Cisco ASA Series Firewall CLI
Configuration Guide
Software Version 9.1
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X,
ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X,
and the ASA Services Module
Released: December 3, 2012
Updated: March 31, 2014
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Text Part Number: N/A
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
CONTENTS
About This Guide xxv
Document Objectives xxv
Related Documentation xxv
Conventions xxv
Obtaining Documentation and Submitting a Service Request xxvi
PART 1 Configuring Service Policies Using the Modular Policy Framework
CHAPTER 1 Configuring a Service Policy Using the Modular Policy Framework 1-1
Information About Service Policies 1-1
Supported Features 1-2
Feature Directionality 1-2
Feature Matching Within a Service Policy 1-3
Order in Which Multiple Feature Actions are Applied 1-4
I
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 1-20
Applying Inspection to HTTP Traffic with NAT 1-21
Feature History for Service Policies 1-22
CHAPTER 2 Configuring Special Actions for Application Inspections (Inspection Policy Map) 2-1
Information About Inspection Policy Maps 2-1
Guidelines and Limitations 2-2
Default Inspection Policy Maps 2-3
Defining Actions in an Inspection Policy Map 2-4
Identifying Traffic in an Inspection Class Map 2-5
Where to
Main Differences Between Network Object NAT and Twice NAT 3-13
Information About Network Object NAT 3-14
Information About Twice NAT 3-14
NAT Rule Order 3-18
NAT Interfaces 3-19
Routing NAT Packets 3-19
Mapped Addresses and Routing 3-19
Transparent Mode Routing Requirements for Remote Networks 3-21
Determining the Egress Interface 3-22
NAT for VPN 3-22
NAT and Remote Access VPN 3-23
NAT and Site-to-Site VPN 3-24
NAT and VPN Management Access 3-26
Troubleshooting NAT and VPN 3-28
DNS a
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification) 4-25
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification) 4-26
Feature History for Network Object NAT 4-28
CHAPTER 5 Configuring Twice NAT 5-1
Information About Twice NAT 5-1
Licensing Requirements for Twice NAT 5-2
Prerequisites for Twice NAT 5-2
Guidelines and Limitations 5-2
Default Settings 5-4
Configuring Tw
Access Rules for Returning Traffic 6-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules 6-5
Management Access Rules 6-6
Information About EtherType Rules 6-6
Supported EtherTypes and Other Traffic 6-6
Access Rules for Returning Traffic 6-7
Allowing MPLS 6-7
Licensing Requirements for Access Rules 6-7
Prerequisites 6-7
Guidelines and Limitations 6-7
Default Settings 6-8
Configuring Access Rules 6-8
Monitoring Access Rules 6-10
Configuration
Configuring a RADIUS Server to Download Per-User Access Control List Names 7-21
Configuring Accounting for Network Access 7-21
Using MAC Addresses to Exempt Traffic from Authentication and Authorization 7-23
Feature History for AAA Rules 7-25
PART 4 Configuring Application Inspection
CHAPTER 9 Getting Started with Application Layer Protocol Inspection 9-1
Information about Application Layer Protocol Inspection 9-1
How Inspection Engines Work 9-1
When to Use Application Protocol Inspec
IP Options Inspection Overview 10-24
Configuring an IP Options Inspection Policy Map for Additional Inspection Control 10-25
IPsec Pass Through Inspection 10-25
IPsec Pass Through Inspection Overview 10-26
Example for Defining an IPsec Pass Through Parameter Map 10-26
IPv6 Inspection 10-26
Information about IPv6 Inspection 10-27
Default Settings for IPv6 Inspection 10-27
(Optional) Configuring an IPv6 Inspection Policy Map 10-27
Configuring IPv6 Inspection 10-29
NetBIOS Inspection 10-
Verifying and Monitoring MGCP Inspection 11-14
RTSP Inspection 11-14
RTSP Inspection Overview 11-15
Using RealPlayer 11-15
Restrictions and Limitations 11-15
Configuring an RTSP Inspection Policy Map for Additional Inspection Control 11-16
SIP Inspection 11-18
SIP Inspection Overview 11-18
SIP Instant Messaging 11-19
Configuring a SIP Inspection Policy Map for Additional Inspection Control 11-20
Configuring SIP Timeout Values 11-24
Verifying and Monitoring SIP Inspection 11-24
Skinny
RSH Inspection 13-10
SNMP Inspection 13-10
SNMP Inspection Overview 13-10
Configuring an SNMP Inspection Policy Map for Additional Inspection Control 13-10
XDMCP Inspection 13-11
PART 5 Configuring Unified Communications
CHAPTER 14 Information About Cisco Unified Communications Proxy Features 14-1
Information About the Adaptive Security Appliance in Cisco Unified Communications 14-1
TLS Proxy Applications in Cisco Unified Communications 14-3
Licensing for Cisco Unified Communications
Working with Certificates in the Unified Communication Wizard 15-23
Exporting an Identity Certificate 15-23
Installing a Certificate 15-23
Generating a Certificate Signing Request (CSR) for a Unified Communications Proxy 15-24
Saving the Identity Certificate Request 15-25
Installing the ASA Identity Certificate on the Mobility Advantage Server 15-26
Installing the ASA Identity Certificate on the Presence Federation and Cisco Intercompany Media Engine Servers 15-26
CHAPTER 16 Configur
Creating the TLS Proxy Instance for a Non-secure Cisco UCM Cluster 16-20
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster 16-21
Creating the Media Termination Instance 16-23
Creating the Phone Proxy Instance 16-24
Enabling the Phone Proxy with SIP and Skinny Inspection 16-26
Configuring Linksys Routers with UDP Port Forwarding for the Phone Proxy 16-27
Configuring Your Router 16-28
Troubleshooting the Phone Proxy 16-28
Debugging Information from the Security Appliance 16-28
D
CTL Client Overview 17-3
Licensing for the TLS Proxy 17-5
Prerequisites for the TLS Proxy for Encrypted Voice Inspection 17-7
Configuring the TLS Proxy for Encrypted Voice Inspection 17-7
Task flow for Configuring the TLS Proxy for Encrypted Voice Inspection 17-8
Creating Trustpoints and Generating Certificates 17-9
Creating an Internal CA 17-10
Creating a CTL Provider Instance 17-11
Creating the TLS Proxy Instance 17-12
Enabling the TLS Proxy Instance for Skinny or SIP Inspection 17-
Configuration Requirements for XMPP Federation 19-6
Licensing for Cisco Unified Presence 19-7
Configuring Cisco Unified Presence Proxy for SIP Federation 19-8
Task Flow for Configuring Cisco Unified Presence Federation Proxy for SIP Federation 19-9
Creating Trustpoints and Generating Certificates 19-9
Installing Certificates 19-10
Creating the TLS Proxy Instance 19-12
Enabling the TLS Proxy for SIP Inspection 19-13
Monitoring Cisco Unified Presence 19-14
Configuration Example for Cisc
Configuring the Cisco UC-IMC Proxy by using the UC-IME Proxy Pane 20-30
Configuring the Cisco UC-IMC Proxy by using the Unified Communications Wizard 20-32
Troubleshooting Cisco Intercompany Media Engine Proxy 20-33
Feature History for Cisco Intercompany Media Engine Proxy 20-36
PART 6 Configuring Connection Settings and QoS
CHAPTER 22 Configuring Connection Settings 22-1
Information About Connection Settings 22-1
TCP Intercept and Limiting Embryonic Connections 22-2
Disabling TCP Int
Licensing Requirements for QoS 23-5
Guidelines and Limitations 23-5
Configuring QoS 23-6
Determining the Queue and TX Ring Limits for a Standard Priority Queue 23-7
Configuring the Standard Priority Queue for an Interface 23-8
Configuring a Service Rule for Standard Priority Queuing and Policing 23-9
Configuring a Service Rule for Traffic Shaping and Hierarchical Priority Queuing 23-13
(Optional) Configuring the Hierarchical Priority Queuing Policy 23-13
Configuring the Service Rule 2
Cloud Web Security Actions 25-5
Bypassing Scanning with Whitelists 25-6
IPv4 and IPv6 Support 25-6
Failover from Primary to Backup Proxy Server 25-6
Licensing Requirements for Cisco Cloud Web Security 25-6
Prerequisites for Cloud Web Security 25-7
Guidelines and Limitations 25-7
Default Settings 25-8
Configuring Cisco Cloud Web Security 25-8
Configuring Communication with the Cloud Web Security Proxy Server 25-8
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context
Botnet Traffic Filter Address Types 26-2
Botnet Traffic Filter Actions for Known Addresses 26-2
Botnet Traffic Filter Databases 26-2
Information About the Dynamic Database 26-2
Information About the Static Database 26-3
Information About the DNS Reverse Lookup Cache and DNS Host Cache 26-4
How the Botnet Traffic Filter Works 26-5
Licensing Requirements for the Botnet Traffic Filter 26-6
Prerequisites for the Botnet Traffic Filter 26-6
Guidelines and Limitations 26-6
Default Settings 2
Configuring Advanced Threat Detection Statistics 27-6
Information About Advanced Threat Detection Statistics 27-6
Guidelines and Limitations 27-6
Default Settings 27-7
Configuring Advanced Threat Detection Statistics 27-7
Monitoring Advanced Threat Detection Statistics 27-9
Feature History for Advanced Threat Detection Statistics 27-14
Configuring Scanning Threat Detection 27-15
Information About Scanning Threat Detection 27-15
Guidelines and Limitations 27-16
Default Settings 27-16
C