Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 14      Configuring Inspection for Management Application Protocols
(page 14-13)
    Fields
    Name—Shows the name of the previously configured RADIUS accounting map.
    Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.
    Host Parameters—Lets you configure host parameters.
    –Host IP Address—Specify the IP address of the host that is sending the RADIUS messages.
    –Key: (optional)—Specify the key.
    Add—Adds the host entry to the Host table.
    Delete—Deletes the host entry from the Host table.
RADIUS Inspect Map Other
The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map.
Fields
Name—Shows the name of the previously configured RADIUS accounting map.
Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.
Other Parameters—Lets you configure additional parameters.
–Send response to the originator of the RADIUS message—Sends a message back to the host from which the RADIUS message was sent.
–Enforce timeout—Enables the timeout for users.
Users Timeout—Timeout for the users in the database (hh:mm:ss).
–Enable detection of GPRS accounting—Enables detection of GPRS accounting. This option is only available when the GTP/GPRS license is enabled.
–Validate Attribute—Attribute information.
Attribute Number—Specify the attribute number to validate when an Accounting Start is received.
Add—Adds the entry to the Attribute table.
Delete—Deletes the entry from the Attribute table.
RSH Inspection
RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server negotiate the TCP port number where the client listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if necessary.
SNMP Inspection
This section describes the SNMP inspection engine. This section includes the following topics:
SNMP Inspection Overview, page 14-14
“Select SNMP Map” section on page 14-14
“SNMP Inspect Map” section on page 14-14
    SNMP Inspection Overview
SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The ASA can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map.
You then apply the SNMP map when you enable SNMP inspection according to the “Configuring Application Layer Protocol Inspection” section on page 10-7.
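As an added illustration (not from this guide and not ASA code), the following Python shows the decision an SNMP map's version filter has to make: it reads the BER-encoded version field at the head of each SNMP datagram and drops any version named in a deny set, the way a map that denies SNMPv1 and SNMPv2c would. The sample messages and the `inspect_snmp` helper are constructed for this example.

```python
# Classify SNMP datagrams by version and apply an SNMP-map style deny policy.
from typing import Optional, Tuple

# Version field values: 0 = SNMPv1 (RFC 1157), 1 = SNMPv2c (RFC 1901),
# 3 = SNMPv3 (RFC 3412). Party-based SNMPv2 (RFC 1445) wraps its messages
# differently and is not decoded here, so it is treated as unrecognized.
VERSION_NAMES = {0: "1", 1: "2c", 3: "3"}

def _ber_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def snmp_version(payload: bytes) -> Optional[str]:
    """Return '1', '2c' or '3' for a well-formed SNMP message, else None."""
    try:
        if payload[0] != 0x30:                    # outer SEQUENCE tag
            return None
        seq_len, pos = _ber_length(payload, 1)
        if pos + seq_len != len(payload):         # length must cover datagram
            return None
        if payload[pos] != 0x02:                  # INTEGER tag of version
            return None
        int_len, pos = _ber_length(payload, pos + 1)
        if not 1 <= int_len <= 4 or pos + int_len > len(payload):
            return None
        version = int.from_bytes(payload[pos:pos + int_len], "big", signed=True)
        return VERSION_NAMES.get(version)
    except (IndexError, ValueError):
        return None

def inspect_snmp(payload: bytes, denied_versions: set) -> Tuple[str, str]:
    """Mimic an SNMP map: drop malformed messages and denied versions."""
    version = snmp_version(payload)
    if version is None:
        return "drop", "unrecognized or malformed SNMP message"
    if version in denied_versions:
        return "drop", f"SNMP version {version} denied by inspect map"
    return "permit", f"SNMP version {version}"

# Constructed sample traffic: a GetRequest PDU for mib-2 (1.3.6.1.2.1).
_GET_REQUEST_PDU = bytes.fromhex(
    "a019 0204 00000001 0201 00 0201 00 300b 3009 0605 2b06010201 0500")

def build_community_msg(version: int, community: bytes) -> bytes:
    """Build a minimal SNMPv1 (0) or SNMPv2c (1) message with a community."""
    body = (b"\x02\x01" + bytes([version]) + b"\x04" + bytes([len(community)])
            + community + _GET_REQUEST_PDU)
    return b"\x30" + bytes([len(body)]) + body   # short-form length suffices

# Header of a constructed SNMPv3 message; only the version field matters here.
V3_HEADER_SAMPLE = bytes.fromhex("3005 020103 3000")
```

A real inspection engine also validates the rest of the PDU; this block stops at the version field because that is the only thing an SNMP map's version deny decides on.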
Select SNMP Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SNMP Map
The Select SNMP Map dialog box lets you select or create a new SNMP map. An SNMP map lets you change the configuration values used for SNMP application inspection. The Select SNMP Map table provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default SNMP inspection map—Specifies to use the default SNMP map.
Select an SNMP map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
SNMP Inspect Map
Configuration > Global Objects > Inspect Maps > SNMP
The SNMP pane lets you view previously configured SNMP application inspection maps. An SNMP map lets you change the default configuration values used for SNMP application inspection.
Fields
Map Name—Lists previously configured application inspection maps. Select a map and click Edit to view or change an existing map.
Add—Configures a new SNMP inspect map.
Edit—Edits the selected SNMP entry in the SNMP Inspect Maps table.
Delete—Deletes the inspect map selected in the SNMP Inspect Maps table.
Add/Edit SNMP Map
Configuration > Global Objects > Inspect Maps > SNMP > Add/Edit SNMP Map (You can get to this dialog box through various paths.)
The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.
    Fields
    SNMP Map Name—Defines the name of the application inspection map.
    SNMP version 1—Enables application inspection for SNMP version 1.
    SNMP version 2 (party based)—Enables application inspection for SNMP version 2.
    SNMP version 2c (community based)—Enables application inspection for SNMP version 2c.
    SNMP version 3—Enables application inspection for SNMP version 3.
XDMCP Inspection
XDMCP inspection is enabled by default; however, the XDMCP inspection engine depends on proper configuration of the established command.
XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP when established.
For successful negotiation and start of an XWindows session, the ASA must allow the TCP back connection from the Xhosted computer. To permit the back connection, use the established command on the ASA. Once XDMCP negotiates the port to send the display, the established command is consulted to verify whether this back connection should be permitted.
During the XWindows session, the manager talks to the display Xserver on the well-known port 6000 + n. Each display has a separate connection to the Xserver, as a result of the following terminal setting:
setenv DISPLAY Xserver:n
where n is the display number.
When XDMCP is used, the display is negotiated using IP addresses, which the ASA can NAT if needed. XDMCP inspection does not support PAT.
PART 5
Configuring Unified Communications
Chapter 15      Information About Cisco Unified Communications Proxy Features
(page 15-1)
This chapter describes how to configure the adaptive security appliance for Cisco Unified Communications Proxy features.
This chapter includes the following sections:
Information About the Adaptive Security Appliance in Cisco Unified Communications, page 15-1
TLS Proxy Applications in Cisco Unified Communications, page 15-3
Licensing for Cisco Unified Communications Proxy Features, page 15-4
Information About the Adaptive Security Appliance in Cisco Unified Communications
This section describes the Cisco UC Proxy features on the Cisco ASA 5500 series appliances. The purpose of a proxy is to terminate and reoriginate connections between a client and server. The proxy delivers a range of security functions such as traffic inspection, protocol conformance, and policy control to ensure security for the internal network. An increasingly popular function of a proxy is to terminate encrypted connections in order to apply security policies while maintaining confidentiality of connections. The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified communications deployments.
The Cisco UC Proxy includes the following solutions:
Phone Proxy: Secure remote access for Cisco encrypted endpoints, and VLAN traversal for Cisco softphones
The phone proxy feature enables termination of Cisco SRTP/TLS-encrypted endpoints for secure remote access. The phone proxy allows large scale deployments of secure phones without a large scale VPN remote access hardware deployment. End-user infrastructure is limited to just the IP endpoint, without VPN tunnels or hardware.
The Cisco adaptive security appliance phone proxy is the replacement product for the Cisco Unified Phone Proxy. Additionally, the phone proxy can be deployed for voice/data VLAN traversal for softphone applications. Cisco IP Communicator (CIPC) traffic (both media and signaling) can be proxied through the ASA, thus traversing calls securely between voice and data VLANs.
For information about the differences between the TLS proxy and phone proxy, go to the following URL for Unified Communications content, including the TLS Proxy vs. Phone Proxy white paper:
http://www.cisco.com/go/secureuc
TLS Proxy: Decryption and inspection of Cisco Unified Communications encrypted signaling
End-to-end encryption often leaves network security appliances “blind” to media and signaling traffic, which can compromise access control and threat prevention security functions. This lack of visibility can result in a lack of interoperability between the firewall functions and the encrypted voice, leaving businesses unable to satisfy both of their key security requirements.
The ASA is able to intercept and decrypt encrypted signaling from Cisco encrypted endpoints to the Cisco Unified Communications Manager (Cisco UCM), and apply the required threat protection and access control. It can also ensure confidentiality by re-encrypting the traffic onto the Cisco UCM servers. Typically, the ASA TLS Proxy functionality is deployed in a campus unified communications network. This solution is ideal for deployments that utilize end-to-end encryption and firewalls to protect Unified Communications Manager servers.
Mobility Proxy: Secure connectivity between Cisco Unified Mobility Advantage server and Cisco Unified Mobile Communicator clients
Cisco Unified Mobility solutions include the Cisco Unified Mobile Communicator (Cisco UMC), an easy-to-use software application for mobile handsets that extends enterprise communications applications and services to mobile phones, and the Cisco Unified Mobility Advantage (Cisco UMA) server. The Cisco Unified Mobility solution streamlines the communication experience, enabling single number reach and integration of mobile endpoints into the Unified Communications infrastructure.
The security appliance acts as a proxy, terminating and reoriginating the TLS signaling between the Cisco UMC and Cisco UMA. As part of the proxy security functionality, inspection is enabled for the Cisco UMA Mobile Multiplexing Protocol (MMP), the protocol between Cisco UMC and Cisco UMA.
Presence Federation Proxy: Secure connectivity between Cisco Unified Presence servers and Cisco/Microsoft Presence servers
The Cisco Unified Presence solution collects information about the availability and status of users, such as whether they are using communication devices, such as IP phones, at particular times. It also collects information regarding their communications capabilities, such as whether web collaboration or video conferencing is enabled. Using user information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco UCM can improve productivity by helping users connect with colleagues more efficiently through determining the most effective way for collaborative communication.
Using the ASA as a secure presence federation proxy, businesses can securely connect their Cisco Unified Presence (Cisco UP) servers to other Cisco or Microsoft Presence servers, enabling intra-enterprise communications. The security appliance terminates the TLS connectivity between the servers, and can inspect and apply policies for the SIP communications between the servers.
Cisco Intercompany Media Engine Proxy: Secure connectivity between Cisco UCM servers in different enterprises for IP Phone traffic
As more unified communications are deployed within enterprises, cases where business-to-business calls utilize unified communications on both sides with the Public Switched Telephone Network (PSTN) in the middle become increasingly common. All outside calls go over circuits to telephone providers and from there are delivered to all external destinations.
The Cisco Intercompany Media Engine gradually creates dynamic, encrypted VoIP connections between businesses, so that a collection of enterprises that work together end up looking like one giant business with secure VoIP interconnections between them.
There are three components to a Cisco Intercompany Media Engine deployment within an enterprise: a Cisco Intercompany Media Engine server, a call agent (the Cisco Unified Communications Manager), and an ASA running the Cisco Intercompany Media Engine Proxy.
The ASA provides perimeter security by encrypting signaling connections between enterprises and preventing unauthorized calls. An ASA running the Cisco Intercompany Media Engine Proxy can either be deployed as an Internet firewall or be designated as a Cisco Intercompany Media Engine Proxy and placed in the DMZ, off the path of the regular Internet traffic.
TLS Proxy Applications in Cisco Unified Communications
Table 15-1 shows the Cisco Unified Communications applications that utilize the TLS proxy on the ASA.
The ASA supports TLS proxy for various voice applications. For the phone proxy, the TLS proxy running on the ASA has the following key features:
The ASA forces remote IP phones connecting to the phone proxy through the Internet to be in secured mode even when the Cisco UCM cluster is in non-secure mode.
The TLS proxy is implemented on the ASA to intercept the TLS signaling from IP phones.
The TLS proxy decrypts the packets, sends packets to the inspection engine for NAT rewrite and protocol conformance, optionally encrypts packets, and sends them to Cisco UCM or sends them in clear text if the IP phone is configured to be in nonsecure mode on the Cisco UCM.
The ASA acts as a media terminator as needed and translates between SRTP and RTP media streams.
The TLS proxy is a transparent proxy that works based on establishing a trusted relationship between the TLS client, the proxy (the ASA), and the TLS server.
Table 15-1 TLS Proxy Applications and the Security Appliance
(Columns: Application; TLS Client; TLS Server; Client Authentication; Security Appliance Server Role; Security Appliance Client Role)

Phone Proxy and TLS Proxy
    TLS Client: IP phone
    TLS Server: Cisco UCM
    Client Authentication: Yes
    Security Appliance Server Role: Proxy certificate, self-signed or by internal CA
    Security Appliance Client Role: Local dynamic certificate signed by the ASA CA (might not need certificate for phone proxy application)

Mobility Proxy
    TLS Client: Cisco UMC
    TLS Server: Cisco UMA
    Client Authentication: No
    Security Appliance Server Role: Using the Cisco UMA private key or certificate impersonation
    Security Appliance Client Role: Any static configured certificate

Presence Federation Proxy
    TLS Client: Cisco UP or MS LCS/OCS
    TLS Server: Cisco UP or MS LCS/OCS
    Client Authentication: Yes
    Security Appliance Server Role: Proxy certificate, self-signed or by internal CA
    Security Appliance Client Role: Using the Cisco UP private key or certificate impersonation
For the Cisco Unified Mobility solution, the TLS client is a Cisco UMA client and the TLS server is a Cisco UMA server. The ASA is between a Cisco UMA client and a Cisco UMA server. The mobility proxy (implemented as a TLS proxy) for Cisco Unified Mobility allows the use of an imported PKCS-12 certificate for server proxy during the handshake with the client. Cisco UMA clients are not required to present a certificate (no client authentication) during the handshake.
For the Cisco Unified Presence solution, the ASA acts as a TLS proxy between the Cisco UP server and the foreign server. This allows the ASA to proxy TLS messages on behalf of the server that initiates the TLS connection, and route the proxied TLS messages to the client. The ASA stores certificate trustpoints for the server and the client, and presents these certificates on establishment of the TLS session.
Licensing for Cisco Unified Communications Proxy Features
The Cisco Unified Communications proxy features supported by the ASA require a Unified Communications Proxy license:
Phone proxy
TLS proxy for encrypted voice inspection
Presence federation proxy
Intercompany media engine proxy
Note: In Version 8.2(2) and later, the Mobility Advantage proxy no longer requires a Unified Communications Proxy license.
The following table shows the Unified Communications Proxy license details by platform for the phone proxy, TLS proxy for encrypted voice inspection, and presence federation proxy:
Note: This feature is not available on No Payload Encryption models.
Model       License Requirement
ASA 5505    Base License and Security Plus License: 2 sessions.
            Optional license: 24 sessions.
ASA 5510    Base License and Security Plus License: 2 sessions.
            Optional licenses: 24, 50, or 100 sessions.
ASA 5520    Base License: 2 sessions.
            Optional licenses: 24, 50, 100, 250, 500, 750, or 1000 sessions.
ASA 5540    Base License: 2 sessions.
            Optional licenses: 24, 50, 100, 250, 500, 750, 1000, or 2000 sessions.
ASA 5550    Base License: 2 sessions.
            Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, or 3000 sessions.
ASA 5580    Base License: 2 sessions.
            Optional licenses: 24, 50, 100, 250, 500, 750, 1000, 2000, 3000, 5000, or 10,000 sessions.