Cisco ASA Series Firewall ASDM
Configuration Guide
Software Version 7.1
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X,
ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X,
and the ASA Services Module
Released: December 3, 2012
Updated: March 31, 2014
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Text Part Number: N/A
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
CONTENTS

About This Guide  21
  Document Objectives  21
  Related Documentation  21
  Conventions  22
  Obtaining Documentation and Submitting a Service Request  22

PART 1  Configuring Service Policies

CHAPTER 1  Configuring a Service Policy  1-1
  Information About Service Policies  1-1
  Supported Features  1-1
  Feature Directionality  1-2
  Feature Matching Within a Service Policy  1-3
  Order in Which Multiple Feature Actions are Applied  1-4
  Incompatibility of Certain Feature Actions  1-5
  Feature Matching for Multiple
  Defining Actions in an Inspection Policy Map  2-3
  Identifying Traffic in an Inspection Class Map  2-3
  Where to Go Next  2-4
  Feature History for Inspection Policy Maps  2-4

PART 2  Configuring Network Address Translation

CHAPTER 3  Information About NAT (ASA 8.3 and Later)  3-1
  Why Use NAT?  3-1
  NAT Terminology  3-2
  NAT Types  3-3
  NAT Types Overview  3-3
  Static NAT  3-3
  Dynamic NAT  3-8
  Dynamic PAT  3-10
  Identity NAT  3-12
  NAT in Routed and Transparent Mode  3-12
  NAT in Routed Mode  3-13
  NAT in Transpa
CHAPTER 4  Configuring Network Object NAT (ASA 8.3 and Later)  4-1
  Information About Network Object NAT  4-1
  Licensing Requirements for Network Object NAT  4-2
  Prerequisites for Network Object NAT  4-2
  Guidelines and Limitations  4-2
  Default Settings  4-3
  Configuring Network Object NAT  4-4
  Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool  4-4
  Configuring Dynamic PAT (Hide)  4-8
  Configuring Static NAT or Static NAT-with-Port-Translation  4-11
  Configuring Identity NAT  4-15
  Configuring Per-
  Monitoring Twice NAT  5-29
  Configuration Examples for Twice NAT  5-30
  Different Translation Depending on the Destination (Dynamic PAT)  5-30
  Different Translation Depending on the Destination Address and Port (Dynamic PAT)  5-39
  Feature History for Twice NAT  5-48

CHAPTER 6  Configuring NAT (ASA 8.2 and Earlier)  6-1
  NAT Overview  6-1
  Introduction to NAT  6-1
  NAT in Routed Mode  6-2
  NAT in Transparent Mode  6-3
  NAT Control  6-4
  NAT Types  6-6
  Policy NAT  6-11
  NAT and Same Security Level Interfaces
  Default Settings  7-7
  Configuring Access Rules  7-8
  Adding an Access Rule  7-8
  Adding an EtherType Rule (Transparent Mode Only)  7-9
  Configuring Management Access Rules  7-10
  Advanced Access Rule Configuration  7-11
  Configuring HTTP Redirect  7-12
  Feature History for Access Rules  7-14

CHAPTER 8  Configuring AAA Rules for Network Access  8-1
  AAA Performance  8-1
  Licensing Requirements for AAA Rules  8-1
  Guidelines and Limitations  8-2
  Configuring Authentication for Network Access  8-2
  Information
CHAPTER 10  Getting Started with Application Layer Protocol Inspection  10-1
  Information about Application Layer Protocol Inspection  10-1
  How Inspection Engines Work  10-1
  When to Use Application Protocol Inspection  10-2
  Guidelines and Limitations  10-3
  Default Settings and NAT Limitations  10-4
  Configuring Application Layer Protocol Inspection  10-7

CHAPTER 11  Configuring Inspection of Basic Internet Protocols  11-1
  DNS Inspection  11-1
  Information About DNS Inspection  11-2
  Default Settings
  ICMP Inspection  11-39
  ICMP Error Inspection  11-39
  Instant Messaging Inspection  11-39
  IM Inspection Overview  11-40
  Adding a Class Map for IM Inspection  11-40
  Select IM Map  11-41
  IP Options Inspection  11-41
  IP Options Inspection Overview  11-41
  Configuring IP Options Inspection  11-42
  Select IP Options Inspect Map  11-43
  IP Options Inspect Map  11-44
  Add/Edit IP Options Inspect Map  11-44
  IPsec Pass Through Inspection  11-45
  IPsec Pass Through Inspection Overview  11-45
  Select IPsec-Pass-Thru
CHAPTER 12  Configuring Inspection for Voice and Video Protocols  12-1
  CTIQBE Inspection  12-1
  CTIQBE Inspection Overview  12-1
  Limitations and Restrictions  12-2
  H.323 Inspection  12-2
  H.323 Inspection Overview  12-3
  How H.323 Works  12-3
  H.239 Support in H.245 Messages  12-4
  Limitations and Restrictions  12-4
  Select H.323 Map  12-5
  H.323 Class Map  12-5
  Add/Edit H.323 Traffic Class Map  12-6
  Add/Edit H.323 Match Criterion  12-6
  H.323 Inspect Map  12-7
  Phone Number Filtering  12-8
  Add/Edit H.323 Pol
  SIP Class Map  12-23
  Add/Edit SIP Traffic Class Map  12-24
  Add/Edit SIP Match Criterion  12-24
  SIP Inspect Map  12-26
  Add/Edit SIP Policy Map (Security Level)  12-27
  Add/Edit SIP Policy Map (Details)  12-28
  Add/Edit SIP Inspect  12-30
  Skinny (SCCP) Inspection  12-32
  SCCP Inspection Overview  12-32
  Supporting Cisco IP Phones  12-33
  Restrictions and Limitations  12-33
  Select SCCP (Skinny) Map  12-34
  SCCP (Skinny) Inspect Map  12-34
  Message ID Filtering  12-35
  Add/Edit SCCP (Skinny) Policy Map (Securi
  Add/Edit GTP Map  14-9
  RADIUS Accounting Inspection  14-10
  RADIUS Accounting Inspection Overview  14-11
  Select RADIUS Accounting Map  14-11
  Add RADIUS Accounting Policy Map  14-11
  RADIUS Inspect Map  14-12
  RADIUS Inspect Map Host  14-12
  RADIUS Inspect Map Other  14-13
  RSH Inspection  14-13
  SNMP Inspection  14-13
  SNMP Inspection Overview  14-14
  Select SNMP Map  14-14
  SNMP Inspect Map  14-14
  XDMCP Inspection  14-15

PART 5  Configuring Unified Communications

CHAPTER 15  Information About Cisco Unified C
  Configuring the Local-Side Certificates for the Cisco Presence Federation Proxy  16-15
  Configuring the Remote-Side Certificates for the Cisco Presence Federation Proxy  16-15
  Configuring the UC-IME by using the Unified Communication Wizard  16-16
  Configuring the Topology for the Cisco Intercompany Media Engine Proxy  16-17
  Configuring the Private Network Settings for the Cisco Intercompany Media Engine Proxy  16-18
  Adding a Cisco Unified Communications Manager Server for the UC-IME Proxy  1
  Adding or Editing a Record Entry in a CTL File  17-16
  Creating the Media Termination Instance  17-17
  Creating the Phone Proxy Instance  17-18
  Adding or Editing the TFTP Server for a Phone Proxy  17-20
  Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy  17-21
  Feature History for the Phone Proxy  17-22

CHAPTER 18  Configuring the TLS Proxy for Encrypted Voice Inspection  18-1
  Information about the TLS Proxy for Encrypted Voice Inspection  18-1
  Decryption and Inspection of U
  Architecture for Cisco Unified Presence for SIP Federation Deployments  20-1
  Trust Relationship in the Presence Federation  20-4
  Security Certificate Exchange Between Cisco UP and the Security Appliance  20-5
  XMPP Federation Deployments  20-5
  Configuration Requirements for XMPP Federation  20-6
  Licensing for Cisco Unified Presence  20-7
  Configuring Cisco Unified Presence Proxy for SIP Federation  20-8
  Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation  20-9
  F
CHAPTER 22  Configuring Connection Settings  22-1
  Information About Connection Settings  22-1
  TCP Intercept and Limiting Embryonic Connections  22-2
  Disabling TCP Intercept for Management Packets for Clientless SSL Compatibility  22-2
  Dead Connection Detection (DCD)  22-2
  TCP Sequence Randomization  22-3
  TCP Normalization  22-3
  TCP State Bypass  22-3
  Licensing Requirements for Connection Settings  22-4
  Guidelines and Limitations  22-5
  Default Settings  22-5
  Configuring Connection Settings  22-6
  Ta
  Viewing QoS Standard Priority Queue Statistics  23-13
  Feature History for QoS  23-14

CHAPTER 24  Troubleshooting Connections and Resources  24-1
  Testing Your Configuration  24-1
  Pinging ASA Interfaces  24-1
  Verifying ASA Configuration and Operation, and Testing Interfaces Using Ping  24-3
  Determining Packet Routing with Traceroute  24-6
  Tracing Packets with Packet Tracer  24-7
  Monitoring Performance  24-8
  Monitoring System Resources  24-9
  Blocks  24-9
  CPU  24-10
  Memory  24-10
  Monitoring Connections
  (Optional) Configuring the User Identity Monitor  25-25
  Configuring the Cloud Web Security Policy  25-26
  Monitoring Cloud Web Security  25-26
  Related Documents  25-27
  Feature History for Cisco Cloud Web Security  25-27

CHAPTER 26  Configuring the Botnet Traffic Filter  26-1
  Information About the Botnet Traffic Filter  26-1
  Botnet Traffic Filter Address Types  26-2
  Botnet Traffic Filter Actions for Known Addresses  26-2
  Botnet Traffic Filter Databases  26-2
  How the Botnet Traffic Filter Works  26-
  Monitoring Basic Threat Detection Statistics  27-4
  Feature History for Basic Threat Detection Statistics  27-5
  Configuring Advanced Threat Detection Statistics  27-5
  Information About Advanced Threat Detection Statistics  27-5
  Guidelines and Limitations  27-5
  Default Settings  27-6
  Configuring Advanced Threat Detection Statistics  27-6
  Monitoring Advanced Threat Detection Statistics  27-7
  Feature History for Advanced Threat Detection Statistics  27-8
  Configuring Scanning Threat Detection  27-8
  Feature History for URL Filtering  29-12

PART 8  Configuring Modules

CHAPTER 30  Configuring the ASA CX Module  30-1
  Information About the ASA CX Module  30-1
  How the ASA CX Module Works with the ASA  30-2
  Monitor-Only Mode  30-3
  Information About ASA CX Management  30-4
  Information About Authentication Proxy  30-5
  Information About VPN and the ASA CX Module  30-5
  Compatibility with ASA Features  30-5
  Licensing Requirements for the ASA CX Module  30-6
  Prerequisites  30-6
  Guidelines and Limitations