| Convention | Indication |
|---|---|
| bold font | Commands and keywords and user-entered text appear in bold font. |
| italic font | Document titles, new or emphasized terms, and arguments for which you supply values are in italic font. |
| [ ] | Elements in square brackets are optional. |
| {x \| y \| z } | Required alternative keywords are grouped in braces and separated by vertical bars. |
| [ x \| y \| z ] | Optional alternative keywords are grouped in brackets and separated by vertical bars. |
| string | A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks. |
| courier font | Terminal sessions and information the system displays appear in courier font. |
| courier bold font | Commands and keywords and user-entered text appear in bold courier font. |
| courier italic font | Arguments for which you supply values are in courier italic font. |
| < > | Nonprinting characters such as passwords are in angle brackets. |
| [ ] | Default responses to system prompts are in square brackets. |
| !, # | An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line. |

Note: Means reader take note.

Tip: Means the following information will help you solve a problem.

Caution: Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.
CHAPTER 1  Configuring a Service Policy

Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple service policy rules applied to an interface or applied globally.

This chapter includes the following sections:
• Information About Service Policies, page 1-1
• Licensing Requirements for Service Policies, page 1-5
• Guidelines and Limitations, page 1-6
• Default Settings, page 1-7
• Task Flows for Configuring Service Policies, page 1-8
• Adding a Service Policy Rule for Through Traffic, page 1-8
• Adding a Service Policy Rule for Management Traffic, page 1-13
• Managing the Order of Service Policy Rules, page 1-15
• Feature History for Service Policies, page 1-17

Information About Service Policies

This section describes how service policies work and includes the following topics:
• Supported Features, page 1-1
• Feature Directionality, page 1-2
• Feature Matching Within a Service Policy, page 1-3
• Order in Which Multiple Feature Actions are Applied, page 1-4
• Incompatibility of Certain Feature Actions, page 1-5
• Feature Matching for Multiple Service Policies, page 1-5

Supported Features

Table 1-1 lists the features supported by service policy rules.
Table 1-1 Service Policy Rule Features

| Feature | For Through Traffic? | For Management Traffic? | See |
|---|---|---|---|
| Application inspection (multiple types) | All except RADIUS accounting | RADIUS accounting only | Chapter 10, “Getting Started with Application Layer Protocol Inspection”; Chapter 11, “Configuring Inspection of Basic Internet Protocols”; Chapter 12, “Configuring Inspection for Voice and Video Protocols”; Chapter 13, “Configuring Inspection of Database and Directory Protocols”; Chapter 14, “Configuring Inspection for Management Application Protocols”; Chapter 25, “Configuring the ASA for Cisco Cloud Web Security” |
| ASA CSC | Yes | No | Chapter 32, “Configuring the ASA CSC Module” |
| ASA IPS | Yes | No | Chapter 31, “Configuring the ASA IPS Module” |
| ASA CX | Yes | No | Chapter 30, “Configuring the ASA CX Module” |
| NetFlow Secure Event Logging filtering | Yes | Yes | Chapter 94, “Configuring NetFlow Secure Event Logging (NSEL),” in the general operations configuration guide |
| QoS input and output policing | Yes | No | Chapter 23, “Configuring QoS” |
| QoS standard priority queue | Yes | No | Chapter 23, “Configuring QoS” |
| QoS traffic shaping, hierarchical priority queue | Yes | Yes | Chapter 23, “Configuring QoS” |
| TCP and UDP connection limits and timeouts, and TCP sequence number randomization | Yes | Yes | Chapter 22, “Configuring Connection Settings” |
| TCP normalization | Yes | No | Chapter 22, “Configuring Connection Settings” |
| TCP state bypass | Yes | No | Chapter 22, “Configuring Connection Settings” |
| User statistics for Identity Firewall | Yes | Yes | See the user-statistics command in the command reference |

Feature Directionality

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.
Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions, so bidirectionality in this case is redundant.

For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or exits, depending on the feature) the interface to which you apply the policy map is affected. See Table 1-2 for the directionality of each feature.

Table 1-2 Feature Directionality

| Feature | Single Interface Direction | Global Direction |
|---|---|---|
| Application inspection (multiple types) | Bidirectional | Ingress |
| ASA CSC | Bidirectional | Ingress |
| ASA CX | Bidirectional | Ingress |
| ASA CX authentication proxy | Ingress | Ingress |
| ASA IPS | Bidirectional | Ingress |
| NetFlow Secure Event Logging filtering | N/A | Ingress |
| QoS input policing | Ingress | Ingress |
| QoS output policing | Egress | Egress |
| QoS standard priority queue | Egress | Egress |
| QoS traffic shaping, hierarchical priority queue | Egress | Egress |
| TCP and UDP connection limits and timeouts, and TCP sequence number randomization | Bidirectional | Ingress |
| TCP normalization | Bidirectional | Ingress |
| TCP state bypass | Bidirectional | Ingress |
| User statistics for Identity Firewall | Bidirectional | Ingress |

Feature Matching Within a Service Policy

See the following information for how a packet matches rules in a policy for a given interface:
1. A packet can match only one rule for an interface for each feature type.
2. When the packet matches a rule for a feature type, the ASA does not attempt to match it to any subsequent rules for that feature type.
3. If the packet matches a subsequent rule for a different feature type, however, then the ASA also applies the actions for the subsequent rule, if supported. See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information about unsupported combinations.

Note: Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature.
For example, if a packet matches a rule for connection limits, and also matches a rule for an application inspection, then both actions are applied. If a packet matches a rule for HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule actions are not applied. If a packet matches a rule for HTTP inspection, but also matches another rule that includes FTP inspection, then the second rule actions are not applied because HTTP and FTP inspections cannot be combined. If a packet matches a rule for HTTP inspection, but also matches another rule that includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any other type of inspection.

Order in Which Multiple Feature Actions are Applied

The order in which different types of actions in a service policy are performed is independent of the order in which the actions appear in the table.

Note: NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.

Actions are performed in the following order:
1. QoS input policing
2. TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, and TCP state bypass.
   Note: When the ASA performs a proxy service (such as AAA or CSC) or modifies the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and after the proxy or payload-modifying service.
3. ASA CSC
4. Application inspections that can be combined with other inspections:
   a. IPv6
   b. IP options
   c. WAAS
5. Application inspections that cannot be combined with other inspections. See the “Incompatibility of Certain Feature Actions” section on page 1-5 for more information.
6. ASA IPS
7. ASA CX
8. QoS output policing
9. QoS standard priority queue
10. QoS traffic shaping, hierarchical priority queue
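The matching rules above (one rule per feature type, first match wins, mutually exclusive inspections, and a fixed application order that ignores rule order) are easy to misjudge when auditing a long policy. The following Python model is an added example, not Cisco code and not part of this guide; it reproduces the HTTP/FTP/IPv6 and connection-limit cases from the text and orders the surviving actions by the ten-step list. The rule names, the sample packets, the port-only match criterion and the relative order of the actions grouped under step 2 are constructed assumptions; a real ASA matches on full class-map criteria and the TCP normalizer's dual mode is not modeled.

```python
"""Added example (not Cisco's code): simulate how the ASA chooses and orders
service policy feature actions for one packet on one interface, following the
matching rules and the action order described in this chapter.

Rule names, sample packets, and the match criterion (destination port only)
are constructed for illustration. The order among the step-2 actions is an
assumption; the text lists them as one group.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed order in which feature actions are applied, independent of rule order.
# Inspections that cannot be combined all share the single slot "inspect:*".
ACTION_ORDER = [
    "qos-input-policing",
    "tcp-normalization",
    "connection-limits",
    "tcp-sequence-randomization",
    "tcp-state-bypass",
    "asa-csc",
    "inspect:ipv6",
    "inspect:ip-options",
    "inspect:waas",
    "inspect:*",
    "asa-ips",
    "asa-cx",
    "qos-output-policing",
    "qos-priority-queue",
    "qos-traffic-shaping",
]
COMBINABLE_INSPECTIONS = {"ipv6", "ip-options", "waas"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    dport: Optional[int]      # None means "match any destination port"
    actions: List[str]        # feature actions, e.g. "inspect:http"

    def matches(self, pkt: Packet) -> bool:
        return self.dport is None or self.dport == pkt.dport


def feature_type(action: str) -> str:
    """Map an action to its feature type. Each combinable inspection is a
    separate feature type; every other inspection shares one exclusive type."""
    if action.startswith("inspect:"):
        proto = action.split(":", 1)[1]
        return action if proto in COMBINABLE_INSPECTIONS else "inspect:*"
    if action not in ACTION_ORDER:
        raise ValueError(f"unknown feature action: {action}")
    return action


def select_actions(pkt: Packet, rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """The first matching rule claims each feature type. Later rules matching
    an already claimed type are skipped for that type, but still contribute
    actions of feature types that are not yet claimed."""
    chosen: Dict[str, Tuple[str, str]] = {}
    for rule in rules:
        if not rule.matches(pkt):
            continue
        for action in rule.actions:
            chosen.setdefault(feature_type(action), (rule.name, action))
    return chosen


def apply_policy(pkt: Packet, rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (action, rule name) pairs in the order the ASA applies them."""
    chosen = select_actions(pkt, rules)
    pairs = [(action, rule) for rule, action in chosen.values()]
    return sorted(pairs, key=lambda p: ACTION_ORDER.index(feature_type(p[0])))


# Constructed rule set mirroring the examples in the text.
RULES = [
    Rule("web-limits", 80, ["connection-limits"]),
    Rule("web-inspect", 80, ["inspect:http", "inspect:ipv6"]),
    Rule("web-inspect-dup", 80, ["inspect:http"]),   # skipped: HTTP type already claimed
    Rule("ftp-anywhere", None, ["inspect:ftp"]),      # skipped for port 80: exclusive with HTTP
    Rule("policing", None, ["qos-output-policing", "qos-input-policing"]),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.5", "192.0.2.10", 80), Packet("10.1.1.5", "192.0.2.10", 21)):
        print(f"dport {pkt.dport}:")
        for action, rule in apply_policy(pkt, RULES):
            print(f"  {action:28s} from rule {rule}")
```

For the port-80 packet the model applies input policing, connection limits, IPv6 inspection, HTTP inspection and output policing, in that order, even though the policing rule lists output before input and sits last in the rule table; the duplicate HTTP rule and the FTP rule contribute nothing. Swapping the rule positions changes which rule wins a feature type but never the order in which the winning actions run.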