
Cisco Asdm 7 User Guide

Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 24 Troubleshooting Connections and Resources
Testing Your Configuration
    Tracing Packets with Packet Tracer
The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as detailed information about the packets and how they are processed by the ASA. If a configuration command did not cause the packet to drop, the packet tracer tool can provide information about the cause in an easily readable format.
In addition, you can use the packet tracer tool to trace the lifespan of a packet through the ASA and see whether the packet is processed correctly. This tool enables you to do the following:
• Debug all packet drops in a production network.
• Verify that the configuration is working as intended.
• Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.
• Show a time line of packet changes in a data path.
• Inject tracer packets into the data path.
• Search for an IPv4 or IPv6 address based on the user identity and the FQDN.
To use the packet tracer, perform the following steps:
Step 1 In the main ASDM application window, choose Tools > Packet Tracer.
The Cisco ASDM Packet Tracer dialog box appears.
Step 2 Choose the source interface for the packet trace from the drop-down list.
Step 3 Specify the protocol type for the packet trace. Available protocol types include ICMP, IP, TCP, and UDP.
Step 4 In the Source drop-down list, select one of the following options:
• IP Address
• User
• FQDN
• Security Tag
• Security Name
Select the Security Tag or Security Name option when you want to trace packets sent by the ASA when integrated with the Cisco TrustSec solution. Security names are created on the Cisco ISE and provide user-friendly names for security groups.
If a security policy is configured on the ASA with those security tags or security names, the ASA enforces the policy. (You can create security policies on the ASA that contain security tags or security names. To enforce policies based on security group names, the ASA needs the security group table to map security names to security tags.)
See the “Configuring the ASA to Integrate with Cisco TrustSec” section on page 39-1 in the general operations configuration guide for information about configuring the ASA to integrate with the Cisco TrustSec solution.
Step 5 Based on the option you selected from the Source drop-down list, enter the corresponding text for the item you want to trace; for example, enter the source IP address for the packet trace in the Source IP Address field.
Step 6 For TCP and UDP only, choose the source port for the packet trace from the drop-down list.
Step 7 In the Destination drop-down list, select one of the following options:
• IP Address
• FQDN
• Security Tag
• Security Name
Step 8 Based on the option you selected from the Destination drop-down list, enter the corresponding text for the item you want to trace; for example, enter the destination IP address for the packet trace in the Destination IP Address field.
Step 9 For TCP and UDP only, choose the destination port for the packet trace from the drop-down list.
Step 10 For ICMP only, choose the type of packet trace from the Type drop-down list. Then enter the trace code and trace ID in the appropriate fields.
Step 11 For IP only, enter the protocol number in the Protocol field. Valid values range from 0 to 255.
Step 12 Click Start to trace the packet.
The Information Display Area shows detailed messages about the results of the packet trace.
Note: To display a graphical representation of the packet trace, check the Show animation check box.
Step 13 Click Clear to start a new packet trace.
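The Information Display Area returns the trace as text, one block per processing phase followed by a final Result block. The following Python script, added here as an example and not taken from the Cisco guide, parses that text and reports which phase dropped the packet together with the configuration lines behind that verdict, which is the part of a trace you compare against the intended policy. The layout it expects (Phase, Type, Subtype, Result, Config and Additional Information per phase, then a Result block carrying Action and Drop-reason) is an assumption modelled on the CLI `packet-tracer` command, and the trace it parses is a constructed sample, not output captured from a device.

```python
# Added example (not code from the Cisco guide): parse the text a packet
# trace produces and report the phase and rule that dropped the packet.
# The layout is an assumption modelled on CLI `packet-tracer` output;
# the trace below is a constructed sample, not captured from a device.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: inbound TCP packet dropped by a deny ACL in phase 2.
SAMPLE_DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.1 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: List[str] = field(default_factory=list)  # CLI lines behind the verdict
    info: List[str] = field(default_factory=list)    # "Additional Information" lines


def _parse_phase(lines: List[str]) -> Phase:
    """Header 'Key: value' lines, then Config:, then Additional Information:."""
    header: Dict[str, str] = {}
    config: List[str] = []
    info: List[str] = []
    section = "header"
    for text in lines:
        if text == "Config:":
            section = "config"
        elif text == "Additional Information:":
            section = "info"
        elif section == "header":
            key, _, value = text.partition(":")
            header[key.strip().lower()] = value.strip()
        elif section == "config":
            config.append(text)
        else:
            info.append(text)
    return Phase(int(header.get("phase", "0")), header.get("type", ""),
                 header.get("subtype", ""), header.get("result", "").upper(),
                 config, info)


def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split a trace into its phases and the final 'Result:' block."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and lines[0].startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif lines and lines[0] == "Result:":
            for ln in lines[1:]:
                key, _, value = ln.partition(":")
                final[key.strip().lower()] = value.strip()
    return phases, final


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """First phase that returned DROP, or None when every phase allowed."""
    return next((p for p in phases if p.result == "DROP"), None)


def summarize(text: str) -> Dict[str, object]:
    """Verdict plus the rule responsible, ready for a ticket or a log line."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "action": final.get("action", "unknown"),
        "drop_reason": final.get("drop-reason"),
        "dropping_phase": drop.number if drop else None,
        "dropping_type": drop.type if drop else None,
        "config": drop.config if drop else [],
    }
```

Feed `summarize()` a trace saved from the dialog; the `config` list in its result is the access-group and access-list lines the ASA applied, so a drop that contradicts the intended policy can be traced to the exact rule without reading the whole trace.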
Monitoring Performance
To view ASA performance information in a graphical or tabular format, perform the following steps:
Step 1 In the ASDM main window, choose Monitoring > Properties > Connection Graphs > Perfmon.
Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click Remove. The available options are the following:
• AAA Perfmon—Displays the ASA AAA performance information.
• Inspection Perfmon—Displays the ASA inspection performance information.
• Web Perfmon—Displays the ASA web performance information, including URL access and URL server requests.
• Connections Perfmon—Displays the ASA connections performance information.
• Xlate Perfmon—Displays the ASA NAT performance information.
You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.
Step 4 Click Show Graphs to view performance statistics in a new or updated graph window.
Step 5 Click the Table tab to view the same performance statistics in a tabular format.
Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.
Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected performance statistics to export are already checked.
Step 8 (Optional) Click Export again to display the Save dialog box.
Step 9 (Optional) Click Save to save the performance statistics to a text file (.txt) on your local drive for future reference.
Step 10 (Optional) Click Print to display the Print Graph dialog box.
Step 11 (Optional) Choose the graph or table name from the drop-down list, then click Print to display the Print dialog box.
Step 12 (Optional) Click OK to print the selected performance statistics.
Monitoring System Resources
This section includes the following topics:
• Blocks, page 24-9
• CPU, page 24-10
• Memory, page 24-10
Blocks
To view the free and used memory blocks, perform the following steps:
Step 1 In the ASDM main window, choose Monitoring > Properties > System Resources Graphs > Blocks.
Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click Remove. The available options are the following:
• Blocks Used—Displays the ASA used memory blocks.
• Blocks Free—Displays the ASA free memory blocks.
You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.
Step 4 Click Show Graphs to view system resource statistics in a new or updated graph window.
Step 5 Click the Table tab to view the same performance statistics in a tabular format.
Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.
Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected memory block statistics to export are already checked.
Step 8 (Optional) Click Export again to display the Save dialog box.
Step 9 (Optional) Click Save to save the memory block statistics to a text file (.txt) on your local drive for future reference.
Step 10 (Optional) Click Print to display the Print Graph dialog box.
Step 11 (Optional) Choose the graph or table name from the drop-down list, then click Print to display the Print dialog box.
Step 12 (Optional) Click OK to print the selected memory block statistics.
CPU
To view the CPU utilization, perform the following steps:
Step 1 In the ASDM main window, choose Monitoring > Properties > System Resources Graphs > CPU.
Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click Remove.
You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.
Step 4 Click Show Graphs to view system resource statistics in a new or updated graph window.
Step 5 Click the Table tab to view the same performance statistics in a tabular format.
Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.
Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected CPU utilization statistics to export are already checked.
Step 8 (Optional) Click Export again to display the Save dialog box.
Step 9 (Optional) Click Save to save the CPU utilization statistics to a text file (.txt) on your local drive for future reference.
Step 10 (Optional) Click Print to display the Print Graph dialog box.
Step 11 (Optional) Choose the graph or table name from the drop-down list, then click Print to display the Print dialog box.
Step 12 (Optional) Click OK to print the selected CPU utilization statistics.
Memory
To view the memory utilization, perform the following steps:
Step 1 In the ASDM main window, choose Monitoring > Properties > System Resources Graphs > Blocks.
Step 2 Select one or more entries from the Available Graphs list, then click Add to move them to the Selected Graphs list. To remove an entry from the Selected Graphs list, click Remove. The available options are the following:
• Free Memory—Displays the ASA free memory.
• Used Memory—Displays the ASA used memory.
You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Step 3 To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title in the Graph Window Title field.
Step 4 Click Show Graphs to view system resource statistics in a new or updated graph window.
Step 5 Click the Table tab to view the same performance statistics in a tabular format.
Step 6 From the View drop-down list on either tab, choose to display updates to information in the following time periods: Real-time, data every 10 sec; Last 10 minutes, data every 10 sec; Last 60 minutes, data every 1 min; Last 12 hours, data every 12 minutes; or Last 5 days, data every two hours.
Step 7 (Optional) Click Export to display the Export Graph Data dialog box. The selected memory utilization statistics to export are already checked.
Step 8 (Optional) Click Export again to display the Save dialog box.
Step 9 (Optional) Click Save to save the memory utilization statistics to a text file (.txt) on your local drive for future reference.
Step 10 (Optional) Click Print to display the Print Graph dialog box.
Step 11 (Optional) Choose the graph or table name from the drop-down list, then click Print to display the Print dialog box.
Step 12 (Optional) Click OK to print the selected memory utilization statistics.
Monitoring Connections
To view current connections in a tabular format, in the ASDM main window, choose Monitoring > Properties > Connections. Each connection is identified by the following parameters:
• Protocol
• Source:
– Security ID
– Security Name
– IP address
– Port
• Destination:
– Security ID
– Security Name
– IP address
– Port
• Idle time since the last packet was sent or received
• Amount of sent and received traffic on the connection
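As an added example, not code from the Cisco guide, the following Python script parses a connection listing into the fields the table above exposes (protocol, each endpoint's address and port, idle time, traffic volume) and flags connections that have been idle unusually long or have carried an unusually large amount of data, the two conditions that most often deserve a second look when the connection table is reviewed. The line format is an assumption modelled on the CLI `show conn` output, with the interface name, address and port of each end followed by idle time, bytes and flags; the Security ID and Security Name columns are not represented, and the records are constructed samples.

```python
# Added example (not from the Cisco guide): parse a connection listing like
# the Monitoring > Properties > Connections table and flag entries worth a
# second look. The line format is an assumption modelled on the CLI
# `show conn` output; every record below is a constructed sample.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines: protocol, interface and address:port of each
# end, idle time since the last packet, bytes transferred, and flags.
SAMPLE_CONN_LINES = """\
TCP outside 203.0.113.5:443 inside 10.1.1.10:52344, idle 0:00:05, bytes 18422, flags UIO
UDP outside 198.51.100.7:53 inside 10.1.1.22:41000, idle 0:00:02, bytes 310, flags -
TCP outside 203.0.113.9:22 inside 10.1.1.50:60123, idle 2:15:40, bytes 9876543, flags UIO
TCP outside 192.0.2.77:8443 inside 10.1.1.10:50111, idle 0:00:01, bytes 734003215, flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<addr_a>\S+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<addr_b>\S+):(?P<port_b>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+bytes\s+(?P<bytes>\d+)"
    r"(?:,\s+flags\s+(?P<flags>\S+))?"
)


@dataclass
class Connection:
    proto: str
    if_a: str        # first endpoint as listed (order as printed by the CLI)
    addr_a: str
    port_a: int
    if_b: str        # second endpoint as listed
    addr_b: str
    port_b: int
    idle_seconds: int
    bytes: int
    flags: str


def idle_to_seconds(idle: str) -> int:
    """'h:mm:ss' idle time -> seconds."""
    hours, minutes, seconds = (int(x) for x in idle.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_connections(text: str) -> List[Connection]:
    """Parse every line that matches the format; skip headers and blanks."""
    conns: List[Connection] = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Connection(
            proto=m["proto"], if_a=m["if_a"], addr_a=m["addr_a"],
            port_a=int(m["port_a"]), if_b=m["if_b"], addr_b=m["addr_b"],
            port_b=int(m["port_b"]), idle_seconds=idle_to_seconds(m["idle"]),
            bytes=int(m["bytes"]), flags=m["flags"] or "",
        ))
    return conns


def flag_connections(conns: List[Connection], max_idle_seconds: int = 3600,
                     max_bytes: int = 500_000_000) -> List[Tuple[Connection, str]]:
    """(connection, reason) pairs for stale or unusually large flows.

    Sessions that sit idle for hours hold connection-table slots; a single
    flow moving hundreds of megabytes is worth checking against what the
    endpoint is expected to transfer. Thresholds are illustrative defaults."""
    findings: List[Tuple[Connection, str]] = []
    for c in conns:
        if c.idle_seconds > max_idle_seconds:
            findings.append((c, f"idle {c.idle_seconds}s exceeds {max_idle_seconds}s"))
        if c.bytes > max_bytes:
            findings.append((c, f"{c.bytes} bytes exceeds {max_bytes}"))
    return findings
```

The thresholds are parameters rather than constants because the right values depend on the environment: a site that runs long-lived database replication sessions will set `max_idle_seconds` and `max_bytes` far higher than one whose outbound traffic is interactive web browsing.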
Monitoring Per-Process CPU Usage
You can monitor the processes that run on the CPU. You can obtain information about the percentage of CPU that is used by a certain process. CPU usage statistics are sorted in descending order to display the highest consumer at the top. Also included is information about the load on the CPU per process, at 5 seconds, 1 minute, and 5 minutes before the log time. This information is updated automatically every 5 seconds to provide real-time statistics. In ASDM, it is updated every 30 seconds.
To view CPU usage on a per-process basis, perform the following steps:
Step 1 In the ASDM main window, choose Monitoring > Properties > Per-Process CPU Usage.
Step 2 To pause the auto-refresh of the screen, click Stop auto-refresh.
Step 3 To save the information on the screen to a local text file, click Save log to local file.
The Save dialog box appears.
Step 4 Enter the name of the text file, then click Save.
To color code processes according to their CPU usage range, click Configure CPU usage.
The Color Settings dialog box appears.
Step 5 Choose one of the following range options: 49% and below, 50% to 79%, and 80% and above.
Step 6 Click the foreground or background cell to display the Pick a Color dialog box, and select the foreground and background colors for the given ranges.
Step 7 Click one of the following tabs to pick the color palette: Swatches, HSB, or RGB. When you are done, click OK.
Step 8 Click OK to view the color-coded entries.
Step 9 Click Refresh to refresh the data manually at any time.
PART 7
Configuring Advanced Network Protection
Chapter 25
Configuring the ASA for Cisco Cloud Web Security
Cisco Cloud Web Security provides web security and web filtering services through the Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use Cloud Web Security services without having to install additional hardware.
When Cloud Web Security is enabled on the ASA, the ASA transparently redirects selected HTTP and HTTPS traffic to the Cloud Web Security proxy servers. The Cloud Web Security proxy servers then scan the content and allow, block, or send a warning about the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware.
The ASA can optionally authenticate and identify users with Identity Firewall (IDFW) and AAA rules. The ASA encrypts and includes the user credentials (including usernames and/or user groups) in the traffic it redirects to Cloud Web Security. The Cloud Web Security service then uses the user credentials to match the traffic to the policy. It also uses these credentials for user-based reporting. Without user authentication, the ASA can supply an (optional) default username and/or group, although usernames and groups are not required for the Cloud Web Security service to apply policy.
You can customize the traffic you want to send to Cloud Web Security when you create your service policy rules. You can also configure a “whitelist” so that a subset of web traffic that matches the service policy rule instead goes directly to the originally requested web server and is not scanned by Cloud Web Security.
You can configure a primary and a backup Cloud Web Security proxy server, each of which the ASA polls regularly to check for availability.
Note: This feature is also called “ScanSafe,” so the ScanSafe name appears in some commands.
This chapter includes the following sections:
• Information About Cisco Cloud Web Security, page 25-2
• Licensing Requirements for Cisco Cloud Web Security, page 25-6
• Prerequisites for Cloud Web Security, page 25-7
• Guidelines and Limitations, page 25-7
• Default Settings, page 25-8
• Configuring Cisco Cloud Web Security, page 25-8
• Monitoring Cloud Web Security, page 25-26
• Related Documents, page 25-27
• Feature History for Cisco Cloud Web Security, page 25-27
Information About Cisco Cloud Web Security
This section includes the following topics:
• Redirection of Web Traffic to Cloud Web Security, page 25-2
• User Authentication and Cloud Web Security, page 25-2
• Authentication Keys, page 25-3
• ScanCenter Policy, page 25-4
• Cloud Web Security Actions, page 25-5
• Bypassing Scanning with Whitelists, page 25-6
• IPv4 and IPv6 Support, page 25-6
• Failover from Primary to Backup Proxy Server, page 25-6
Redirection of Web Traffic to Cloud Web Security
When an end user sends an HTTP or HTTPS request, the ASA receives it and optionally retrieves the user and/or group information. If the traffic matches an ASA service policy rule for Cloud Web Security, then the ASA redirects the request to the Cloud Web Security proxy servers. The ASA acts as an intermediary between the end user and the Cloud Web Security proxy server by redirecting the connection to the proxy server. The ASA changes the destination IP address and port in the client requests and adds Cloud Web Security-specific HTTP headers and then sends the modified request to the Cloud Web Security proxy server. The Cloud Web Security HTTP headers include various kinds of information, including the username and user group (if available).
User Authentication and Cloud Web Security
User identity can be used to apply policy in Cloud Web Security. User identity is also useful for Cloud Web Security reporting. User identity is not required to use Cloud Web Security. There are other methods to identify traffic for Cloud Web Security policy.