Cisco ASA 5508-X, Configuration Manual

Page 1: ...go offices Cisco ASA Series Firewall CLI Configuration Guide Software Version 9 4 For the ASA 5506 X ASA 5506H X ASA 5506W X ASA 5508 X ASA 5512 X ASA 5515 X ASA 5516 X ASA 5525 X ASA 5545 X ASA 5555 X ASA 5585 X ASA Services Module and the Adaptive Security Virtual Appliance First Published March 23 2015 Last Updated April 7 2015 Text Part Number N A Online only ...

Page 2: ...LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR...

Page 3: ...e Security Device Manager ASDM a web based GUI application ASDM includes configuration wizards to guide you through some common configuration scenarios and online help for less common scenarios Throughout this guide the term ASA applies generically to supported models unless specified otherwise Related Documentation For more information see Navigating the Cisco ASA Series Documentation at http www...

Page 4: ...s an RSS feed and deliver content directly to your desktop using a reader application The RSS feeds are a free service x y z Required alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars string A nonquoted set of characters Do not use quotation marks around the string or the string will ...

Page 5: ...ge 1 2 URL Filtering page 1 3 Threat Protection page 1 3 Network Address Translation page 1 4 Application Inspection page 1 5 Use Case Expose a Server to the Public page 1 5 How to Implement Firewall Services The following procedure provides a general sequence for implementing firewall services However each step is optional needed only if you want to provide the service to your network Before You ...

Page 6: ... information already defined in your Active Directory AD server Then configure the ASA to get this information and add user or group criteria to your access rules Install Cisco Identity Services Engine ISE on a separate server to implement Cisco Trustsec You can then add security group criteria to your access rules Install the ASA FirePOWER module on the ASA and implement identity policies in the ...

Page 7: ...ou configure your filtering policies in ScanCenter and then configure the ASA to send traffic to your Cloud Web Security account Install the ASA FirePOWER module on the ASA and use URL filtering criteria in your ASA FirePOWER access rules These policies apply to any traffic that you redirect to the module Related Topics ASA and Cisco Cloud Web Security page 8 1 ASA FirePOWER Module page 7 1 Threat...

Page 8: ...of the main functions of Network Address Translation NAT is to enable private IP networks to connect to the Internet NAT replaces a private IP address with a public IP address translating the private addresses in the internal private network into legal routable addresses that can be used on the public Internet In this way NAT conserves public addresses because you can advertise at a minimum only o...

Page 9: ...h interface or both Related Topics Service Policy Using the Modular Policy Framework page 11 1 Getting Started with Application Layer Protocol Inspection page 12 1 Inspection of Basic Internet Protocols page 13 1 Inspection for Voice and Video Protocols page 14 1 Inspection of Database Directory and Management Protocols page 15 1 Use Case Expose a Server to the Public You can make certain applicat...

Page 10: ... static 209 165 201 10 Step 3 Add an access rule to the access group attached to the outside interface to permit web access to the server hostname config access list outside_access_in line 1 extended permit tcp any4 object myWebServ eq http Step 4 If you do not already have an access group on the outside interface apply it using the access group command hostname config access group outside_access_...

Page 11: ...P A R T 1 Access Control ...

Page 12: ......

Page 13: ...lines for Objects IPv6 Guidelines Supports IPv6 with the following restrictions The ASA does not support IPv6 nested network object groups so you cannot group an object with IPv6 entries under another IPv6 object group You can mix IPv4 and IPv6 entries in a network object group you cannot use a mixed object group for NAT Additional Guidelines and Limitations Objects must have unique names because ...

Page 14: ... firewall configuration guide for more information about configuring object NAT Procedure Step 1 Create or edit a network object using the object name hostname config object network object_name Example hostname config object network email server Step 2 Add an address to the object using one of the following commands Use the no form of the command to remove the object host IPv4_address IPv6_address...

Page 15: ...800 200C 417A network object IPv4_address IPv4_mask IPv6_address IPv6_prefix The address of a network or host For IPv4 subnets include the mask after a space for example 10 0 0 0 255 0 0 0 For IPv6 include the address and prefix as a single unit no spaces such as 2001 DB8 0 CD30 60 network object object object_name The name of an existing network object group object object_group_name The name of a...

Page 16: ...ost 10 1 4 89 hostname config network network object host 10 1 4 100 You then nest all three groups together as follows hostname config object group network admin hostname config network group object eng hostname config network group object hr hostname config network group object finance Configure Service Objects and Service Groups Service objects and groups identify protocols and ports Use these ...

Page 17: ... service object group includes a mix of protocols if desired including optional source and destination ports for TCP or UDP Before You Begin You can model all services using the generic service object group which is explained here However you can still configure the types of service group objects that were available prior to ASA 8 3 1 These legacy objects include TCP UDP TCP UDP port groups protoc...

Page 18: ...ct icmp echo hostname config service object group service object object my service hostname config service object group group object Engineering_groups Step 3 Optional Add a description hostname config service object group description string Examples The following example shows how to add both TCP and UDP services to a service object group hostname config object group service CommonApps hostname c...

Page 19: ...object group using the object name hostname config object group user group_name Example hostname config object group user admins Step 2 Add users and groups to the user object group using one or more of the following commands Use the no form of the command to remove an object user domain_NETBIOS_name username A username If there is a space in the domain name or username you must enclose the domain...

Page 20: ...te on the ASA to control access to network resources You can use the security object group as part of an access group or service policy For information on how to integrate the ASA with Trustsec see Chapter 6 ASA and Cisco TrustSec Tip If you create a group with tags or names that are not known to the ASA any rules that use the group will be inactive until the tags or names are resolved with ISE Pr...

Page 21: ...e defines the time range only You must then use the object in an access control rule Procedure Step 1 Create the time range time range name Step 2 Optional Add a start or end time or both to the time range absolute start time date end time date If you do not specify a start time the default start time is now The time is in the 24 hour format hh mm For example 8 00 is 8 00 a m and 20 00 is 8 00 p m...

Page 22: ...ursday asa4 config time range contract A access asa4 config time range absolute end 12 00 1 September 2025 asa4 config time range periodic weekdays 08 00 to 17 00 asa4 config time range periodic Monday Wednesday Friday 18 00 to 20 00 asa4 config time range periodic Tuesday Thursday 17 30 to 18 30 Monitoring Objects To monitor objects and groups enter the following commands show access list Display...

Page 23: ...ject access list extended access list webtype access list remark User Object Groups for Identity Firewall 8 4 2 User object groups for identity firewall were introduced We introduced the following commands object network user user Security Group Object Groups for Cisco TrustSec 8 4 2 Security group object groups for Cisco TrustSec were introduced We introduced the following commands object network...

Page 24: ...2 12 Cisco ASA Series Firewall CLI Configuration Guide Chapter 2 Objects for Access Control History for Objects ...

Page 25: ... About ACLs Access control lists ACLs identify traffic flows by one or more characteristics including source and destination IP address IP protocol ports EtherType and other parameters depending on the type of ACL ACLs are used in a variety of features ACLs are made up of one or more access control entries ACEs ACL Types The ASA uses the following types of ACLs Extended ACLs Extended ACLs are the ...

Page 26: ...d to configure management access according to the general operations configuration guide Identify traffic for AAA rules Extended AAA rules use ACLs to identify traffic Augment network access control for IP traffic for a given user Extended downloaded from a AAA server per user You can configure the RADIUS server to download a dynamic ACL to be applied to the user or the server can send the name of...

Page 27: ...tion Use the show access list name command to view the ACL entries and their line numbers to help determine the right number to use For other types of ACL you must rebuild the ACL or better use ASDM to change the order of ACEs Permit Deny vs Match Do Not Match Access control entries either permit or deny traffic that matches the rule When you apply an ACL to a feature that determines whether traff...

Page 28: ... command Botnet Traffic Filter traffic classification dynamic filter enable classify list command AAA Rules aaa match commands WCCP wccp redirect list group list command For example if you configure NAT for an inside server 10 1 1 5 so that it has a publicly routable IP address on the outside 209 165 201 5 then the access rule to allow the outside traffic to access the inside server needs to refer...

Page 29: ... and cluster units as normal IPv6 Extended and webtype ACLs allow a mix of IPv4 and IPv6 addresses Standard ACLs do not allow IPv6 addresses EtherType ACLs do not contain IP addresses Additional Guidelines When you specify a network mask the method is different from the Cisco IOS software access list command The ASA uses a network mask for example 255 255 255 0 for a Class C mask The Cisco IOS mas...

Page 30: ...8 0DB8 800 200C 417A any hitcnt 0 0x79797f94 access list outside_access_in line 3 extended permit ip user group LOCAL usergroup any any hitcnt 0 0xb0f5b1e1 Add an ACE The command for adding an ACE is access list name line line num type parameters The line number argument works for extended ACLs only If you include the line number the ACE is inserted at that location in the ACL and the ACE that was...

Page 31: ...nded ACLs An extended ACL is composed of all ACEs with the same ACL ID or name Extended ACLs are the most complex and feature rich type of ACL and you can use them for many features The most noteworthy use of extended ACLs is as access groups applied globally or to interfaces which determine the traffic that will be denied or permitted to flow through the box But extended ACLs are also used to det...

Page 32: ...col and a source or destination port or ICMP type and code object group service_grp_id Specifies a service object group created using the object group service command Source Address Destination Address The source_address_argument specifies the IP address or FQDN from which the packet is being sent and the dest_address_argument specifies the IP address or FQDN to which the packet is being sent host...

Page 33: ...st the basic address matching ACE where the protocol is tcp or udp Because these protocols use ports you can add port specifications to the ACE For example you can target HTTP traffic on TCP port 80 To add an ACE for IP address or FQDN matching where the protocol is TCP or UDP use the following command access list access_list_name line line_number extended deny permit tcp udp source_address_argume...

Page 34: ... object group icmp_grp_id Specifies an object group for ICMP ICMP6 created using the object group service or deprecated object group icmp command For an explanation of the other keywords see Add an Extended ACE for IP Address or Fully Qualified Domain Name Based Matching page 3 7 Add an Extended ACE for User Based Matching Identity Firewall The user based extended ACE is just the basic address mat...

Page 35: ...Cisco TrustSec page 3 11 Add an Extended ACE for Security Group Based Matching Cisco TrustSec The security group Cisco TrustSec extended ACE is just the basic address matching ACE where you include security groups or tags to the source or destination matching criteria By creating rules based on security groups you can avoid tying rules to static host or network addresses Because you must still sup...

Page 36: ...he ACL from accessing a website at address 209 165 201 29 All other traffic is allowed hostname config access list ACL_IN extended deny tcp any host 209 165 201 29 eq www hostname config access list ACL_IN extended permit ip any any The following ACL that uses object groups restricts several hosts on the inside network from accessing several web servers All other traffic is allowed hostname config...

Page 37: ...tended permit ip any any hostname config access group ACL_IN in interface inside If you make two network object groups one for the inside hosts and one for the web servers then the configuration can be simplified and can be easily modified to add more hosts hostname config object group network denied hostname config network network object host 10 1 1 4 hostname config network network object host 1...

Page 38: ...tions The following sections explain each type of ACE Add a Webtype ACE for URL Matching page 3 14 Adding a Webtype ACE for IP Address Matching page 3 15 Examples for Webtype ACLs page 3 16 Add a Webtype ACE for URL Matching To match traffic based on the URL the user is trying to access use the following command access list access_list_name webtype deny permit url url_string any log level interval...

Page 39: ...enter the log option without any arguments you enable syslog message 106102 at the default level 6 and for the default interval 300 seconds Log options are level A severity level between 0 and 7 The default is 6 interval secs The time interval in seconds between syslog messages from 1 to 600 The default is 300 disable Disables all ACL logging default Enables logging to message 106103 This setting ...

Page 40: ...e one of the following lt less than gt greater than eq equal to neq not equal to range an inclusive range of values When you use this operator specify two port numbers for example range 100 200 The port can be the integer or name of a TCP port Examples for Webtype ACLs The following example shows how to deny access to a specific company URL hostname config access list acl_company webtype deny url ...

Page 41: ...scenario we have a root folder named shares that contains two sub folders named Marketing_Reports and Sales_Reports We want to specifically deny access to the shares Marketing_Reports folder access list CIFS_Avoid webtype deny url cifs 172 16 10 40 shares Marketing_Reports However due to the implicit deny all at the end of the ACL the above ACL makes all of the sub folders inaccessible shares Sale...

Page 42: ...ows common traffic originating on the inside interface hostname config access list ETHER ethertype permit ipx hostname config access list ETHER ethertype permit mpls unicast hostname config access group ETHER in interface inside The following ACL allows some EtherTypes through the ASA but it denies IPX hostname config access list ETHER ethertype deny ipx hostname config access list ETHER ethertype...

Page 43: ...n also create rules that refer to objects that do not exist or delete objects that are in use by access rules However you will get a commit error if you delete an object used by other rules such as NAT Procedure Step 1 Start the session hostname configure session session_name hostname config s If the session_name already exists you open that session Otherwise you are creating a new session Use the...

Page 44: ...ion and use the clear session session_name configuration command which empties the session without deleting it revert Committed sessions only To undo your changes returning the configuration back to what it was before you committed the session and delete the session show configuration session session_name To show the changes made in the session Monitoring ACLs To monitor ACLs enter one of the foll...

Page 45: ...must use the real untranslated addresses and ports for these features Using the real address and port means that if the NAT configuration changes you do not need to change the ACLs For more information see IP Addresses Used for Extended ACLs When You Use NAT page 3 4 Support for Identity Firewall in extended ACLs 8 4 2 You can now use identity firewall users and groups for the source and destinati...

Page 46: ...access list extended access list webtype We removed the following commands ipv6 access list ipv6 access list webtype ipv6 vpn filter Extended ACL and object enhancement to filter ICMP traffic by ICMP code 9 0 1 ICMP traffic can now be permitted denied based on ICMP code We introduced or modified the following commands access list extended service object service Configuration session for editing AC...

Page 47: ...is allowed through the ASA There are several different layers of rules that work together to implement your access control policy Extended access rules Layer 3 traffic assigned to interfaces You can apply separate rule sets ACLs in the inbound and outbound directions An extended access rule permits or denies traffic based on the source and destination traffic criteria Extended access rules assigne...

Page 48: ...ss rules are always processed before the general global access rules Global access rules apply only to inbound traffic Inbound and Outbound Rules You can configure access rules based on the direction of traffic Inbound Inbound access rules apply to traffic as it enters an interface Global and management access rules are always inbound Outbound Outbound rules apply to traffic as it exits an interfa...

Page 49: ... the packet against each rule in the order in which the rules are listed in the applied ACL After a match is found no more rules are checked For example if you create an access rule at the beginning that explicitly permits all traffic for an interface no further rules are ever checked Implicit Permits For routed mode the following types of traffic are allowed through by default Unicast IPv4 and IP...

Page 50: ... traffic that you previously allowed with an extended ACL or implicitly allowed from a high security interface to a low security interface However if you explicitly deny all traffic with an EtherType rule then IP and ARP traffic is denied only physical protocol traffic such as auto negotiation is still allowed If you configure a global access rule then the implicit deny comes after the global rule...

Page 51: ...sparent firewall mode can allow any IP traffic through Note Because these special types of traffic are connectionless you need to apply an access rule to both interfaces so returning traffic is allowed through The following table lists common traffic types that you can allow through the transparent firewall Management Access Rules You can configure access rules that control management traffic dest...

Page 52: ...Intermediate System IS IS The following types of traffic are not supported 802 3 formatted frames These frames are not handled by the rule because they use a length field as opposed to a type field EtherType Rules for Returning Traffic Because EtherTypes are connectionless you need to apply the rule to both interfaces if you want traffic to pass in both directions Allowing MPLS If you allow MPLS e...

Page 53: ...on Use the asp rule engine transactional commit access group command In ASDM rule descriptions are based on the access list remarks that come before the rule in the ACL for new rules you create in ASDM any descriptions are also configured as remarks before the related rule However the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI Normally you cannot...

Page 54: ...inst the interface ACL No per user override vpn filter Traffic is matched first against the interface ACL then against the VPN filter per user override vpn filter Traffic is matched against the VPN filter only The control plane keyword specifies if the rule is for to the box traffic For a global access group specify the global keyword to apply the extended ACL to the inbound direction of all inter...

Page 55: ...single host or to a network ip_address mask Step 2 Create rules for ICMPv6 IPv6 traffic ipv6 icmp permit deny host ipv6_address ipv6 network prefix length any icmp_type interface_name If you do not specify an icmp_type the rule applies to all types For the address you can apply the rule to any address to a single host or to a network ipv6 network prefix length Step 3 Optional Set rate limits on IC...

Page 56: ...yslog event viewer such as the one in ASDM to view messages related to access rules If you use default logging you see syslog message 106023 for explicitly denied flows only Traffic that matches the implicit deny entry that ends the rule list is not logged If the ASA is attacked the number of syslog messages for denied packets can be very large We recommend that you instead enable logging using sy...

Page 57: ...udes typical configuration examples for permitting or denying network access The following example adds a network object for inside server 1 performs static NAT for the server and enables access from the outside for inside server 1 hostname config object network inside server1 hostname config host 10 1 1 1 hostname config nat inside outside static 209 165 201 12 hostname config access list outside...

Page 58: ...fig access list outsideacl extended permit object group myaclog interface inside any History for Access Rules Feature Name Platform Releases Description Interface access rules 7 0 1 Controlling network access through the ASA using ACLs We introduced the following command access group Global access rules 8 3 1 Global access rules were introduced We modified the following command access group Suppor...

Page 59: ... 9 0 1 ICMP traffic can now be permitted denied based on ICMP code We introduced or modified the following commands access list extended service object service Transactional Commit Model on Access Group Rule Engine 9 1 5 When enabled a rule update is applied after the rule compilation is completed without affecting the rule matching performance We introduced the following commands asp rule engine ...

Page 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...

Page 61: ...r group names rather than through source IP addresses The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped usernames instead of network IP addresses The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active Directory AD Agent that provides the ...

Page 62: ...rt of the Identity Firewall on the ASA Active Directory administrators manage it The reliability and accuracy of the data depends on data in Active Directory Supported versions include Windows Server 2003 Windows Server 2008 and Windows Server 2008 R2 servers Active Directory AD Agent The AD Agent runs on a Windows server Supported Windows servers include Windows 2003 Windows 2008 and Windows 2008...

Page 63: ...tes users and generates user login security logs Alternatively the client can log into the network through a cut through proxy or VPN 2 ASA AD Server The ASA sends an LDAP query for the Active Directory groups configured on the AD Server The ASA consolidates local and Active Directory groups and applies access rules and Modular Policy Framework security policies based on user identity 5 ASA Client...

Page 64: ...to 512 user groups in active ASA policies A single access rule can contain one or more user groups or users Supports multiple domains Availability The ASA retrieves group information from the Active Directory and falls back to web authentication for IP addresses when the AD Agent cannot map a source IP address to a user identity The AD Agent continues to function when any of the Active Directory s...

Page 65: ...installed on a separate Windows server Scenario 2 shows a deployment with multiple Active Directory servers and multiple AD Agents installed on separate Windows servers Figure 5 3 Deployment Scenario with Redundant Components The following figure shows how all Identity Firewall components Active Directory server the AD Agent and the clients are installed and communicate on the LAN ASA AD Server AD...

Page 66: ...ure 5 5 WAN based Deployment The following figure also shows a WAN based deployment to support a remote site The Active Directory server is installed on the main site LAN However the AD Agent is installed and accessed by the clients at the remote site The remote clients connect to the Active Directory servers at the main site over a WAN Client ASA AD Servers AD Agent 304003 LAN NetBIOS Probe mkg e...

Page 67: ...d check before configuring the Identity Firewall Failover The Identity Firewall supports user identity IP address mapping and AD Agent status replication from active to standby when Stateful Failover is enabled However only user identity IP address mapping AD Agent status and domain status are replicated User and user group records are not replicated to the standby ASA When failover is configured ...

Page 68: ...esses With this implementation all the packets from the same router are able to pass the check because the ASA is unable to ascertain the actual MAC addresses behind the router The following ASA features do not support using the identity based object and FQDN in an extended ACL Route maps Crypto maps WCCP NAT Group policy except for VPN filters DAP You can use the user identity update active user ...

Page 69: ...the following characters are not valid For user group names the following characters are not valid How you configure the Identity Firewall to retrieve user information from the AD Agent affects the amount of memory used by the feature You specify whether the ASA uses on demand retrieval or full download retrieval Choosing on demand retrieval has the benefit of using less memory because only users ...

Page 70: ...ctive Directory Domain page 5 10 See also Deployment Scenarios page 5 4 for the ways in which you can deploy the Active Directory servers to meet your environment requirements Step 2 Configure the AD Agent in ASA See Configure Active Directory Agents page 5 13 See also Deployment Scenarios page 5 4 for the ways in which you can deploy the AD Agents to meet your environment requirements Step 3 Conf...

Page 71: ...ecifying the ldap base dn command is optional If you do not specify this command the ASA retrieves the defaultNamingContext from the Active Directory and uses it as the base DN Step 4 Specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request ldap scope subtree Example hostname config aaa server host ldap scope subtree Step 5 Specif...

Page 72: ...ed Specifying this command is optional Step 9 Allow the ASA to access the Active Directory domain controller over SSL ldap over ssl enable Example hostname config aaa server host ldap over ssl enable To support LDAP over SSL Active Directory server needs to be configured to have this support By default the Active Directory does not have SSL configured If SSL is not configured in the Active Directo...

Page 73: ... tag protocol radius Example hostname config aaa server adagent protocol radius Step 2 Enable the AD Agent mode ad agent mode Example hostname config ad agent mode Step 3 Configure the AAA server as part of a AAA server group and the AAA server parameters that are host specific for the AD Agent aaa server server tag interface name host server ip name key timeout seconds Example hostname config aaa...

Page 74: ... If the domain name includes a space enclose the entire name in quotation marks The domain name is not case sensitive The default domain is used for all users and user groups when a domain has not been explicitly configured for those users or groups When a default domain is not specified the default domain for users and groups is LOCAL For multiple context modes you can set a default domain name f...

Page 75: ... assigned to the IP address must be the only one in the NetBIOS response Otherwise the user identity of that IP address is considered invalid User not needed As long as the ASA received a NetBIOS response from the client the user identity is considered valid The Identity Firewall only performs NetBIOS probing for those users identities that are in the active state and exist in at least one securit...

Page 76: ...e When the domain is down and the disable user identity rule keyword is configured the ASA disables the user identity IP address mapping for that domain Additionally the status of all user IP addresses in that domain are marked as disabled in the output displayed by the show user identity user command By default this command is disabled Step 9 Enable user not found tracking By default this command...

Page 77: ...event to the ASA Step 13 Define the hello timer between the ASA and the AD Agent user identity ad agent hello timer seconds seconds retry times number Example hostname config user identity ad agent hello timer seconds 20 retry times 3 The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets The ASA uses the hello packet to obtain ASA replication statu...

Page 78: ... access rule configure your policy as usual for users and groups but then include a AAA rule that permits all None users you must permit these users so they can later trigger a AAA rule Then configure a AAA rule that denies Any users these users are not subject to the AAA rule and were handled already by the access rule but permits all None users For example access list 100 ex permit ip user CISCO...

Page 79: ...nt and received packet count The scanning keyword specifies that the ASA collect only the sent drop count When you configure a policy map to collect user statistics the ASA collects detailed statistics for selected users When you specify the user statistics command without the accounting or scanning keywords the ASA collects both accounting and scanning statistics Examples for the Identity Firewal...

Page 80: ...ntering the access list 100 ex deny any any command to allow unauthenticated incoming users to trigger AAA cut through proxy In the auth access list command permit user NONE rules guarantee only unauthenticated trigger cut through proxy Ideally they should be the last lines hostname config access list listenerAuth extended permit tcp any any hostname config aaa authentication match listenerAuth in...

Page 81: ...le when user idfw logs in the user can access network resources in the 10 0 00 24 subnet However when user user1 logs in access to network resources in 10 0 00 24 subnet is denied Note that all VPN users are stored under the LOCAL domain Therefore it is only meaningful to apply the rules for LOCAL users or object groups that include LOCAL users Note IDFW rules can only be applied to VPN filters un...

Page 82: ...ntity Firewall History for the Identity Firewall Table 5 1 History for the Identity Firewall Feature Name Releases Description Identity Firewall 8 4 2 The Identity Firewall feature was introduced We introduced or modified the following commands user identity enable user identity default domain user identity domain user identity logout probe user identity inactive user timer user identity poll impo...

Page 83: ...based rules that enforcement devices such as switches and routers with firewall features or dedicated firewalls can reliably use for making access control decisions As a result the availability and propagation of endpoint attributes or client identity attributes have become increasingly important requirements to enable security across the customers networks at the access distribution and core laye...

Page 84: ... switch or access point after successful authentication The Security group eXchange Protocol SXP is a protocol developed for Cisco TrustSec to propagate the IP to SGT mapping database across network devices that do not have SGT capable hardware support to hardware that supports SGTs and security group ACLs SXP a control plane protocol passes IP SGT mapping from authentication points such as legacy...

Page 85: ...sco TrustSec tag to user identity mapping and Cisco TrustSec tag to server resource mapping In the Cisco TrustSec feature the Cisco Secure Access Control System a policy server with integrated 802 1x and SGT support acts as the PAP Policy Enforcement Point PEP A policy enforcement point is the entity that carries out the decisions policy rules and actions made by the PDP for each AR PEP devices le...

Page 86: ...sed policies can coexist on the ASA Any combination of network user based and security group based attributes can be configured in a security policy To configure the ASA to function with Cisco TrustSec you must import a Protected Access Credential PAC file from the ISE Importing the PAC file to the ASA establishes a secure communication channel with the ISE After the channel is established the ASA...

Page 87: ...is used as the source of the mapping Multiple sources can exist for each IP SGT mapped entry If the ASA is configured as a Speaker the ASA transmits all IP SGT mapping entries to its SXP peers 5 If a security policy is configured on the ASA with that SGT or security group name the ASA enforces the policy You can create security policies on the ASA that include SGTs or security group names To enfor...

Page 88: ...eted on the PAP a previously known security group tag can become unknown but no change in policy status occurs on the ASA A previously known security group name can become unresolved and the policy is then inactivated If the security group name is reused the policy is recompiled using the new tag If a new security group is added on the PAP a previously unknown security group tag can become known a...

Page 89: ... to be both a Speaker and a Listener for an SXP connection can cause SXP looping which means that SXP data can be received by an SXP peer that originally transmitted it SXP Chattiness The rate of SXP information flow is proportional to the rate at which end hosts authenticate into the network After an SXP peering is established the listener device downloads the entire IP SGT database from the spea...

Page 90: ...imer The time value is the same as the reconciliation timer and is configurable After an SXP peer terminates its SXP connection the ASA starts a delete hold down timer Only SXP peers designated as Listeners can terminate a connection If an SXP peer connects while the delete hold down timer is running the ASA starts the reconciliation timer then the ASA updates the IP SGT mapping database to learn ...

Page 91: ...hat have been assigned to the interface is sent and the IP SGT local database is updated The IP SGT local database on each slave unit can be updated with the IP address information for the master unit by using the address pool configuration that has been synchronized to it where the first address in the pool for each interface always belongs to the master unit When a slave unit boots it notifies t...

Page 92: ...the ASA provide the shared secret that you create here on the ISE The AAA server on the ASA uses this shared secret to communicate with the ISE 6 Specify a device name device ID password and a download interval for the ASA See the ISE documentation for how to perform these tasks Create a Security Group on the ISE When configuring the ASA to communicate with the ISE you specify a AAA server When co...

Page 93: ...from flash or from a remote server via TFTP FTP HTTP HTTPS or SMB The PAC file does not have to reside on the ASA flash before you can import it Note The PAC file includes a shared key that allows the ASA and ISE to secure the RADIUS transactions that occur between them For this reason make sure that you store it securely on the ASA Guidelines for Cisco TrustSec This section includes the guideline...

Page 94: ...that the ASA 5585 X can map the IP address to the security group tag without the need to receive tagged packets The ASASM does not support Layer 2 Security Group Tagging Imposition Additional Guidelines Cisco TrustSec supports the Smart Call Home feature in single context and multi context mode but not in the system context The ASA can only be configured to interoperate in a single Cisco TrustSec ...

Page 95: ...cate that those security policies changed The multi cast types are not supported in ISE 1 0 An SXP connection stays in the initializing state among two SXP peers interconnected by the ASA as shown in the following example SXP peer A ASA SXP peer B Therefore when configuring the ASA to integrate with Cisco TrustSec you must enable the no NAT no SEQ RAND and MD5 AUTHENTICATION TCP options on the ASA...

Page 96: ...ep 2 Exit from the aaa server group configuration mode exit Example hostname config aaa server group exit Step 3 Configure a AAA server as part of a AAA server group and set host specific connection data hostname config aaa server server tag interface name host server ip Example hostname config aaa server ISEserver inside host 192 0 2 1 The interface name argument specifies the network interface w...

Page 97: ...0 2 1 hostname config aaa server host key myexclusivemumblekey hostname config aaa server host exit hostname config cts server group ISEserver Step 7 Import a PAC File This section describes how to import a PAC file Before You Begin The ASA must be configured as a recognized Cisco TrustSec network device in the ISE before the ASA can generate a PAC file Obtain the password used to encrypt the PAC ...

Page 98: ...assword A9875Za551 Enter the PAC file data in ASCII hex format End with the word quit on a line by itself hostname exec_pac_hex 01002904050000010000000000000000 hostname exec_pac_hex 00000000000000001111111111111111 hostname exec_pac_hex 11111111111111112222222222222222 hostname exec_pac_hex 222222222222222276d7d64b6be4804b hostname exec_pac_hex 0b4fdca3aeee11950ecd0e47c34157e5 hostname exec_pac_h...

Page 99: ...is message is generic and does not specify the reason why SXP is not working To configure SXP perform the following steps Procedure Step 1 Enable SXP on the ASA By default SXP is disabled cts sxp enable Example hostname config cts sxp enable Step 2 Configure the default source IP address for SXP connections cts sxp default source ip ipaddress Example hostname config cts sxp default source ip 192 1...

Page 100: ...ding on state the ASA restarts the retry timer We recommend that you configure the retry timer to a different value from its SXP peer devices Step 5 Specify the value of the default reconcile timer cts sxp reconciliation period timervalue Example hostname config cts sxp reconciliation period 60 After an SXP peer terminates its SXP connection the ASA starts a hold down timer If an SXP peer connects...

Page 101: ...ress argument is the local IPv4 or IPv6 address of the SXP connection The source IP address must be the same as the ASA outbound interface or the connection fails We recommend that you do not configure a source IP address for an SXP connection and allow the ASA to perform a route ARP lookup to determine the source IP address for the SXP connection Indicate whether or not to use the authentication ...

Page 102: ...n the ASA security group table so refresh the data on the ASA to make sure that any security group changes made on the ISE are reflected on the ASA Note We recommend that you schedule policy configuration changes on the ISE and the manual data refresh on the ASA during a maintenance window Handling policy configuration changes in this way maximizes the chances of security group names getting resol...

Page 103: ...ring an access group or the Modular Policy Framework Additional examples match src hr admin sg name from any network to dst host 172 23 59 53 access list idw acl permit ip security group name hr admin sg name any host 172 23 59 53 match src hr admin sg name from host 10 1 1 1 to dst any access list idfw acl permit ip security group name hr admin sg name host 10 1 1 1 any match src tag 22 from any ...

Page 104: ... inserts security group tags on the outgoing packet and processes security group tags on the incoming packet based on a manual per interface configuration This feature allows inline hop by hop propagation of endpoint identity across network devices and provides seamless Layer 2 SGT Imposition between each hop The following figure shows a typical example of Layer 2 SGT Imposition Figure 6 3 Layer 2...

Page 105: ...fic Interface Configuration Tagged Packet Received Untagged Packet Received Table 6 4 Egress Traffic Interface Configuration Tagged or Untagged Packet Sent No command is issued Untagged The cts manual command is issued Tagged The cts manual command and the propagate sgt command are both issued Tagged The cts manual command and the no propagate sgt command are both issued Untagged Table 6 5 To the ...

Page 106: ...anual propagate sgt Step 4 Apply a policy to a manually configured CTS link policy static sgt sgt_number trusted Example hostname config if cts manual policy static sgt 50 trusted The static keyword specifies an SGT policy to incoming traffic on the link The sgt sgt_number keyword argument pair specifies the SGT number to apply to incoming traffic from the peer Valid values are from 2 65519 The tr...

Page 107: ...e displays output from the packet tracer command to show security group tag mapping to an IP address hostname packet tracer input inside tcp inline tag 100 security group name alpha 30 security group tag 31 300 Mapping security group 30 alpha to IP address 10 1 1 2 Mapping security group 31 bravo to IP address 192 168 1 2 Phase 1 Type ROUTE LOOKUP Subtype input Result ALLOW Config Additional Infor...

Page 108: ...erface gi0 1 cts manual propagate sgt policy static sgt 100 trusted cts role based sgt map 10 1 1 100 sgt 50 AnyConnect VPN Support for Cisco TrustSec ASA Version 9 3 1 fully supports security group tagging of VPN sessions A Security Group Tag SGT can be assigned to a VPN session using an external AAA server or by configuration of the local user database This tag can then be propagated through the...

Page 109: ...e no security group tag value sgt command to return the configuration to the default Monitoring Cisco TrustSec See the following commands for monitoring Cisco TrustSec show running config cts show running config all cts role based sgt map This command shows the user defined IP SGT binding table entries show cts sxp connections This command shows the SXP connections on the ASA for a particular user...

Page 110: ...sed on a security group We introduced or modified the following commands access list extended cts sxp enable cts server group cts sxp default cts sxp retry period cts sxp reconciliation period cts sxp connection peer cts import pac cts refresh environment data object group security security group show running config cts show running config object group clear configure cts clear configure object gr...

Page 111: ...rewall services including Next Generation Intrusion Prevention System NGIPS Application Visibility and Control AVC URL filtering and Advanced Malware Protection AMP The ASA FirePOWER module runs a separate application from the ASA The module can be a hardware module on the ASA 5585 X only or a software module all other models How the ASA FirePOWER Module Works with the ASA page 7 1 ASA FirePOWER M...

Page 112: ...ace You must operate the ASA in single context transparent mode to configure traffic forwarding Be sure to configure consistent policies on the ASA and the ASA FirePOWER Both policies should reflect the inline or monitor only mode of the traffic The following sections explain these modes in more detail ASA FirePOWER Inline Mode In inline mode traffic goes through the firewall checks before being f...

Page 113: ...r monitoring purposes only The module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode for example traffic might be marked would have dropped in events You can use this information for traffic analysis and to help you decide if inline mode is desirable Note You cannot configure both inline tap monitor only mode and normal inli...

Page 114: ...nts You can use this information for traffic analysis and to help you decide if inline mode is desirable Traffic in this setup is never forwarded neither the module nor the ASA sends the traffic on to its ultimate destination You must operate the ASA in single context and transparent modes to use this configuration The following figure shows an interface configured for traffic forwarding That inte...

Page 115: ...on HTTP traffic Do not configure Cloud Web Security ScanSafe inspection If you configure both ASA FirePOWER inspection and Cloud Web Security inspection for the same traffic the ASA only performs ASA FirePOWER inspection Do not enable the Mobile User Security MUS server it is not compatible with the ASA FirePOWER module Other application inspections on the ASA are compatible with the ASA FirePOWER...

Page 116: ...upported If you are using Java 7 update 51 up to Java 8 you need to configure identity certificates for both the ASA and the ASA FirePOWER module See Install an Identity Certificate for ASDM You can never use both ASDM and FireSIGHT Management Center you must choose one or the other Additional Guidelines and Limitations See Compatibility with ASA Features page 7 5 You cannot change the software ty...

Page 117: ...t enter and exit the Management 1 0 or 1 1 interface Because this interface is not an ASA data interface traffic cannot pass through the ASA over the backplane you need to physically cable the management interface to an ASA interface The ASA FirePOWER module needs Internet access See the following typical cabling setup to allow ASA FirePOWER access to the Internet through the ASA management interf...

Page 118: ...s the ASA inside interface and to configure the module gateway IP address For other models you must remove the ASA configured name and IP address for Management 0 0 or 1 1 and then configure the other interfaces as indicated above Note If you want to deploy a separate router on the inside network then you can route between management and inside In this case you can manage both the ASA and ASA Fire...

Page 119: ... 7 6 or you can use the following ASA command to change the management IP address and then connect using SSH session 1 sfr do setup host ip ip_address mask gateway_ip Use 1 for a hardware module sfr for a software module Configure ASA FirePOWER Basic Settings The first time you access the ASA FirePOWER module CLI you are prompted for basic configuration parameters You must also add the module to t...

Page 120: ...ule page 7 10 Configure the Security Policy on the ASA FirePOWER Module The security policy controls the services provided by the module such as Next Generation IPS filtering and application filtering You configure the security policy on the ASA FirePOWER module using one of the following methods For more information about ASA FirePOWER configuration see the online help or the ASA FirePOWER Module...

Page 121: ...mple hostname config access list my sfr acl permit ip any 10 1 1 0 255 255 255 0 hostname config access list my sfr acl2 permit ip any 10 2 1 0 255 255 255 0 hostname config class map my sfr class hostname config cmap match access list my sfr acl If you want to send multiple traffic classes to the module you can create multiple class maps for use in the security policy For information on matching ...

Page 122: ...lobal keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Configure Passive Traffic Forwarding If you want to operate the module in passive monitor only mode where the m...

Page 123: ...hutdown Repeat for any additional interfaces Examples The following example makes GigabitEthernet 0 5 a traffic forwarding interface interface gigabitethernet 0 5 no nameif traffic forward sfr monitor only no shutdown Managing the ASA FirePOWER Module This section includes procedures that help you manage the module Install or Reimage the Module page 7 13 Reset the Password page 7 18 Reload or Rese...

Page 124: ...ps uninstall reload When reimaging the ASA FirePOWER module use the same shutdown and uninstall commands to remove the old image For example sw module module sfr uninstall If you have an active service policy redirecting traffic to an IPS or CX module you must remove that policy For example if the policy is a global one you could use no service policy ips_policy global If the service policy includ...

Page 125: ...ion sfr console Opening console session with module sfr Connected to module sfr Escape character sequence is CTRL X Cisco ASA SFR Boot Image 5 3 1 asasfr login admin Password Admin123 If the module boot has not completed the session command will fail with a message about not being able to connect over ttyS1 Wait and try again Step 6 Configure the system so that you can install the system software ...

Page 126: ...dule You will see a different login prompt because you are logging into the fully functional module hostname session sfr console Opening console session with module sfr Connected to module sfr Escape character sequence is CTRL X Sourcefire ASA5555 v5 4 1 build 58 Sourcefire3D login Step 9 See Configure ASA FirePOWER Basic Settings page 7 9 to complete the setup Reimage the ASA 5585 X ASA FirePOWER...

Page 127: ... server in tftpboot images filename img the IMAGE value is images filename img For example ADDRESS 10 5 190 199 SERVER 10 5 11 170 GATEWAY 10 5 1 1 IMAGE asasfr boot 5 3 1 26 54 img Step 5 Save the settings sync Step 6 Initiate the download and boot process tftp You will see marks to indicate progress When the boot completes after several minutes you will see a login prompt Step 7 Log in as admin ...

Page 128: ...r user with CLI Configuration permissions can log in and change the password If there are no other users with the required permissions you can reset the admin password from the ASA Before You Begin In multiple context mode perform this procedure in the system execution space The password reset option on the ASA hw module and sw module commands does not work with ASA FirePOWER Procedure Step 1 Rese...

Page 129: ...one of the following commands Hardware module ASA 5585 X hw module module 1 shutdown Software module all other models sw module module sfr shutdown Uninstall a Software Module Image You can uninstall a software module image and its associated configuration Before You Begin In multiple context mode perform this procedure in the system execution space Procedure Step 1 Uninstall the software module i...

Page 130: ...ole session session sfr console The only way out of a console session is to press Ctrl Shift 6 x Logging out of the module leaves you at the module login prompt Note Do not use the session sfr console command in conjunction with a terminal server where Ctrl Shift 6 x is the escape sequence to return to the terminal server prompt Ctrl Shift 6 x is also the sequence to escape the ASA FirePOWER conso...

Page 131: ...nstalling the module The following is sample output from the show module command for an ASA 5585 X with an ASA FirePOWER hardware module installed hostname show module Mod Card Type Model Serial No 0 ASA 5585 X Security Services Processor 10 wi ASA5585 SSP 10 JAF1507AMKE 1 ASA 5585 X FirePOWER Security Services Proce ASA5585 SSP SFR10 JAF1510BLSA Mod MAC Address Range Hw Version Fw Version Sw Vers...

Page 132: ... sfr command to display statistics and status for each service policy that includes the sfr command Use clear service policy to clear the counters The following example shows the ASA FirePOWER service policy and the current statistics as well as the module status In monitor only mode the input counters remain at zero ciscoasa show service policy sfr Global policy Service policy global_policy Class...

Page 133: ... This counter is incremented when the security appliance receives a FirePOWER HA request packet but could not process it and the packet is dropped sfr invalid encap This counter is incremented when the security appliance receives a FirePOWER packet with invalid message header and the packet is dropped sfr bad handle received Received Bad flow handle in a packet from FirePOWER Module thus dropping ...

Page 134: ...2 4 ASA FirePOWER 5 3 1 The ASA FirePOWER module supplies next generation firewall services including Next Generation IPS NGIPS Application Visibility and Control AVC URL filtering and Advanced Malware Protection AMP You can use the module in single or multiple context mode and in routed or transparent mode We introduced or modified the following commands capture interface asa_dataplane debug sfr ...

Page 135: ...5516 X support for the ASA FirePOWER software module including support for configuring the module in ASDM ASA 9 4 1 ASDM 7 4 1 ASA FirePOWER 5 4 1 You can run the ASA FirePOWER software module on the ASA 5506W X ASA 5506H X ASA 5508 X and ASA 5516 X You can manage the module using FireSIGHT Management Center or you can use ASDM Feature Platform Releases Description ...

Page 136: ...7 26 Cisco ASA Series Firewall CLI Configuration Guide Chapter 7 ASA FirePOWER Module History for the ASA FirePOWER Module ...

Page 137: ...bout the traffic based on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from malware The ASA can optionally authenticate and identify users with Identity Firewall and AAA rules The ASA encrypts and includes the user credentials including usernames and user groups in the traffic it redirects to Cloud Web Security The Cloud Web Security service then uses th...

Page 138: ...de Default username and group For traffic that does not have an associated user name or group you can configure an optional default username and group name These defaults are applied to all users that match a service policy rule for Cloud Web Security Authentication Keys Each ASA must use an authentication key that you obtain from Cloud Web Security The authentication key lets Cloud Web Security i...

Page 139: ...A modifies the name to use only one backslash to conform to typical ScanCenter notation when including the group in the redirected HTTP request The default group name is sent in the following format domain group name On the ASA you need to configure the optional domain name to be followed by 2 backslashes however the ASA modifies the name to use only one backslash to conform to typical ScanCenter ...

Page 140: ...m group plus group key after the exempt rule to apply policy per ASA 4 Traffic from users in America Management will match the exempt rule while all other traffic will match the rule for the ASA from which it originated Many combinations of keys groups and policy rules are possible Failover from Primary to Backup Proxy Server When you subscribe to the Cisco Cloud Web Security service you are assig...

Page 141: ... Cloud Web Security servers Clientless SSL VPN is not supported with Cloud Web Security be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security When an interface to the Cloud Web Security proxy servers goes down output from the show scansafe server command shows both servers up for approximately 15 25 minutes This condition may occur because the polling ...

Page 142: ...y Whitelisted Traffic page 8 8 Step 3 Configure a Service Policy to Send Traffic to Cloud Web Security page 8 9 Step 4 Optional Configure the User Identity Monitor page 8 13 Step 5 Configure the Cloud Web Security Policy page 8 14 Configure Communications with the Cloud Web Security Proxy Server You must identify the Cloud Web Security proxy servers so that user web requests can be redirected prop...

Page 143: ...server before determining the server is unreachable retry count value Example hostname cfg scansafe retry count 2 Polls are performed every 30 seconds Valid values are from 2 to 100 and the default is 5 Step 4 Configure the authentication key that the ASA sends to the Cloud Web Security proxy servers to indicate from which organization the request comes license hex_key Example hostname cfg scansaf...

Page 144: ...s called whitelisting traffic You configure the whitelist in a ScanSafe inspection class map You can use usernames and group names derived from both identity firewall and AAA rules You cannot whitelist based on IP address or on destination URL When you configure your Cloud Web Security service policy rule you refer to the class map in your policy Although you can achieve the same results of exempt...

Page 145: ...ig policy map type inspect scansafe cws_inspect_pmap2 hostname config pmap parameters hostname config pmap p https hostname config pmap p default group2 default_group2 hostname config pmap p class whitelist1 hostname config pmap c whitelist Configure a Service Policy to Send Traffic to Cloud Web Security Your service policy consists of multiple service policy rules applied globally or applied to e...

Page 146: ... tcp 443 The following procedure describes an ACL match a Create ACLs access list extended command to identify the traffic you want to send to Cloud Web Security You must create separate ACLs for HTTP and HTTPS traffic Because Cloud Web Security works on HTTP HTTPS traffic only any other traffic defined in the ACL is ignored A permit ACE sends matching traffic to Cloud Web Security A deny ACE exem...

Page 147: ...signed globally to all interfaces If you want to edit the global_policy enter global_policy as the policy name You can only apply one policy to each interface or globally policy map name Example hostname config policy map global_policy b Identify one of the traffic class maps you created for Cloud Web Security inspection class name Example hostname config pmap class cws_class1 c Configure ScanSafe...

Page 148: ...ap type inspect scansafe match any whitelist1 hostname config cmap match user user1 group cisco hostname config cmap match user user2 hostname config cmap match group group1 hostname config cmap match user user3 group group3 hostname config policy map type inspect scansafe cws_inspect_pmap1 hostname config pmap parameters hostname config pmap p http hostname config pmap p default group default_gro...

Page 149: ...re to be considered active For example although you can configure your Cloud Web Security service policy rule to use an ACL with users and groups thus activating any relevant groups it is not required You could use an ACL based entirely on IP addresses Because Cloud Web Security can base its ScanCenter policy on user identity you might need to download groups that are not part of an active ACL to ...

Page 150: ... Web Security activity such as the number of connections redirected to the proxy server the number of current connections being redirected and the number of white listed connections hostname show scansafe statistics Current HTTP sessions 0 Current HTTPS sessions 0 Total HTTP Sessions 0 Total HTTPS Sessions 0 Total Fail HTTP sessions 0 Total Fail HTTPS sessions 0 Total Bytes In 0 Bytes Total Bytes ...

Page 151: ...he ASA hostname config scansafe general options hostname cfg scansafe server primary ip 192 168 115 225 hostname cfg scansafe retry count 5 hostname cfg scansafe license 366C1D3F5CE67D33D3E9ACEC265261E5 Step 2 Configure identity firewall settings Because groups are a key feature of ScanCenter policies you should consider enabling the identity firewall if you are not already using it However identi...

Page 152: ...onfig policy map type inspect scansafe http pmap hostname config pmap parameters hostname config pmap p default group httptraffic hostname config pmap p http hostname config pmap p class whiteListCmap hostname config pmap p whitelist hostname config policy map type inspect scansafe https pmap hostname config pmap parameters hostname config pmap p default group httpstraffic hostname config pmap p h...

Page 153: ...login dn cn administrator cn Users dc asascanlab dc local hostname config aaa server host ldap login password Password1 Step 2 Configure the Active Directory Agent Using RADIUS The following example shows how to configure the Active Directory Agent on your ASA using RADIUS hostname config aaa server adagent protocol radius hostname config aaa server group ad agent mode hostname config aaa server g...

Page 154: ...entity action mac address mismatch remove user ip hostname config user identity ad agent active user database full download There are two download modes with Identify Firewall Full download and On demand Full download Whenever a user logs into the network the IDFW tells the ASA the User identity immediately recommended on the ASA 5512 X and above On demand Whenever a user logs into the network the...

Page 155: ... was introduced Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic It can also redirect and report about web traffic based on user identity We introduced or modified the following commands class map type inspect scansafe default user group http s parameters inspect scansafe license match user group policy map type inspect scansafe retry count sc...

Page 156: ...8 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 8 ASA and Cisco Cloud Web Security History for Cisco Cloud Web Security ...

Page 157: ...P A R T 2 Network Address Translation ...

Page 158: ......

Page 159: ...any network RFC 1918 defines the private IP addresses you can use internally that should not be advertised 10 0 0 0 through 10 255 255 255 172 16 0 0 through 172 31 255 255 192 168 0 0 through 192 168 255 255 One of the main functions of NAT is to enable private IP networks to connect to the Internet NAT replaces a private IP address with a public IP address translating the private addresses in th...

Page 160: ...e host before it is translated In a typical NAT scenario where you want to translate the inside network when it accesses the outside the inside network would be the real network Note that you can translate any network connected to the ASA not just an inside network Therefore if you configure NAT to translate outside addresses real can refer to the outside network when it accesses the inside networ...

Page 161: ...jects you might see a failure in the translation of indirect addresses that do not belong to either of the objects Network Object NAT page 9 3 Twice NAT page 9 3 Comparing Network Object NAT and Twice NAT page 9 4 Network Object NAT All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules Network object NAT is a quick and easy way to config...

Page 162: ...NAT configuration instead of the actual IP addresses The network object IP address serves as the real address This method lets you easily add NAT to network objects that might already be used in other parts of your configuration Twice NAT You identify a network object or network object group for both the real and mapped addresses In this case NAT is not a parameter of the network object the networ...

Page 163: ... do not configure a twice NAT rule in this section that might match your VPN traffic instead of matching the invisible rule If VPN does not work due to NAT failure consider adding twice NAT rules to section 3 instead Section 2 Network object NAT If a match in section 1 is not found section 2 rules are applied in the following order as automatically determined by the ASA 1 Static rules 2 Dynamic ru...

Page 164: ...ed interfaces You can also specify any interface for the real address and a specific interface for the mapped address or vice versa For example you might want to specify any interface for the real address and specify the outside interface for the mapped address if you use the same private addresses on multiple interfaces and you want to translate them all to the same global pool when accessing the...

Page 165: ...supported For transparent mode a PAT pool is not supported for IPv6 For static NAT you can specify an IPv6 subnet up to 64 Larger subnets are not supported When using FTP with NAT46 when an IPv4 FTP client connects to an IPv6 FTP server the client must use either the extended passive mode EPSV or extended port mode EPRT PASV and PORT commands are not supported with IPv6 IPv6 NAT Recommendations Yo...

Page 166: ...erver1 host 209 165 200 225 object network Server1_mapped host 10 1 2 67 object service REAL_ftp service tcp destination eq ftp object service MAPPED_ftp service tcp destination eq 2021 object network MyOutNet subnet 209 165 201 0 255 255 255 224 nat inside outside source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp If you change the NAT configura...

Page 167: ...configuration to determine the egress interface but you have the option to always use a route lookup instead See Routing NAT Packets page 10 11 for more information You can improve system performance and reliability by using the transactional commit model for NAT See the basic settings chapter in the general operations configuration guide for more information Use the asp rule engine transactional ...

Page 168: ...oups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets Use the object network and object group network commands to create the objects Consider the following guidelines when creating objects for twice NAT A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses The group cannot contain ...

Page 169: ... NAT Guidelines for Service Objects for Real and Mapped Ports You can optionally configure service objects for Source real port Static only or Destination real port Source mapped port Static only or Destination mapped port Use the object service command to create the objects Consider the following guidelines when creating objects for twice NAT NAT only supports TCP or UDP When translating a port b...

Page 170: ...e real host initiates the connection The translation is in place only for the duration of the connection and a given user does not keep the same IP address after the translation times out Users on the destination network therefore cannot initiate a reliable connection to a host that uses dynamic NAT even if the connection is allowed by an access rule Note For the duration of the translation a remo...

Page 171: ...se PAT or a PAT fall back method if this event occurs often because PAT provides over 64 000 translations using ports of a single address You have to use a large number of routable addresses in the mapped pool and routable addresses may not be available in large quantities The advantage of dynamic NAT is that some protocols cannot use PAT PAT does not work with the following IP protocols that do n...

Page 172: ...ss of a single host For example 10 1 1 1 or 2001 DB8 0DB8 800 200C 417A subnet IPv4_address IPv4_mask IPv6_address IPv6_prefix The address of a network For IPv4 subnets include the mask after a space for example 10 0 0 0 255 0 0 0 For IPv6 include the address and prefix as a single unit no spaces such as 2001 DB8 0 CD30 60 range start_address end_address A range of addresses You can specify IPv4 o...

Page 173: ...interface address hostname config object network nat range1 hostname config network object range 10 10 10 10 10 10 10 20 hostname config network object object network pat ip1 hostname config network object host 10 10 10 21 hostname config network object object group network nat pat grp hostname config network object network object object nat range1 hostname config network object network object obj...

Page 174: ...onal Create service objects for the destination real ports and the destination mapped ports For dynamic NAT you can only perform port translation on the destination A service object can contain both a source and destination port but only the destination port is used in this case If you specify the source port it will be ignored Step 3 Configure dynamic NAT nat real_ifc mapped_ifc line after auto l...

Page 175: ...le The dns keyword translates DNS replies Be sure DNS inspection is enabled it is enabled by default You cannot configure the dns keyword if you configure a destination address See DNS and NAT page 10 21 for more information Unidirectional Optional Specify unidirectional so the destination addresses cannot initiate traffic to the source addresses Inactive Optional To make this rule inactive withou...

Page 176: ...config nat inside outside source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2 Dynamic PAT The following topics describe dynamic PAT About Dynamic PAT page 9 18 Configure Dynamic Network Object PAT page 9 20 Configure Dynamic Twice PAT page 9 22 Configure Per Session PAT or Multi Session PAT page 9 25 About Dynamic PAT Dynamic PAT translates multiple real addresses to a single ...

Page 177: ...stream that is different from the control path See Default Inspections and NAT Limitations page 12 6 for more information about NAT and PAT support Dynamic PAT might also create a large number of connections appearing to come from a single IP address and servers might interpret the traffic as a DoS attack You can configure a PAT pool of addresses and use a round robin assignment of PAT addresses t...

Page 178: ... Because NAT pools are created for every mapped protocol IP address port range round robin results in a large number of concurrent NAT pools which use memory Extended PAT results in an even larger number of concurrent NAT pools Configure Dynamic Network Object PAT This section describes how to configure network object NAT for dynamic PAT Procedure Step 1 Optional Create a host or range network obj...

Page 179: ... the mapped_ifc You must use this keyword when you want to use the interface IP address you cannot enter it inline or as an object For a PAT pool you can specify one or more of the following options Round robin The round robin keyword enables round robin address allocation for a PAT pool Without round robin by default all ports for a PAT address will be allocated before the next PAT address is use...

Page 180: ...owing example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network hostname config object network IPv4_POOL hostname config network object range 203 0 113 1 203 0 113 254 hostname config object network IPv6_INSIDE hostname config network object subnet 2001 DB8 96 hostname config network object nat inside outside dynamic pat pool IPv4_POOL Configure...

Page 181: ...to section 3 instead after the network object NAT rules then use the after auto keyword You can insert a rule anywhere in the applicable section using the line argument Source addresses Real Specify a network object group or the any keyword Use the any keyword if you want to translate all traffic from the real interface to the mapped interface Mapped Configure one of the following Network object S...

Page 182: ...me object or group for both the real and mapped addresses Destination port Optional Specify the service keyword along with the mapped and real service objects For identity port translation simply use the same service object for both the real and mapped ports DNS Optional for a source only rule The dns keyword translates DNS replies Be sure DNS inspection is enabled it is enabled by default You can...

Page 183: ...sion PAT or Multi Session PAT By default all TCP PAT traffic and all UDP DNS traffic uses per session PAT To use multi session PAT for traffic you can configure per session PAT rules a permit rule uses per session PAT and a deny rule uses multi session PAT Per session PAT improves the scalability of PAT and for clustering allows each member unit to own PAT connections multi session PAT connections...

Page 184: ...lly created rules Be sure to create your rules in the order you want them applied xlate per session permit deny tcp udp source_ip operator src_port destination_ip operator dest_port Example hostname config xlate per session deny tcp any4 209 165 201 3 eq 1720 For the source and destination IP addresses you can configure the following host ip_address Specifies an IPv4 or IPv6 host address ip_addres...

Page 185: ...or port for each subsequent translation so bidirectional initiation is not supported The following figure shows a typical static NAT scenario The translation is always active so both real and remote hosts can initiate connections Figure 9 5 Static NAT Note You can disable bidirectionality if desired Static NAT with Port Translation Static NAT with port translation lets you specify a real and mappe...

Page 186: ...equire application inspection for secondary channels for example FTP and VoIP the ASA automatically translates the secondary ports Static NAT with Identity Port Translation The following static NAT with port translation example provides a single address for remote users to access FTP HTTP and SMTP These servers are actually different devices on the real network but for each server you can specify ...

Page 187: ... ASA outside interface to an inside host then you can map the inside host IP address port 23 to the ASA interface address port 23 Note that although Telnet to the ASA is not allowed to the lowest security interface static NAT with interface port translation redirects the Telnet session instead of denying it One to Many Static NAT Typically you configure static NAT with a one to one mapping However...

Page 188: ...e you have a load balancer at 10 1 2 27 Depending on the URL requested it redirects traffic to the correct web server For details on how to configure this example see Inside Load Balancer with Multiple Mapped Addresses Static NAT One to Many page 10 4 Figure 9 9 One to Many Static NAT Example 10 1 2 27 10 1 2 27 10 1 2 27 209 165 201 3 Inside Outside 209 165 201 4 209 165 201 5 Security Appliance ...

Page 189: ...irectional subsequent mappings allow traffic to be initiated to the real host but all traffic from the real host uses only the first mapped address for the source The following figure shows a typical few to many static NAT scenario Figure 9 10 Few to Many Static NAT For a many to few or many to one configuration where you have more real addresses than mapped addresses you run out of mapped address...

Page 190: ...et Step 2 Create or edit the network object for which you want to configure NAT object network obj_name Example hostname config object network my host obj1 Step 3 Skip when editing an object that has the right address Define the real IPv4 or IPv6 addresses that you want to translate host IPv4_address IPv6_address The IPv4 or IPv6 address of a single host For example 10 1 1 1 or 2001 DB8 0DB8 800 2...

Page 191: ...Static NAT with port translation only routed mode only The IP address of the mapped interface is used as the mapped address If you specify ipv6 then the IPv6 address of the interface is used For this option you must configure a specific interface for the mapped_ifc You must use this keyword when you want to use the interface IP address you cannot enter it inline or as an object Be sure to also con...

Page 192: ...nfig network object nat inside outside static 2001 DB8 BBBB 96 Configure Static Twice NAT or Static NAT with Port Translation This section describes how to configure a static NAT rule using twice NAT Procedure Step 1 Create host or range network objects object network command or network object groups object group network command for the source real addresses the source mapped addresses the destina...

Page 193: ...n using the line argument Source addresses Real Specify a network object or group Do not use the any keyword which would be used for identity NAT Mapped Specify a different network object or group For static interface NAT with port translation only you can specify the interface keyword routed mode only If you specify ipv6 then the IPv6 address of the interface is used If you specify interface be s...

Page 194: ...e outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004 The traffic is untranslated to the internal FTP server at 192 168 10 100 6500 through 65004 Note that you specify the source port range in the service object and not the destination port because you want to translate the source address and port as identified in t...

Page 195: ...exempt the client traffic from NAT The following figure shows a typical identity NAT scenario Figure 9 12 Identity NAT The following topics explain how to configure identity NAT Configure Identity Network Object NAT page 9 37 Configure Identity Twice NAT page 9 39 Configure Identity Network Object NAT This section describes how to configure an identity NAT rule using network object NAT Procedure S...

Page 196: ...sure to include the parentheses In routed mode if you do not specify the real and mapped interfaces all interfaces are used You can also specify the keyword any for one or both of the interfaces for example any outside Mapped IP addresses Be sure to configure the same IP address for both the mapped and real address Use one of the following mapped_inline_host_ip An inline IP address The netmask pre...

Page 197: ...bject for the source real addresses and instead use the keywords any any in the nat command If you want to configure destination static interface NAT with port translation only you can skip adding an object for the destination mapped addresses and instead specify the interface keyword in the nat command If you do create objects consider the following guidelines The mapped object or group can conta...

Page 198: ... the same object or group for both the real and mapped addresses Ports Optional Specify the service keyword along with the real and mapped service objects For source port translation the objects must specify the source service The order of the service objects in the command for source port translation is service real_obj mapped_obj For destination port translation the objects must specify the dest...

Page 199: ...es are shown twice first with the basic address configuration then later in the configuration the object with the NAT rule The complete object with the address and NAT rule is not shown as a unit show xlate Shows current NAT session information History for NAT Feature Name Platform Releases Description Network Object NAT 8 3 1 Configures NAT for a network object IP address es We introduced or modi...

Page 200: ... 2 from 8 3 1 8 3 2 and 8 4 1 all identity NAT configurations will now include the no proxy arp and route lookup keywords to maintain existing functionality The unidirectional keyword is removed We modified the following command nat static no proxy arp route lookup PAT pool and round robin address assignment 8 4 2 8 5 1 You can now specify a pool of PAT addresses instead of a single address You ca...

Page 201: ...ee unequal sized tiers either 1024 to 65535 or 1 to 65535 We modifed the following commands nat dynamic pat pool mapped_object flat include reserve and nat source dynamic pat pool mapped_object flat include reserve This feature is not available in 8 5 1 or 8 6 1 Extended PAT for a PAT pool 8 4 3 Each PAT IP address allows up to 65535 ports If 65535 ports do not provide enough translations you can ...

Page 202: ...t recommend using this feature unless you know you need it contact Cisco TAC to confirm feature compatibility with your network See the following limitations Only supports Cisco IPsec and AnyConnect Client Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied Does not support load balancing because of routing issues Does not suppor...

Page 203: ...dress Without the per session feature the maximum connection rate for one address for an IP protocol is approximately 2000 per second With the per session feature the connection rate for one address for an IP protocol is 65535 average lifetime By default all TCP traffic and UDP DNS traffic use a per session PAT xlate For traffic that requires multi session PAT such as H 323 SIP or Skinny you can d...

Page 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...

Page 205: ...ing are some configuration examples for network object NAT Providing Access to an Inside Web Server Static NAT page 10 1 NAT for Inside Hosts Dynamic NAT and NAT for an Outside Web Server Static NAT page 10 2 Inside Load Balancer with Multiple Mapped Addresses Static NAT One to Many page 10 4 Single Address for FTP HTTP and SMTP Static NAT with Port Translation page 10 5 Providing Access to an Ins...

Page 206: ...the object hostname config network object nat inside outside static 209 165 201 10 NAT for Inside Hosts Dynamic NAT and NAT for an Outside Web Server Static NAT The following example configures dynamic NAT for inside users on a private network when they access the outside Also when inside users connect to an outside web server that web server address is translated to an address that appears to be ...

Page 207: ... object network myInsNet hostname config network object subnet 10 1 2 0 255 255 255 0 Step 3 Enable dynamic NAT for the inside network using the dynamic NAT pool object hostname config network object nat inside outside dynamic myNatPool Step 4 Create a network object for the outside web server hostname config object network myWebServ hostname config network object host 209 165 201 12 Step 5 Config...

Page 208: ...One to Many for an Inside Load Balancer Procedure Step 1 Create a network object for the addresses to which you want to map the load balancer hostname config object network myPublicIPs hostname config network object range 209 165 201 3 209 265 201 8 Step 2 Create a network object for the load balancer hostname config object network myLBHost hostname config network object host 10 1 2 27 Step 3 Conf...

Page 209: ...pping the FTP port to itself hostname config object network FTP_SERVER hostname config network object host 10 1 2 27 hostname config network object nat inside outside static 209 165 201 3 service tcp ftp ftp Step 2 Create a network object for the HTTP server and configure static NAT with port translation mapping the HTTP port to itself hostname config object network HTTP_SERVER hostname config net...

Page 210: ...s Translation page 10 9 Different Translation Depending on the Destination Dynamic Twice PAT The following figure shows a host on the 10 1 2 0 24 network accessing two different servers When the host accesses the server at 209 165 201 11 the real address is translated to 209 165 202 129 port When the host accesses the server at 209 165 200 225 the real address is translated to 209 165 202 130 port...

Page 211: ...ying the same address for the real and mapped destination addresses Step 5 Add a network object for the DMZ network 2 hostname config object network DMZnetwork2 hostname config network object subnet 209 165 200 224 255 255 255 224 Step 6 Add a network object for the PAT address hostname config object network PATaddress2 hostname config network object host 209 165 202 130 Step 7 Configure the secon...

Page 212: ... TelnetObj hostname config network object service tcp destination eq telnet Step 5 Configure the first twice NAT rule hostname config nat inside outside source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj Because you do not want to translate the destination address or port you need to configure identity NAT for them by specifyin...

Page 213: ...host The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209 165 201 0 27 network A translation does not exist for the 209 165 200 224 27 network so the translated host cannot connect to that network nor can a host on that network connect to the translated host Figure 10 7 Twice Static NAT with Destination Address Translation NAT in ...

Page 214: ...eir networks NAT in transparent mode has the following requirements and limitations Because the transparent firewall does not have any interface IP addresses you cannot use interface PAT ARP inspection is not supported Moreover if for some reason a host on one side of the ASA sends an ARP request to a host on the other side of the ASA and the initiating host real address is mapped to a different a...

Page 215: ...ectly to the host 4 For host 192 168 1 2 the same process occurs except for returning traffic the ASA looks up the route in its routing table and sends the packet to the downstream router at 10 1 1 3 based on the ASA static route for 192 168 1 0 24 See Transparent Mode Routing Requirements for Remote Networks page 10 14 for more information about required routes Routing NAT Packets The ASA needs t...

Page 216: ...small this method can be used For PAT you can even use the IP address of the mapped interface Note If you configure the mapped interface to be any interface and you specify a mapped address on the same network as one of the mapped interfaces then if an ARP request for that mapped address comes in on a different interface then you need to manually configure an ARP entry for that network on the ingr...

Page 217: ...f you have a twice NAT rule although the NAT rule must match both the source and destination addresses the proxy ARP decision is made only on the source address If the ASA ARP response is received before the actual host ARP response then traffic will be mistakenly sent to the ASA see the following figure Figure 10 10 Proxy ARP Problems with Identity NAT In rare cases you need proxy ARP for identit...

Page 218: ...y the source and destination interfaces as part of the NAT rule Routed mode The ASA determines the egress interface in one of the following ways You configure the interface in the NAT rule The ASA uses the NAT rule to determine the egress interface However you have the option to always use a route lookup instead In certain scenarios a route lookup override is required for example see NAT and VPN M...

Page 219: ... the VPN tunnel then Internet bound VPN traffic must also go through the ASA When the VPN traffic enters the ASA the ASA decrypts the packet the resulting packet includes the VPN client local address 10 3 3 10 as the source For both inside and VPN client local networks you need a public IP address provided by NAT to access the Internet The below example uses interface PAT rules To allow the VPN tr...

Page 220: ...traffic Because forward and reverse flows do not match the ASA drops the packet when it is received To avoid this failure you need to exempt the inside to VPN client traffic from the interface PAT rule by using an identity NAT rule between those networks Identity NAT simply translates an address to the same address VPN Client 209 165 201 10 Internet Src 209 165 201 10 10 3 3 10 203 0 113 1 6070 10...

Page 221: ...s a site to site tunnel connecting the Boulder and San Jose offices For traffic that you want to go to the Internet for example from 10 1 1 6 in Boulder to www example com you need a public IP address provided by NAT to access the Internet The below example uses interface PAT rules However for traffic that you want to go over the VPN tunnel for example from 10 1 1 6 in Boulder to 10 2 2 78 in San ...

Page 222: ... Enable hairpin for VPN client traffic same security traffic permit intra interface Identify local VPN network perform object interface PAT when going to Internet 10 1 1 6 ASA1 ASA2 10 2 2 78 Internet Src 10 1 1 6 10 1 1 6 203 0 113 1 6070 Src 10 1 1 6 10 1 1 6 Dst 10 2 2 78 10 2 2 78 San Jose Inside Boulder Inside 1 IM to 10 2 2 78 Src 10 1 1 6 A HTTP to www example com Src 10 1 1 6 3 IM received...

Page 223: ...ic sanjose_inside sanjose_inside See the following sample NAT configuration for ASA2 San Jose Identify inside San Jose network perform object interface PAT when going to Internet object network sanjose_inside subnet 10 2 2 0 255 255 255 0 nat inside outside dynamic interface Identify inside Boulder network for use in twice NAT rule object network boulder_inside subnet 10 1 1 0 255 255 255 0 Identi...

Page 224: ...e 10 14 for more information about the route lookup option Figure 10 17 VPN Management Access See the following sample NAT configuration for the above network Enable hairpin for non split tunneled VPN client traffic same security traffic permit intra interface Enable management access on inside ifc management access inside Identify local VPN network perform object interface PAT when going to Inter...

Page 225: ...dress in DNS queries and replies that match a NAT rule for example the A record for IPv4 the AAAA record for IPv6 or the PTR record for reverse DNS queries For DNS replies traversing from a mapped interface to any other interface the record is rewritten from the mapped value to the real value Inversely for DNS replies traversing from any interface to a mapped interface the record is rewritten from...

Page 226: ...com is on the inside interface You configure the ASA to statically translate the ftp cisco com real address 10 1 3 14 to a mapped address 209 165 201 10 that is visible on the outside network In this case you want to enable DNS reply modification on this static rule so that inside users who have access to ftp cisco com using the real address receive the real address from the DNS server and not the...

Page 227: ...rver on Separate Networks The following figure shows a user on the inside network requesting the IP address for ftp cisco com which is on the DMZ network from an outside DNS server The DNS server replies with the mapped address 209 165 201 10 according to the static rule between outside and DMZ even though the user is not on the DMZ network The ASA translates the address inside the DNS reply to 10...

Page 228: ... Network The following figure shows an FTP server and DNS server on the outside The ASA has a static translation for the outside server In this case when an inside user requests the address for ftp cisco com from the DNS server the DNS server responds with the real address 209 165 20 10 Because you want inside users to use the mapped address for ftp cisco com 10 1 2 56 you need to configure DNS re...

Page 229: ...utside server In this case when an inside IPv6 user requests the address for ftp cisco com from the DNS server the DNS server responds with the real address 209 165 200 225 Because you want inside users to use the mapped address for ftp cisco com 2001 DB8 D1A5 C8E1 you need to configure DNS reply modification for the static translation This example also includes a static NAT translation for the DN...

Page 230: ...ig object network DNS_SERVER hostname config network object host 209 165 201 15 hostname config network object nat outside inside static 2001 DB8 D1A5 C90F 128 net to net Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network hostname config object network IPv4_POOL hostname config network object range 203 0 113 1 203 0 113 254 ftp cisco com 209 165 200 225 IPv4 Internet IPv6 Ne...

Page 231: ...ure shows an FTP server and DNS server on the outside The ASA has a static translation for the outside server In this case when an inside user performs a reverse DNS lookup for 10 1 2 56 the ASA modifies the reverse DNS query with the real address and the DNS server responds with the server name ftp cisco com Figure 10 22 PTR Modification DNS Server on Host Network ftp cisco com 209 165 201 10 DNS...

Page 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...

Page 233: ...P A R T 3 Service Policies and Application Inspection ...

Page 234: ......

Page 235: ...ice Policies page 11 18 Examples for Service Policies Modular Policy Framework page 11 18 History for Service Policies page 11 21 About Service Policies The following topics describe how service policies work The Components of a Service Policy page 11 1 Features Configured with Service Policies page 11 4 Feature Directionality page 11 4 Feature Matching Within a Service Policy page 11 5 Order in W...

Page 236: ... maps which define actions to apply to inspected traffic Keep in mind that inspection policy maps are not the same as service policy maps The following example compares how service policies appear in the CLI with how they appear in ASDM Note that there is not a one to one mapping between the figure call outs and lines in the CLI The following CLI is generated by the rules shown in the figure above...

Page 237: ...ss list inside_mpc_2 Policy map that actually defines the service policy rule set named test inside policy In ASDM this corresponds to the folder at call out 1 policy map test inside policy First rule in test inside policy named sip class inside Inspects SIP traffic The sip class inside rule applies the sip high inspection policy map to SIP inspection In ASDM each rule corresponds to call out 2 cl...

Page 238: ...ice Policies Feature For Through Traffic For Management Traffic See Application inspection multiple types All except RADIUS accounting RADIUS accounting only Chapter 12 Getting Started with Application Layer Protocol Inspection Chapter 13 Inspection of Basic Internet Protocols Chapter 14 Inspection for Voice and Video Protocols Chapter 15 Inspection of Database Directory and Management Protocols C...

Page 239: ...tion inspection includes multiple inspection types and most are mutually exclusive For inspections that can be combined each inspection is considered to be a separate feature Examples of Packet Matching For example If a packet matches a class map for connection limits and also matches a class map for an application inspection then both actions are applied If a packet matches a class map for HTTP i...

Page 240: ...meouts TCP sequence number randomization and TCP state bypass Note When a the ASA performs a proxy service such as AAA or CSC or it modifies the TCP payload such as FTP inspection the TCP normalizer acts in dual mode where it is applied before and after the proxy or payload modifying service 3 ASA CSC 4 Application inspections that can be combined with other inspections a IPv6 b IP options c WAAS ...

Page 241: ...he ASA applies the FTP inspection So in this case only you can configure multiple inspections for the same class map Normally the ASA does not use the port number to determine which inspection to apply thus giving you the flexibility to apply inspections to non standard ports for example This traffic class does not include the default ports for Cloud Web Security inspection 80 and 443 An example o...

Page 242: ...fferent policy map on the returning interface For example if you configure IPS on the inside and outside interfaces but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2 then a non stateful Ping will match virtual sensor 1 outbound but will match virtual sensor 2 inbound Guidelines for Service Policies IPv6 Guidelines Supports IPv6 for the following features Ap...

Page 243: ...nnections use the new service policy Existing connections continue to use the policy that was configured at the time of the connection establishment Output for the show command will not include data about the old connections For example if you remove a QoS service policy from an interface then add a modified version then the show service policy command only displays QoS counters associated with ne...

Page 244: ... h323 h225 _default_h323_map inspect h323 ras _default_h323_map inspect ip options _default_ip_options_map inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp _default_esmtp_map inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp service policy global_policy global Note See Incompatibility of Certain Feature Actions page 11 6 for more information about the specia...

Page 245: ...l other traffic You can use the class default class if desired rather than making your own match any class map In fact some features are only available for class default class map class default match any Configure Service Policies To configure service policies using the Modular Policy Framework perform the following steps Step 1 Identify the traffic on which you want to act by creating Layer 3 4 c...

Page 246: ...teria For example you might want to drop all HTTP requests with a URL including the text example com See Configure Application Layer Protocol Inspection page 12 9 Step 3 Define the actions you want to perform on each Layer 3 4 class map by creating a Layer 3 4 policy map as described in Define Actions Layer 3 4 Policy Map page 11 16 Step 4 Determine on which interfaces you want to apply the policy...

Page 247: ...ypes of class maps use the same name space so you cannot reuse a name already used by another type of class map The CLI enters class map configuration mode Example hostname config class map all_udp Step 2 Optional Add a description to the class map description string Example hostname config cmap description All UDP traffic Step 3 Match traffic using one of the following commands Unless otherwise s...

Page 248: ...ports and protocols in the ACL are ignored match dscp value1 value2 value8 Matches the DSCP value in an IP header up to eight DSCP values hostname config cmap match dscp af43 cs1 ef match precedence value1 value2 value3 value4 Matches up to four precedence values represented by the TOS byte in the IP header where value1 through value4 can be 0 to 7 corresponding to the possible precedences hostnam...

Page 249: ...eatures Configured with Service Policies page 11 4 Procedure Step 1 Create a management class map where class_map_name is a string up to 40 characters in length class map type management class_map_name The name class default is reserved All types of class maps use the same name space so you cannot reuse a name already used by another type of class map The CLI enters class map configuration mode Ex...

Page 250: ...ple hostname config pmap class all http Step 3 Specify one or more actions for this class map See Features Configured with Service Policies page 11 4 Note If there is no match default inspection traffic command in a class map then at most one inspect command is allowed to be configured under the class Step 4 Repeat the process for each class map you want to include in this policy map Examples The ...

Page 251: ...dle 2 0 0 hostname config pmap c set connection conn max 2000 When a Telnet connection is initiated it matches class telnet_traffic Similarly if an FTP connection is initiated it matches class ftp_traffic For any TCP connection other than Telnet and FTP it will match class tcp_traffic Even though a Telnet or FTP connection can match class tcp_traffic the ASA does not make this match because they p...

Page 252: ...ples for Service Policies Modular Policy Framework This section includes several Modular Policy Framework examples Applying Inspection and QoS Policing to HTTP Traffic page 11 18 Applying Inspection to HTTP Traffic Globally page 11 19 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers page 11 19 Applying Inspection to HTTP Traffic with NAT page 11 20 Applying Inspection ...

Page 253: ...mmands for this example hostname config class map http_traffic hostname config cmap match port tcp eq 80 hostname config policy map http_traffic_policy hostname config pmap class http_traffic hostname config pmap c inspect http hostname config service policy http_traffic_policy global Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers In this example any HTTP connection ...

Page 254: ...g class map http_serverB hostname config cmap match access list serverB hostname config policy map policy_serverA hostname config pmap class http_serverA hostname config pmap c inspect http hostname config pmap c set connection conn max 100 hostname config policy map policy_serverB hostname config pmap class http_serverB hostname config pmap c inspect http hostname config service policy policy_ser...

Page 255: ...192 168 1 1 Mapped IP 209 165 200 225 Server 209 165 201 1 port 80 insp Security appliance 143416 Feature Name Releases Description Modular Policy Framework 7 0 1 Modular Policy Framework was introduced Management class map for use with RADIUS accounting traffic 7 2 1 The management class map was introduced for use with RADIUS accounting traffic The following commands were introduced class map typ...

Page 256: ...11 22 Cisco ASA Series Firewall CLI Configuration Guide Chapter 11 Service Policy Using the Modular Policy Framework History for Service Policies ...

Page 257: ... protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path see the general operations configuration guide for more information about the fast path As a result inspection engines can affect overall throughput Several common inspection engines are enabled on the ASA by default but you might need to enable others depending on your network The followi...

Page 258: ...es any required operations for the packet the ASA forwards the packet to the destination system 6 The destination system responds to the initial request 7 The ASA receives the reply packet looks up the connection in the connection database and forwards the packet because it belongs to an established session The default configuration of the ASA includes a set of application inspection entries that ...

Page 259: ...plication Traffic matching criteria You match application traffic to criteria specific to the application such as a URL string for which you then enable actions For some traffic matching criteria you use regular expressions to match text inside a packet Be sure to create and test the regular expressions before you configure the policy map either singly or grouped together in a regular expression c...

Page 260: ...ion then it will never match any further match criteria If the first action is to log the packet then a second action such as resetting the connection can occur If a packet matches multiple match or class commands that are the same then they are matched in the order they appear in the policy map For example for a packet with the header length of 1001 it will match the first command below and be lo...

Page 261: ...cated over the state link IPv6 Supports IPv6 for the following inspections DNS FTP HTTP ICMP SCCP Skinny SIP SMTP IPsec pass through IPv6 VXLAN Supports NAT64 for the following inspections DNS FTP HTTP ICMP Additional Guidelines Some inspection engines do not support PAT NAT outside NAT or NAT between same security interfaces For more information about NAT support see Default Inspections and NAT L...

Page 262: ...tion to the traffic on all interfaces a global policy Default application inspection traffic includes traffic to the default ports for each protocol You can only apply one global policy so if you want to alter the global policy for example to apply inspection to non standard ports or to add inspections that are not enabled by default you need to either edit the default policy or disable it and app...

Page 263: ...raffic directed to an ASA interface is never inspected ICMP ERROR ILS LDAP TCP 389 No extended PAT No NAT64 Instant Messaging IM Varies by client No extended PAT No NAT64 RFC 3860 IP Options No NAT64 RFC 791 RFC 2113 IPsec Pass Through UDP 500 No PAT No NAT64 IPv6 No NAT64 RFC 2460 MGCP UDP 2427 2727 No extended PAT No NAT64 Clustering No static PAT RFC 2705bis 05 MMP TCP 5443 No extended PAT No N...

Page 264: ...000 No NAT on same security interfaces No extended PAT No per session PAT No NAT64 NAT46 or NAT66 Clustering No static PAT Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances SMTP and ESMTP TCP 25 No NAT64 RFC 821 1123 SNMP UDP 161 162 No NAT or PAT RFC 1155 1157 1212 1213 1215 v 2 RFC 1902 1908 v 3 RFC 2570 2580 SQL Net TCP 1521 No extended PAT No NAT64 Cluster...

Page 265: ...ault policy maps For example if you enable ESMTP inspection without specifying a map _default_esmtp_map is used The default inspection is described in the sections that explain each inspection type You can view these default maps using the show running config all policy map command DNS inspection is the only one that uses an explicitly configured default map preset_dns_map Configure Application La...

Page 266: ...r in this procedure shows which protocols allow inspection policy maps with pointers to the instructions on configuring them Step 3 Add or edit a Layer 3 4 policy map that sets the actions to take with the class map traffic hostname config policy map name hostname config pmap The default policy map is called global_policy This policy map includes the default inspections listed in Default Inspectio...

Page 267: ...p name in this command ftp strict map_name See FTP Inspection page 13 8 Use the strict keyword to increase the security of protected networks by preventing web browsers from sending embedded commands in FTP requests See Strict FTP page 13 9 for more information If you added an FTP inspection policy map according to Configure an FTP Inspection Policy Map page 13 10 identify the map name in this com...

Page 268: ...3 33 If you added an IPv6 inspection policy map according to Configure an IPv6 Inspection Policy Map page 13 34 identify the map name in this command mgcp map_name See MGCP Inspection page 14 12 If you added an MGCP inspection policy map according to Configuring an MGCP Inspection Policy Map for Additional Inspection Control page 14 14 identify the map name in this command netbios map_name See Net...

Page 269: ...IP inspection policy map according to Configure SIP Inspection Policy Map page 14 24 identify the map name in this command Specify a TLS proxy to enable inspection of encrypted traffic skinny map_name tls proxy proxy_name See Skinny SCCP Inspection page 14 30 If you added a Skinny inspection policy map according to Configure a Skinny SCCP Inspection Policy Map for Additional Inspection Control pag...

Page 270: ...ASA performance can be impacted If you want to match non standard ports then create a new class map for the non standard ports See Default Inspections and NAT Limitations page 12 6 for the standard ports for each inspection engine You can combine multiple class maps in the same policy if desired so you can create one class map to match certain traffic and another to match different traffic However...

Page 271: ...rmation when matching a regular expression to packets In general matching against long input strings or trying to match a large number of regular expressions will reduce system performance Note As an optimization the ASA searches on the deobfuscated URL Deobfuscation compresses multiple forward slashes into a single slash For strings that commonly use double slashes like http be sure to search for...

Page 272: ...n uppercase letter a c Character range class Matches any character in the range a z matches any lowercase letter You can mix characters and ranges abcq z matches a b c q r s t u v w x y z and so does a cq z The dash character is literal only if it is the last or the first character within the brackets abc or abc Quotation marks Preserves trailing or leading spaces in the string For example test pr...

Page 273: ...he regular_expression argument can be up to 100 characters in length Examples The following example creates two regular expressions for use in an inspection policy map hostname config regex url_example example com hostname config regex url_example2 example2 com Create a Regular Expression Class Map A regular expression class map identifies one or more regular expression It is simply a collection o...

Page 274: ...match any URLs hostname config cmap match regex url_example hostname config cmap match regex url_example2 History for Application Inspection Feature Name Releases Description Inspection policy maps 7 2 1 The inspection policy map was introduced The following command was introduced class map type inspect Regular expressions and policy maps 7 2 1 Regular expressions and policy maps were introduced t...

Page 275: ...e 13 1 FTP Inspection page 13 8 HTTP Inspection page 13 14 ICMP Inspection page 13 21 ICMP Error Inspection page 13 21 Instant Messaging Inspection page 13 21 IP Options Inspection page 13 26 IPsec Pass Through Inspection page 13 30 IPv6 Inspection page 13 33 NetBIOS Inspection page 13 37 PPTP Inspection page 13 39 SMTP and Extended SMTP Inspection page 13 39 TFTP Inspection page 13 45 DNS Inspect...

Page 276: ... is enabled so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query Translation of the DNS record based on the NAT configuration is enabled Protocol enforcement is enabled which enables DNS message format check including domain...

Page 277: ... class maps To specify traffic that should not match the class map use the match not command For example if the match not command specifies the string example com then any traffic that includes example com does not match the class map For the traffic that you identify in this class map you specify actions to take on the traffic in the inspection policy map If you want to perform different actions ...

Page 278: ...he question keyword specifies the question portion of a DNS message The resource record keyword specifies one of these sections of the resource record answer authority or additional For example match resource record answer match not domain name regex regex_name class class_name Matches the DNS message domain name list against the specified regular expression or regular expression class d Enter exi...

Page 279: ... Set one or more parameters You can set the following options use the no form of the command to disable the option dns guard Enables DNS Guard The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query id mismatch count number durati...

Page 280: ...Policy The default ASA configuration includes DNS inspection on the default port applied globally on all interfaces A common method for customizing the inspection configuration is to customize the default global policy You can alternatively create a new service policy as desired for example an interface specific policy Procedure Step 1 If necessary create an L3 L4 class map to identify the traffic...

Page 281: ...by the Botnet Traffic Filter Include this keyword only if you use Botnet Traffic Filtering We suggest that you enable DNS snooping only on interfaces where external DNS requests are going Enabling DNS snooping on all UDP DNS traffic including that going to an internal DNS server creates unnecessary load on the ASA Example hostname config class no inspect dns hostname config class inspect dns dns m...

Page 282: ...and the idle timer for each app_id runs independently Because the app_id expires independently a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build up However when you enter the show conn command you see the idle timer of a DNS connection being reset by a new DNS session This is due to the nature of the shared DNS con...

Page 283: ... appear in an error string Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs If the strict option is enabled each FTP command and response sequence is tracked for the following anomalous activity Truncated command Number of commas in the PORT and PASV reply command is checked to see if it is five If it is not five then the PORT comma...

Page 284: ...based on user values is also supported so that it is possible for FTP sites to post files for download but restrict access to certain users You can block FTP connections based on file type server name and other attributes System message logs are generated if an FTP connection is denied after inspection If you want FTP inspection to allow FTP servers to reveal their system type to FTP clients and l...

Page 285: ...tch not command then any traffic that does not match the criterion in the match not command has the action applied match not filename regex regex_name class class_name Matches the filename in the FTP transfer against the specified regular expression or regular expression class match not filetype regex regex_name class class_name Matches the file type in the FTP transfer against the specified regul...

Page 286: ... reset log The reset keyword drops the packet closes the connection and sends a TCP reset to the server or client Add the log keyword to send a system log message You can specify multiple class or match commands in the policy map For information about the order of class and match commands see How Multiple Traffic Classes are Handled page 12 4 Step 5 To configure parameters that affect the inspecti...

Page 287: ...includes default ports for all inspection types match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 11 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example ho...

Page 288: ...global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Verifying and Monitoring FTP Inspection FTP application inspection generates the foll...

Page 289: ...cation firewall and is available when you configure an HTTP inspection policy map can help prevent attackers from using HTTP messages for circumventing network security policy HTTP application inspection can block tunneled applications and non ASCII characters in HTTP requests and responses preventing malicious content from reaching the web server Size limiting of various elements in HTTP request ...

Page 290: ...directly in the policy map a Create the class map by entering the following command hostname config class map type inspect http match all match any class_map_name hostname config cmap Where the class_map_name is the name of the class map The match all keyword is the default and specifies that traffic must match all criteria to match the class map The match any keyword specifies that the traffic ma...

Page 291: ...ect copy delete edit get getattribute getattributenames getproperties head index lock mkcol mkdir move notify options poll post propfind proppatch put revadd revlabel revlog revnum save search setattribute startrev stoprev subscribe trace unedit unlock unsubscribe match not request uri regex regex_name class class_name length gt bytes Matches text found in the HTTP request message URI against the ...

Page 292: ...me hostname config pmap c Specify traffic directly in the policy map using one of the match commands described for HTTP class maps If you use a match not command then any traffic that does not match the criterion in the match not command has the action applied b Specify the action you want to perform on the matching traffic by entering the following command hostname config pmap c drop connection l...

Page 293: ...match regex url2 hostname config cmap exit hostname config class map type regex match any methods_to_log hostname config cmap match regex get hostname config cmap match regex put hostname config cmap exit hostname config class map type inspect http http_url_policy hostname config cmap match request uri regex class url_to_log hostname config cmap match request method regex class methods_to_log host...

Page 294: ...u are specifying the class you created earlier in this procedure Step 4 Configure HTTP inspection inspect http http_policy_map Where http_policy_map is the optional HTTP inspection policy map You need a map only if you want non default inspection processing For information on creating the HTTP inspection policy map see Configure an HTTP Inspection Policy Map page 13 16 Example hostname config clas...

Page 295: ...ssages ICMP error messages generated by the intermediate nodes between the inside host and the ASA reach the outside host without consuming any additional NAT resource This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the ASA When the ASA does not translate the intermediate hops all the intermediate hops appear with the mappe...

Page 296: ...mple if the match not command specifies the string example com then any traffic that includes example com does not match the class map For the traffic that you identify in this class map you specify actions to take on the traffic in the inspection policy map If you want to perform different actions for each match command you should identify the traffic directly in the policy map a Create the class...

Page 297: ...ocol d Enter exit to leave class map configuration mode Step 2 Create an IM inspection policy map hostname config policy map type inspect im policy_map_name hostname config pmap Where the policy_map_name is the name of the policy map The CLI enters policy map configuration mode Step 3 Optional To add a description to the policy map enter the following command hostname config pmap description strin...

Page 298: ...tname config cmap match filename regex exe_files hostname config class map type inspect im match all yahoo_im_policy hostname config cmap match login name regex class yahoo_src_login_name_regex hostname config cmap match peer login name regex class yahoo_dst_login_name_regex hostname config class map type inspect im match all yahoo_im_policy2 hostname config cmap match version regex yahoo_version_...

Page 299: ...obal_policy as the policy name Step 3 Identify the L3 L4 class map you are using for IM inspection class name Example hostname config pmap class inspection_default To edit the default policy or to use the special inspection_default class map in a new policy specify inspection_default for the name Otherwise you are specifying the class you created earlier in this procedure Step 4 Configure IM inspe...

Page 300: ...s IP Options provide for control functions that are required in some situations but unnecessary for most common communications In particular IP Options include provisions for time stamps security and special routing Use of IP Options is optional and the field can contain zero one or more options For a list of IP options with references to the relevant RFCs see the IANA page http www iana org assig...

Page 301: ...t boundary Router Alert RTRALT or IP Option 20 This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet s delivery path Dropping RSVP packets containing the Router Alert option ca...

Page 302: ... form of the command to disable the option In all cases the allow action allows packets that contain the option without modification the clear action allows the packets but removes the option from the header Any packet that contains an option that you do not include in the map is dropped For a description of the options see Supported IP Options for Inspection page 13 27 eool action allow clear All...

Page 303: ...ed earlier in this procedure Step 4 Configure IP options inspection inspect ip options ip_options_policy_map Where ip_options_policy_map is the optional IP options inspection policy map You need a map only if you want non default inspection processing For information on creating the IP options inspection policy map see Configure an IP Options Inspection Policy Map page 13 28 Example hostname confi...

Page 304: ...eginning of the session and negotiation of cryptographic keys to be used during the session IPsec can be used to protect data flows between a pair of hosts for example computer users or servers between a pair of security gateways such as routers or firewalls or between a security gateway and a host IPsec Pass Through application inspection provides convenient traversal of ESP IP protocol 50 and AH...

Page 305: ...s a To enter parameters configuration mode enter the following command hostname config pmap parameters hostname config pmap p b Set one or more parameters You can set the following options use the no form of the command to disable the option esp per client max number timeout time Allows ESP tunnels and sets the maximum connections allowed per client and the idle timeout in hh mm ss format To allow...

Page 306: ...e policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 11 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to edit the g...

Page 307: ... policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface IPv6 Inspection IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header In addition IPv6 inspection can check conformance to RFC 2460 for type and order of extension headers in IPv6 packets Defaults for IPv6 Inspection page 13 33 Configure I...

Page 308: ...scription string Step 3 Optional Drop or log traffic based on the headers in IPv6 messages a Identify the traffic based on the IPv6 header hostname config pmap match header type Where type is one of the following ah Matches the IPv6 Authentication extension header count gt number Specifies the maximum number of IPv6 extension headers from 0 to 255 destination option Matches the IPv6 destination op...

Page 309: ... type 0 headers It also enforces header order and type policy map type inspect ipv6 ipv6 pm parameters verify header type verify header order match header hop by hop drop log match header destination option drop log match header routing address count gt 0 drop log match header routing type eq 0 drop log policy map global_policy class class default inspect ipv6 ipv6 pm service policy global_policy ...

Page 310: ...you are specifying the class you created earlier in this procedure Step 4 Configure IPv6 inspection inspect ipv6 ipv6_policy_map Where ipv6_policy_map is the optional IPv6 inspection policy map You need a map only if you want non default inspection processing For information on creating the inspection policy map see Configure an IPv6 Inspection Policy Map page 13 34 Example hostname config class n...

Page 311: ...pection Procedure Step 1 Create a NetBIOS inspection policy map hostname config policy map type inspect netbios policy_map_name hostname config pmap Where the policy_map_name is the name of the policy map The CLI enters policy map configuration mode Step 2 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 3 Enter parameters con...

Page 312: ...es match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 11 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the...

Page 313: ...between the two hosts When enabled PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic Specifically the ASA inspects the PPTP version announcements and the outgoing call request response sequence Only PPTP Version 1 as defined in RFC 2637 is inspected Further inspection on the TCP control channel is disa...

Page 314: ...MTP inspection engine changes the characters in the server SMTP banner to asterisks except for the 2 0 0 characters Carriage return CR and linefeed LF characters are ignored With SMTP inspection enabled a Telnet session used for interactive SMTP may hang if the following rules are not observed SMTP commands must be at least four characters in length must be terminated with carriage return and line...

Page 315: ...ged Connections with more than 100 recipients are dropped and logged Messages with body length greater than 998 bytes are logged Connections with header line length greater than 998 are dropped and logged Messages with MIME filenames greater than 255 characters are dropped and logged EHLO reply parameters matching others are masked Following is the policy map configuration policy map type inspect ...

Page 316: ...ters policy map configuration mode Step 2 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 3 To apply actions to matching traffic perform the following steps a Specify the traffic on which you want to perform actions using one of the following match commands If you use a match not command then any traffic that does not match t...

Page 317: ...traffic by entering the following command hostname config pmap c drop connection log mask log reset log log rate limit message_rate Not all options are available for each match command See the CLI help or the command reference for the exact options available The drop connection keyword drops the packet and closes the connection The mask keyword masks out the matching portion of the packet This act...

Page 318: ...p_map hostname config pmap match sender address regex class senders_black_list hostname config pmap c drop connection log hostname config policy map outside_policy hostname config pmap class inspection_default hostname config pmap c inspect esmtp advanced_esmtp_map hostname config service policy outside_policy interface outside Configure the ESMTP Inspection Service Policy The default ASA configur...

Page 319: ...see Configure the ESMTP Inspection Service Policy page 13 44 Example hostname config class no inspect esmtp hostname config class inspect esmtp esmtp map Note If you are editing the default global policy or any in use policy to use a different inspection policy map you must remove the ESMTP inspection with the no inspect esmtp command and then re add it with the new inspection policy map name Step...

Page 320: ...ation if necessary are allocated on a reception of a valid read RRQ or write WRQ request This secondary channel is subsequently used by TFTP for file transfer or error notification Only the TFTP server can initiate traffic over the secondary channel and at most one incomplete secondary channel can exist between the TFTP client and server An error notification from the server closes the secondary c...

Page 321: ...ports NAT PAT and bidirectional NAT This enables Cisco IP SoftPhone and other Cisco TAPI JTAPI applications to work successfully with Cisco CallManager for call setup across the ASA TAPI and JTAPI are used by many Cisco VoIP applications CTIQBE is used by Cisco TSP to communicate with Cisco CallManager For information on enabling CTIQBE inspection see Configure Application Layer Protocol Inspectio...

Page 322: ...l 1 LOCAL FOREIGN STATE HEARTBEAT 1 10 0 0 99 1117 172 29 1 77 2748 1 120 RTP RTCP PAT xlates mapped to 172 29 1 99 1028 1029 MEDIA Device ID 27 Call ID 0 Foreign 172 29 1 99 1028 1029 Local 172 29 1 88 26822 26823 The CTI device has already registered with the CallManager The device internal address and RTP listening port is PATed to 172 29 1 99 UDP port 1028 Its RTCP listening port is PATed to U...

Page 323: ... describe the H 323 application inspection H 323 Inspection Overview page 14 3 How H 323 Works page 14 4 H 239 Support in H 245 Messages page 14 5 Limitations for H 323 Inspection page 14 5 Configure H 323 Inspection page 14 6 Configuring H 323 and H 225 Timeout Values page 14 10 Verifying and Monitoring H 323 Inspection page 14 10 H 323 Inspection Overview H 323 inspection provides support for H ...

Page 324: ...ol Port You must permit traffic for the well known H 323 port 1719 for RAS signaling Additionally you must permit traffic for the well known H 323 port 1720 for the H 225 call signaling however the H 245 signaling ports are negotiated between the endpoints in the H 225 signaling When an H 323 gatekeeper is used the ASA opens an H 225 connection based on inspection of the ACF and RCF messages After...

Page 325: ...rs on the H 245 channel The ASA opens pinholes for the additional media channel and the media control channel The endpoints use open logical channel message OLC to signal a new channel creation The message extension is part of H 245 version 13 The decoding and encoding of the telepresentation session is enabled by default H 239 encoding and decoding is preformed by ASN 1 coder Limitations for H 32...

Page 326: ...ements directly in the policy map The following procedure explains both approaches Before You Begin Some traffic matching options use regular expressions for matching purposes If you intend to use one of those techniques first create the regular expression or regular expression class map Procedure Step 1 Optional Create an H 323 inspection class map by performing the following steps A class map gr...

Page 327: ...he policy map The CLI enters policy map configuration mode Step 3 Optional To add a description to the policy map enter the following command hostname config pmap description string Step 4 To apply actions to matching traffic perform the following steps You can specify multiple class or match commands in the policy map For information about the order of class and match commands see How Multiple Tr...

Page 328: ...rmance The optional enforce payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange state checking h225 ras Enables state checking validation You can enter the command separately to enable state checking for H 225 and RAS Step 6 While still in parameter configuration mode you can configure HSI groups a Define an HSI group and enter HSI group configuration...

Page 329: ... new service policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 11 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to...

Page 330: ...s You can configure H 323 H 255 global timeout values on the Configuration Firewall Advanced Global Timeouts page You can set the interval for inactivity after which an H 255 signaling connection is closed default is 1 hour or an H 323 control connection is closed default is 5 minutes To configure the idle time after which an H 225 signaling connection is closed use the timeout h225 command The de...

Page 331: ...245 sessions established across the ASA by endpoints using slow start Slow start is when the two endpoints of a call open another TCP control channel for H 245 Fast start is where the H 245 messages are exchanged as part of the H 225 messages on the H 225 control channel The following is sample output from the show h245 command hostname show h245 Total 1 LOCAL TPKT FOREIGN TPKT 1 10 130 56 3 1041 ...

Page 332: ... is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external global addresses Examples of media gateways are Trunking gateways that interface between ...

Page 333: ...DP port 2727 to receive commands from the gateway Note MGCP inspection does not support the use of different IP addresses for MGCP signaling and RTP data A common and recommended practice is to send RTP data from a resilient IP address such as a loopback or virtual IP address however the ASA requires the RTP data to come from the same address as MGCP signaling Configure MGCP Inspection Use the fol...

Page 334: ...an the one a gateway sends a command to so that any of the call agents can send the response Call agents with the same group_id belong to the same group A call agent may belong to more than one group The group_id option is a number from 0 to 4294967295 The ip_address option specifies the IP address of the call agent Note MGCP call agents send AUEP messages to determine if MGCP end points are prese...

Page 335: ...t ports for all inspection types match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matching statements see Identify Traffic Layer 3 4 Class Maps page 11 13 Step 2 Add or edit a policy map that sets the actions to take with the class map traffic policy map name Example hostname config p...

Page 336: ...figuration Firewall Advanced Global Timeouts page You can set the interval for inactivity after which an MGCP media connection is closed default is 5 minutes You can also set the timeout for PAT xlates 30 seconds The timeout mgcp command lets you set the interval for inactivity after which an MGCP media connection is closed The default is 5 minutes The timeout mgcp pat command lets you set the tim...

Page 337: ...RTSP is used by RealAudio RealNetworks Apple QuickTime 4 RealPlayer and Cisco IP TV connections Note For Cisco IP TV use RTSP TCP ports 554 and 8554 RTSP applications use the well known port 554 with TCP rarely UDP as a control channel The ASA only supports TCP in conformity with RFC 2326 This TCP control channel is used to negotiate the data channels that are used to transmit audio video traffic ...

Page 338: ...n The following restrictions apply to the RSTP inspection The ASA does not support multicast RTSP or RTSP messages over UDP The ASA does not have the ability to recognize HTTP cloaking where RTSP messages are hidden in the HTTP messages The ASA cannot perform NAT on RTSP messages because the embedded IP addresses are contained in the SDP files as part of HTTP or RTSP messages Packets could be frag...

Page 339: ...you identify in this class map you specify actions to take on the traffic in the inspection policy map If you want to perform different actions for each match command you should identify the traffic directly in the policy map a Create the class map by entering the following command hostname config class map type inspect rtsp match all match any class_map_name hostname config cmap Where class_map_n...

Page 340: ... or with drop connection sends a system log message The rate limit message_rate argument limits the rate of messages per second This option is available for request method matching You can specify multiple class or match commands in the policy map For information about the order of class and match commands see How Multiple Traffic Classes are Handled page 12 4 Step 5 To configure parameters that a...

Page 341: ...tname config class map rtsp_class_map hostname config cmap match access list rtsp In the default global policy the inspection_default class map is a special class map that includes default ports for all inspection types match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matching stateme...

Page 342: ...s and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface SIP Inspection SIP is a widely used protocol for Internet conferencing telephony presence events notification and instant messaging Partially because of its text ba...

Page 343: ...ine opens pinholes that time out according to the configured SIP timeout value This value must be configured at least five minutes longer than the subscription duration The subscription duration is defined in the Contact Expires value and is typically 30 minutes Because MESSAGE INFO requests are typically sent using a dynamically allocated port other than port 5060 they are required to go through ...

Page 344: ...ed RTP conformance Not enforced SIP conformance Do not perform state checking and header validation Also note that inspection of encrypted traffic is not enabled You must configure a TLS proxy to inspect encrypted traffic Configure SIP Inspection SIP application inspection provides address translation in message header and body dynamic opening of ports and basic sanity checks It also supports appl...

Page 345: ... that traffic must match all criteria to match the class map The match any keyword specifies that the traffic matches the class map if it matches at least one match statement The CLI enters class map configuration mode where you can enter one or more match commands b Optional To add a description to the class map enter the following command hostname config cmap description string Where string is t...

Page 346: ...owing command hostname config pmap class class_map_name hostname config pmap c Specify traffic directly in the policy map using one of the match commands described for SIP class maps If you use a match not command then any traffic that does not match the criterion in the match not command has the action applied b Specify the action you want to perform on the matching traffic by entering the follow...

Page 347: ...g log Enables strict verification of the header fields in the SIP messages according to RFC 3261 You must also choose the action to take for non conforming traffic drop packet drop connection reset or log and whether to enable or disable logging traffic non sip Allows non SIP traffic on the well known SIP signaling port trust verification server ip ip_address Identifies Trust Verification Services...

Page 348: ...er Example hostname config class map sip_class_map hostname config cmap match access list sip In the default global policy the inspection_default class map is a special class map that includes default ports for all inspection types match default inspection traffic If you are using this class map in either the default policy or for a new service policy you can skip this step For information on matc...

Page 349: ...e policy global_policy global The global keyword applies the policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Configure SIP Timeout Values The media connections are torn down within two ...

Page 350: ... The following sections describe SCCP application inspection SCCP Inspection Overview page 14 30 Supporting Cisco IP Phones page 14 31 Limitations for SCCP Inspection page 14 31 Default SCCP Inspection page 14 31 Configure SCCP Skinny Inspection page 14 32 Verifying and Monitoring SCCP Inspection page 14 35 SCCP Inspection Overview Skinny SCCP is a simplified protocol used in VoIP networks Cisco I...

Page 351: ...security interface compared to the TFTP server and Cisco CallManager no ACL or static entry is required to allow the Cisco IP Phones to initiate the connection Limitations for SCCP Inspection SCCP inspection is tested and supported for Cisco Unified Communications Manager CUCM 7 0 8 0 8 6 and 10 5 It is not supported for CUCM 8 5 or 9 x SCCP inspection might work with other releases and products I...

Page 352: ... inspection policy map when you enable SCCP inspection Procedure Step 1 Create an SCCP inspection policy map hostname config policy map type inspect skinny policy_map_name hostname config pmap Where the policy_map_name is the name of the policy map The CLI enters policy map configuration mode Step 2 Optional Add a description to the policy map hostname config pmap description string Step 3 Optiona...

Page 353: ...ts for media and signaling connections in hh mm ss format To have no timeout specify 0 for the number The default media timeout is 5 minutes the default signaling timeout is one hour Example The following example shows how to define an SCCP inspection policy map hostname config policy map type inspect skinny skinny map hostname config pmap parameters hostname config pmap p enforce registration hos...

Page 354: ..._default class map in a new policy specify inspection_default for the name Otherwise you are specifying the class you created earlier in this procedure Step 4 Configure SCCP inspection inspect skinny sccp_policy_map tls proxy proxy_name Where sccp_policy_map is the optional SCCP inspection policy map You need a map only if you want non default inspection processing For information on creating the ...

Page 355: ...TATE 1 10 0 0 11 52238 172 18 1 33 2000 1 MEDIA 10 0 0 11 22948 172 18 1 22 20798 2 10 0 0 22 52232 172 18 1 33 2000 1 MEDIA 10 0 0 22 20798 172 18 1 11 22948 The output indicates that a call has been established between two internal Cisco IP Phones The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively The following is sample output from the show xlate debug c...

Page 356: ... support in ASA clustering 9 4 1 You can now configure SIP inspection on the ASA cluster A control flow can be created on any unit due to load balancing but its child data flows must reside on the same unit TLS Proxy configuration is not supported We introduced the following command show cluster service policy SIP inspection support for Phone Proxy and UC IME Proxy was removed 9 4 1 You can no lon...

Page 357: ...TP Inspection page 15 5 ILS Inspection page 15 12 RADIUS Accounting Inspection page 15 13 RSH Inspection page 15 16 SNMP Inspection page 15 16 SQL Net Inspection page 15 18 Sun RPC Inspection page 15 19 XDMCP Inspection page 15 21 VXLAN Inspection page 15 22 History for Database Directory and Management Protocol Inspection page 15 22 DCERPC Inspection The following sections describe the DCERPC ins...

Page 358: ... supports the following UUIDs and messages End point mapper EPM UUID All EPM messages are supported ISystemMapper UUID non EPM Supported messages are RemoteCreateInstance opnum4 RemoteGetClassObject opnum3 Any message that does not contain an IP address or port information because these messages do not require inspection Configure DCERPC Inspection DCERPC inspection is not enabled by default You m...

Page 359: ...point mapper service You can configure the timeout for pinholes generated from the lookup operation If no timeout is configured for the lookup operation the timeout pinhole command or the default is used Example The following example shows how to define a DCERPC inspection policy map with the timeout configured for DCERPC pinholes hostname config policy map type inspect dcerpc dcerpc_map hostname ...

Page 360: ...rwise you are specifying the class you created earlier in this procedure Step 4 Configure DCERPC inspection inspect dcerpc dcerpc_policy_map Where dcerpc_policy_map is the optional DCERPC inspection policy map You need a map only if you want non default inspection processing For information on creating the inspection policy map see Configure a DCERPC Inspection Policy Map page 15 2 Example hostnam...

Page 361: ...t The GGSN is the interface between the GPRS wireless data network and other networks The SGSN performs mobility data session management and data compression Figure 15 1 GPRS Tunneling Protocol The UMTS is the commercial convergence of fixed line telephony mobile Internet and computer technology UTRAN is the networking protocol used for implementing wireless networks in this system GTP allows mult...

Page 362: ...nic connections to the standby unit Defaults for GTP Inspection GTP inspection is not enabled by default However if you enable it without specifying your own inspection map a default map is used which provides the following processing You need to configure a map only if you want different values Errors are not permitted The maximum number of requests is 200 The maximum number of tunnels is 500 The...

Page 363: ...ass_name Matches the access point name APN against the specified regular expression or regular expression class match not message id message_id range message_id_1 message_id_2 Matches the message ID which can be 1 to 255 You can specify a single ID or a range of IDs match not message length min bytes max bytes Matches messages where the length of the UDP payload GTP header plus the rest of the mes...

Page 364: ...est keyword specifies the maximum period of time allowed before beginning to receive the GTP message The signaling keyword specifies the period of inactivity after which the GTP signaling will be removed The tunnel keyword specifies the period of inactivity after which the GTP tunnel will be torn down Step 5 While still in parameter configuration mode configure IMSI prefix filtering if desired hos...

Page 365: ...work gsnpool32 hostname config network network object 192 168 100 0 255 255 255 0 hostname config object group network sgsn32 hostname config network network object host 192 168 50 100 hostname config policy map type inspect gtp gtp policy hostname config gtp map gtp policy hostname config pmap parameters hostname config pmap p permit response to object group sgsn32 from object group gsnpool32 Exa...

Page 366: ... the name Otherwise you are specifying the class you created earlier in this procedure Step 4 Configure GTP inspection inspect gtp gtp_policy_map Where gtp_policy_map is the optional GTP inspection policy map You need a map only if you want non default inspection processing For information on creating the inspection policy map see Configure a GTP Inspection Policy Map page 15 7 Example hostname co...

Page 367: ...gtp statistics gsn 10 9 9 9 1 in use 1 most used timeout 0 00 00 GTP GSN Statistics for 10 9 9 9 Idle 0 00 00 restart counter 0 Tunnels Active 0Tunnels Created 0 Tunnels Destroyed 0 Total Messages Received 2 Signaling Messages Data Messages total received 2 0 dropped 0 0 forwarded 2 0 Use the show service policy inspect gtp pdp context command to display PDP context related information For example...

Page 368: ...nactivity interval By default this interval is 60 minutes and can be adjusted using the TCP timeout command In ASDM this is on the Configuration Firewall Advanced Global Timeouts pane ILS LDAP follows a client server model with sessions handled over a single TCP connection Depending on the client s actions several of these sessions may be created During connection negotiation time a BIND PDU is se...

Page 369: ...of attack by ensuring the traffic seen by the GGSN is legitimate With the RADIUS accounting feature properly configured the ASA tears down a connection based on matching the Framed IP attribute in the Radius Accounting Request Start message with the Radius Accounting Request Stop message When the Stop message is seen with the matching IP address in the Framed IP attribute the ASA looks for all con...

Page 370: ... down all connections that have a source IP matching the User IP address on the configured interface validate attribute number Additional criteria to use when building a table of user accounts when receiving Accounting Request Start messages These attributes help when the ASA decides whether to tear down connections If you do not specify additional attributes to validate the decision is based sole...

Page 371: ... type management name match port access list parameter Example hostname config class map type management radius class map hostname config cmap match port udp eq radius acct In this example the match is for the radius acct UDP port which is 1646 You can specify a different port a range of ports match port udp range number1 number2 or use match access list acl_name and use an ACL Step 2 Add or edit ...

Page 372: ...terface RSH Inspection RSH inspection is enabled by default The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514 The client and server negotiate the TCP port number where the client listens for the STDERR output stream RSH inspection supports NAT of the negotiated port number if necessary For information on enabling RSH inspection see Configure Application L...

Page 373: ...y map that sets the actions to take with the class map traffic policy map name Example hostname config policy map global_policy In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to edit the global_policy enter global_policy as the policy name Step 4 Identify the L3 L4 class map you are using for SNMP inspection class name Example hostname ...

Page 374: ...e same port as the SQL control TCP port 1521 The security appliance acts as a proxy when SQL Net inspection is enabled and reduces the client window size from 65000 to about 16000 causing data transfer issues The ASA translates all addresses and looks in the packets for all embedded ports to open for SQL Net Version 1 For SQL Net Version 2 all DATA or REDIRECT packets that immediately follow REDIR...

Page 375: ...ber of the service The client sends its Sun RPC queries to the server specifying the port identified by the port mapper process When the server replies the ASA intercepts this packet and opens both embryonic TCP and UDP connections on that port Tip Sun RPC inspection is enabled by default You simply need to manage the Sun RPC server table to identify which services are allowed to traverse the fire...

Page 376: ...er the following command hostname config clear sunrpc server active This clears the pinholes that are opened by Sun RPC application inspection for specific services such as NFS or NIS Verifying and Monitoring Sun RPC Inspection The sample output in this section is for a Sun RPC server with an IP address of 192 168 100 2 on the inside interface and a Sun RPC client with an IP address of 209 168 200...

Page 377: ...lockmgr 100021 4 udp 32771 nlockmgr 100021 1 tcp 32852 nlockmgr 100021 3 tcp 32852 nlockmgr 100021 4 tcp 32852 nlockmgr 100005 1 udp 647 mountd 100005 1 tcp 650 mountd 100005 2 udp 647 mountd 100005 2 tcp 650 mountd 100005 3 udp 647 mountd 100005 3 tcp 650 mountd In this output port 647 corresponds to the mountd daemon running over UDP The mountd process would more commonly be using port 32780 The...

Page 378: ...s those checks are done as a normal part of decapsulating VXLAN packets VXLAN packets are UDP normally on port 4789 This port is part of the default inspection traffic class so you can simply add VXLAN inspection to the inspection_default service policy rule Alternatively you can create a class for it using port or ACL matching History for Database Directory and Management Protocol Inspection Feat...

Page 379: ...P A R T 4 Connection Management and Threat Detection ...

Page 380: ......

Page 381: ...fic using service policies All traffic class timeouts have default values so you do not have to set them Connection limits and TCP Intercept By default there are no limits on how many connections can go through or to the ASA You can set limits on particular traffic classes using service policy rules to protect servers from denial of service DoS attacks Particularly you can set limits on embryonic ...

Page 382: ...se services on specific traffic classes only and not as a general service The following general procedure covers the gamut of possible connection setting configurations Pick and choose which to implement based on your needs Procedure Step 1 Configure Global Timeouts page 16 3 These settings change the default idle timeouts for various protocols for all traffic that passes through the device If you...

Page 383: ...his duration must be at least 1 minute The default is 2 minutes timeout icmp hh mm ss The idle time for ICMP between 0 0 2 and 1193 0 0 The default is 2 seconds 0 0 2 timeout sunrpc hh mm ss The idle time until a SunRPC slot is freed This duration must be at least 1 minute The default is 10 minutes timeout H323 hh mm ss The idle time after which H 245 TCP and H 323 UDP media connections close betw...

Page 384: ... multiple static routes exist to a network with different metrics the ASA uses the one with the best metric at the time of connection creation If a better route becomes available then this timeout lets connections be closed so a connection can be reestablished to use the better route The default is 0 the connection never times out To take advantage of this feature change the timeout to a new value...

Page 385: ... connections and embryonic connections where n is the number of cores For example if your model has 4 cores if you configure 6 concurrent connections and 4 embryonic connections you could have an additional 3 of each type To determine the number of cores for your model enter the show cpu core command Procedure Step 1 Create an L3 L4 class map to identify the servers you are protecting Use an acces...

Page 386: ...ntercept The rate interval keyword sets the size of the history monitoring window between 1 and 1440 minutes The default is 30 minutes During this interval the ASA samples the number of attacks 30 times The burst rate keyword sets the threshold for syslog message generation between 25 and 2147483647 The default is 400 per second When the burst rate is exceeded syslog message 733104 is generated Th...

Page 387: ...sing service policies Procedure Step 1 Create a TCP map to specify the TCP normalization criteria that you want to look for hostname config tcp map tcp map name Step 2 Configure the TCP map criteria by entering one or more of the following commands The defaults are used for any commands you do not enter Use the no form of a command to disable the setting check retransmission Prevent inconsistent T...

Page 388: ...q past window allow drop Set the action for packets that have past window sequence numbers namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window You can allow the packets only if the queue limit command is set to 0 disabled The default is to drop the packets synack data allow drop Allow or drop TCP SYNACK packets that contain data The defaul...

Page 389: ...ap class normalization In the default configuration the global_policy policy map is assigned globally to all interfaces If you want to edit the global_policy enter global_policy as the policy name For information on matching statements for class maps see Identify Traffic Layer 3 4 Class Maps page 11 13 b Apply the TCP map set connection advanced options tcp map name Example hostname config pmap c ...

Page 390: ...based on the security policy The ASA maximizes the firewall performance by checking the state of each packet is this a new connection or an established connection and assigning it to either the session management path a new connection SYN packet the fast path an established connection or the control plane path advanced inspection See the general operations configuration guide for more detailed inf...

Page 391: ...t path to establish the connection in the fast path Once in the fast path the traffic bypasses the fast path checks Guidelines for TCP State Bypass TCP State Bypass Unsupported Features The following features are not supported when you use TCP state bypass Application inspection Application inspection requires both inbound and outbound traffic to go through the same ASA so application inspection i...

Page 392: ...hostname config class map bypass class hostname config cmap match access list bypass Step 2 Add or edit a policy map that sets the actions to take with the class map traffic and identify the class map policy map name class name Example hostname config policy map global_policy hostname config pmap class bypass class In the default configuration the global_policy policy map is assigned globally to a...

Page 393: ...ion You can disable TCP initial sequence number randomization if necessary for example because data is getting scrambled For example If another in line firewall is also randomizing the initial sequence numbers there is no need for both firewalls to be performing this action even though this action does not affect the traffic If you use eBGP multi hop through the ASA and the eBGP peers are using MD...

Page 394: ...erent connection settings for specific traffic classes using service policies Use service policies to Customize connection limits and timeouts used to protect against DoS and SYN flooding attacks Implement Dead Connection Detection so that valid but idle connections remain alive Disable TCP sequence number randomization in cases where you do not need it Customize how the TCP Normalizer protects ag...

Page 395: ...equence number randomization TCP Intercept set connection conn max n The maximum number of simultaneous TCP or UDP connections that are allowed between 0 and 2000000 for the entire class The default is 0 which allows unlimited connections If two servers are configured to allow simultaneous TCP or UDP connections the connection limit is applied to each configured server separately Because the limit...

Page 396: ...1 and earlier or 0 0 30 for 9 1 2 and later and 1193 0 0 The default is 0 10 0 Half closed connections are not affected by DCD Also the ASA does not send a reset when taking down half closed connections set connection dcd retry interval max_retries Enable Dead Connection Detection DCD Before expiring an idle connection the ASA probes the end hosts to determine if the connection is valid If both ho...

Page 397: ...tname config cmap match any hostname config cmap policy map CONNS hostname config pmap class CONNS hostname config pmap c set connection conn max 1000 embryonic conn max 3000 hostname config pmap c set connection timeout idle 2 0 0 embryonic 0 40 0 half closed 0 20 0 dcd hostname config pmap c service policy CONNS interface outside You can enter set connection commands with multiple parameters or ...

Page 398: ...ommand was modified set connection timeout Timeout for connections using a backup static route 8 2 5 8 4 2 When multiple static routes exist to a network with different metrics the ASA uses the one with the best metric at the time of connection creation If a better route becomes available then this timeout lets connections be closed so a connection can be reestablished to use the better route The ...

Page 399: ...ing commands set connection conn max set connection embryonic conn max set connection per client embryonic max set connection per client max Decreased the half closed timeout minimum value to 30 seconds 9 1 2 The half closed timeout minimum value for both the global timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection We modified the following co...

Page 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...

Page 401: ... we suggest performing QoS on the switch instead of the ASASM Switches have more capability in this area In general QoS is best performed on the routers and switches in the network which tend to have more extensive capabilities than the ASA This chapter describes how to apply QoS policies About QoS page 17 1 Guidelines for QoS page 17 3 Configure QoS page 17 4 Monitor QoS page 17 9 Configuration E...

Page 402: ...te Also called the committed information rate CIR it specifies how much data can be sent or forwarded per unit time on average Burst size Also called the Committed Burst Bc size it specifies in bytes per burst how much traffic can be sent within a given unit of time to not create scheduling concerns Time interval Also called the measurement interval it specifies the time quantum in seconds per bur...

Page 403: ...ract You can configure each of the QoS features alone if desired for the ASA Often though you configure multiple QoS features on the ASA so you can prioritize some traffic for example and prevent other traffic from causing bandwidth problems You can configure Priority queuing for specific traffic Policing for the rest of the traffic You cannot configure priority queuing and policing for the same s...

Page 404: ...p 3 Configure a Service Rule for Priority Queuing and Policing page 17 7 Determine the Queue and TX Ring Limits for a Priority Queue Use the following worksheets to determine the priority queue and TX ring limits Queue Limit Worksheet page 17 4 TX Ring Limit Worksheet page 17 5 Queue Limit Worksheet The following worksheet shows how to calculate the priority queue size Because queues are not of in...

Page 405: ...Maximum packet size Typically the maximum size is 1538 bytes or 1542 bytes for tagged Ethernet If you allow jumbo frames if supported for your platform then the packet size might be larger Delay The delay depends on your application For example to control jitter for VoIP you should use 20 ms Table 17 1 Queue Limit Worksheet 1 __________ Outbound bandwidth Mbps or Kbps Mbps x 125 __________ of byte...

Page 406: ...nal packets cannot get into the queue and are dropped called tail drop To avoid having the queue fill up you can use the queue limit command to increase the queue buffer size The upper limit of the range of values for the queue limit command is determined dynamically at run time To view this limit enter queue limit on the command line The key determinants are the memory needed to support the queue...

Page 407: ...me policy map See How QoS Features Interact page 17 3 for information about valid QoS configurations Before You Begin You cannot use the class default class map for priority traffic ASASM The ASASM only supports policing For policing to the box traffic is not supported For policing traffic to and from a VPN tunnel bypasses interface policing For policing when you match a tunnel group class map onl...

Page 408: ...ple hostname config policy map QoS_policy Step 6 Identify the class map you created for prioritized traffic class priority_map_name Example hostname config pmap class priority_class Step 7 Configure priority queuing for the class priority Example hostname config pmap c priority Step 8 Identify the class map you created for policed traffic class policing_map_name Example hostname config pmap class ...

Page 409: ...he policy map to all interfaces and interface applies the policy to one interface Only one global policy is allowed You can override the global policy on an interface by applying a service policy to that interface You can only apply one policy map to each interface Monitor QoS QoS Police Statistics page 17 9 QoS Priority Statistics page 17 10 QoS Priority Queue Statistics page 17 10 QoS Police Sta...

Page 410: ...istics command The results show the statistics for both the best effort BE queue and the low latency queue LLQ The following example shows the use of the show priority queue statistics command for the interface named test hostname show priority queue statistics test Priority Queue Statistics interface test Queue Type BE Packets Dropped 0 Packets Transmit 0 Packets Enqueued 0 Current Q Length 0 Max...

Page 411: ... permit ip 10 10 34 0 255 255 255 0 192 168 10 0 255 255 255 0 hostname config access list non tunneled extended permit tcp any any hostname config tunnel group tunnel grp1 type IPsec_L2L hostname config class map browse hostname config cmap description This class map matches all non tunneled tcp traffic hostname config cmap match access list non tunneled hostname config cmap class map TG1 voice h...

Page 412: ...um burst size of 10 500 bytes per second For the TC1 BestEffort class the maximum rate is 200 000 bits second with a maximum burst of 37 500 bytes second Traffic in the TC1 voice class has no policed maximum speed or burst rate because it belongs to a priority class hostname config access list tcp_traffic permit tcp any any hostname config class map tcp_traffic hostname config cmap match access li...

Page 413: ... police show priority queue statistics show service policy police show service policy priority show running config priority queue clear configure priority queue Shaping and hierarchical priority queuing 7 2 4 8 0 4 We introduced QoS shaping and hierarchical priority queuing We introduced the following commands shape show service policy shape Ten Gigabit Ethernet support for a standard priority que...

Page 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...

Page 415: ...ped already by the ASA Thus threat detection and IPS can work together to provide a more comprehensive threat defense Threat detection consists of the following elements Different levels of statistics gathering for various threats Threat detection statistics can help you manage threats to your ASA for example if you enable scanning threat detection then viewing statistics can help you analyze the ...

Page 416: ...and automatically shunning them for example Incomplete session detection such as TCP SYN attack detected or UDP session with no return data attack detected When the ASA detects a threat it immediately sends a system log message 733100 The ASA tracks two types of rates the average event rate over an interval and the burst event rate over a shorter burst interval The burst rate interval is 1 30th of...

Page 417: ...e part of a scanning attack the ASA checks the average and burst rate limits If either rate is exceeded for traffic sent from a host then that host is considered to be an attacker If either rate is exceeded for traffic received by a host then that host is considered to be a target The following table lists the default rate limits for scanning threat detection Caution The scanning threat detection ...

Page 418: ...ast 3600 seconds 320 drops sec over the last 120 second period Scanning attack detected 5 drops sec over the last 600 seconds 10 drops sec over the last 20 second period 4 drops sec over the last 3600 seconds 8 drops sec over the last 120 second period Incomplete session detected such as TCP SYN attack detected or UDP session with no return data attack detected combined 100 drops sec over the last...

Page 419: ...tep 2 Optional Change the default settings for one or more type of event threat detection rate acl drop bad packet drop conn limit drop dos drop fw drop icmp drop inspect drop interface drop scanning threat syn attack rate interval rate_interval average rate av_rate burst rate burst_rate Example hostname config threat detection rate dos drop rate interval 600 average rate 60 burst rate 100 For a d...

Page 420: ...s enabled by default Step 3 Optional Configure statistics for hosts host keyword TCP and UDP ports port keyword or non TCP UDP IP protocols protocol keyword threat detection statistics host port protocol number of rate 1 2 3 Example hostname config threat detection statistics host number of rate 2 hostname config threat detection statistics port number of rate 2 hostname config threat detection st...

Page 421: ...onally shun them Procedure Step 1 Enable scanning threat detection threat detection scanning threat shun except ip address ip_address mask object group network_object_group_id Example hostname config threat detection scanning threat shun except ip address 10 1 1 0 255 255 255 0 By default the system log message 733101 is generated when a host is identified as an attacker Enter this command multipl...

Page 422: ...The other arguments let you limit the display to specific categories For a description of each event type see Basic Threat Detection Statistics page 18 2 The output shows the average rate in events sec over two fixed time periods the last 10 minutes and the last 1 hour It also shows the current burst rate in events sec over the last completed burst interval which is 1 30th of the average rate inte...

Page 423: ... unfinished burst interval presently occurring is not included in the average rate For example if the average rate interval is 20 minutes then the burst interval is 20 seconds If the last burst interval was from 3 00 00 to 3 00 20 and you use the show command at 3 00 25 then the last 5 seconds are not included in the output The only exception to this rule is if the number of events in the unfinish...

Page 424: ...u can ignore this IP address in the display show threat detection statistics min display rate min_display_rate top port protocol rate 1 rate 2 rate 3 To view statistics for ports and protocols use the port protocol keyword The port protocol keyword shows statistics for both ports and protocols both must be enabled for the display and shows the combined statistics of TCP UDP port and IP protocol ty...

Page 425: ...st IP address tot ses The total number of sessions for this host since it was added to the database act ses The total number of active sessions that the host is currently involved in fw drop The number of firewall drops Firewall drops is a combined rate that includes all firewall related packet drops tracked in basic threat detection including ACL denials bad packets exceeded connection limits DoS...

Page 426: ...seconds whichever is larger For the example specified in the Average eps description the current rate is the rate from 3 19 30 to 3 20 00 Trigger The number of times the dropped packet rate limits were exceeded For valid traffic identified in the sent and received bytes and packets rows this value is always 0 because there are no rate limits to trigger for valid traffic Total events The total numb...

Page 427: ... 10 8 3 6 209 165 200 225 Examples for Threat Detection The following example configures basic threat detection statistics and changes the DoS attack rate settings All advanced threat detection statistics are enabled with the host statistics number of rate intervals lowered to 2 The TCP Intercept rate interval is also customized Scanning threat detection is enabled with automatic shunning for all ...

Page 428: ...owing commands were modified or introduced threat detection statistics tcp intercept show threat detection statistics top tcp intercept clear threat detection statistics Customize host statistics rate intervals 8 1 2 You can now customize the number of rate intervals for which statistics are collected The default number of rates was changed from 3 to 1 The following command was modified threat det...