Summary of the content on the page No. 1
Cisco ASA 5500 Series Configuration Guide using the CLI
Software Version 8.4 and 8.6 for the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X
Released: January 31, 2011
Updated: October 31, 2012
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: N/A, Online only
Summary of the content on the page No. 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
Summary of the content on the page No. 3
CONTENTS
About This Guide
Document Objectives
Audience
Related Documentation
Conventions
Obtaining Documentation and Submitting a Service Request
PART 1 Getting Started with the ASA
CHAPTER 1 Introduction to the Cisco ASA 5500 Series
Hardware and Software Compatibility
VPN Specifications
New Features
New Features in Version 8.6(1)
New Features in Version 8.4(5)
New Features in Version 8.4(4.1)
New Features in Version 8.4(3)
New Feature
Summary of the content on the page No. 4
Firewall Mode Overview
Stateful Inspection Overview
VPN Functional Overview
Security Context Overview
CHAPTER 2 Getting Started
Accessing the Appliance Command-Line Interface
Configuring ASDM Access for Appliances
Accessing ASDM Using the Factory Default Configuration
Accessing ASDM Using a Non-Default Configuration (ASA 5505)
Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
Starting ASDM
Connecting to ASDM for the
Summary of the content on the page No. 5
Preinstalled License
Permanent License
Time-Based Licenses
Time-Based License Activation Guidelines
How the Time-Based License Timer Works
How Permanent and Time-Based Licenses Combine
Stacking Time-Based Licenses
Time-Based License Expiration
Shared AnyConnect Premium Licenses
Information About the Shared Licensing Server and Participants
Communication Issues Between Participant and Server
Information About the Shared Licensing B
Summary of the content on the page No. 6
Information About Routed Firewall Mode
Information About Transparent Firewall Mode
Licensing Requirements for the Firewall Mode
Default Settings
Guidelines and Limitations
Setting the Firewall Mode
Feature History for Firewall Mode
Configuring ARP Inspection for the Transparent Firewall
Information About ARP Inspection
Licensing Requirements for ARP Inspection
Default Settings
Guidelines and Limitations
Configuring ARP Inspection
Summary of the content on the page No. 7
An Outside User Visits a Web Server on the Inside Network
An Outside User Attempts to Access an Inside Host
CHAPTER 5 Configuring Multiple Context Mode
Information About Security Contexts
Common Uses for Security Contexts
Context Configuration Files
Context Configurations
System Configuration
Admin Context Configuration
How the ASA Classifies Packets
Valid Classifier Criteria
Classification Examples
Cascading Security Contexts
Mana
Summary of the content on the page No. 8
Removing a Security Context
Changing the Admin Context
Changing the Security Context URL
Reloading a Security Context
Reloading by Clearing the Configuration
Reloading by Removing and Re-adding the Context
Monitoring Security Contexts
Viewing Context Information
Viewing Resource Allocation
Viewing Resource Usage
Monitoring SYN Attacks in Contexts
Viewing Assigned MAC Addresses
Viewing MAC Addresses in the System Configuration
Summary of the content on the page No. 9
Guidelines and Limitations
Default Settings
Starting Interface Configuration (ASA 5510 and Higher)
Task Flow for Starting Interface Configuration
Converting In-Use Interfaces to a Redundant or EtherChannel Interface
Enabling the Physical Interface and Configuring Ethernet Parameters
Configuring a Redundant Interface
Configuring a Redundant Interface
Changing the Active Interface
Configuring an EtherChannel
Adding Interfaces to the Ether
Summary of the content on the page No. 10
Configuring and Enabling Switch Ports as Trunk Ports
Monitoring Interfaces
Configuration Examples for ASA 5505 Interfaces
Access Port Example
Trunk Port Example
Where to Go Next
Feature History for ASA 5505 Interfaces
CHAPTER 8 Completing Interface Configuration (Routed Mode)
Information About Completing Interface Configuration in Routed Mode
Security Levels
Dual IP Stack (IPv4 and IPv6)
Licensing Requirements for Completing Interface
Summary of the content on the page No. 11
Configuring Bridge Groups
Configuring General Interface Parameters
Configuring a Management Interface (ASA 5510 and Higher)
Configuring the MAC Address and MTU
Configuring IPv6 Addressing
Information About IPv6
Configuring a Global IPv6 Address and Other Options
Allowing Same Security Level Communication
Monitoring Interfaces
Configuration Examples for Interfaces in Transparent Mode
Feature History for Interfaces in Transparent Mode
Summary of the content on the page No. 12
CHAPTER 11 Configuring DHCP
Information About DHCP
Licensing Requirements for DHCP
Guidelines and Limitations
Configuring a DHCP Server
Enabling the DHCP Server
Configuring DHCP Options
Options that Return an IP Address
Options that Return a Text String
Options that Return a Hexadecimal Value
Using Cisco IP Phones with a DHCP Server
Configuring DHCP Relay Services
DHCP Monitoring Commands
Feature History for DHCP
CH
Summary of the content on the page No. 13
Information About Object Groups
Licensing Requirements for Objects and Groups
Guidelines and Limitations for Objects and Groups
Configuring Objects
Configuring a Network Object
Configuring a Service Object
Configuring Object Groups
Adding a Protocol Object Group
Adding a Network Object Group
Adding a Service Object Group
Adding an ICMP Type Object Group
Nesting Object Groups
Removing Object Groups
Monitoring Objects an
Summary of the content on the page No. 14
Adding an Extended Access List
Adding Remarks to Access Lists
Monitoring Extended Access Lists
Configuration Examples for Extended Access Lists
Configuration Examples for Extended Access Lists (No Objects)
Configuration Examples for Extended Access Lists (Using Objects)
Where to Go Next
Feature History for Extended Access Lists
CHAPTER 16 Adding an EtherType Access List
Information About EtherType Access Lists
Licensing Requirements fo
Summary of the content on the page No. 15
CHAPTER 18 Adding a Webtype Access List
Licensing Requirements for Webtype Access Lists
Guidelines and Limitations
Default Settings
Using Webtype Access Lists
Task Flow for Configuring Webtype Access Lists
Adding Webtype Access Lists with a URL String
Adding Webtype Access Lists with an IP Address
Adding Remarks to Access Lists
What to Do Next
Monitoring Webtype Access Lists
Configuration Examples for Webtype Access Lists
Fea
Summary of the content on the page No. 16
Configuration Examples for Access List Logging
Feature History for Access List Logging
Managing Deny Flows
Information About Managing Deny Flows
Licensing Requirements for Managing Deny Flows
Guidelines and Limitations
Default Settings
Managing Deny Flows
Monitoring Deny Flows
Feature History for Managing Deny Flows
PART 6 Configuring IP Routing
CHAPTER 21 Routing Overview
Information About Routing
Switching
Path Determi
Summary of the content on the page No. 17
CHAPTER 22 Configuring Static and Default Routes
Information About Static and Default Routes
Licensing Requirements for Static and Default Routes
Guidelines and Limitations
Configuring Static and Default Routes
Configuring a Static Route
Adding or Editing a Static Route
Configuring a Default Static Route
Limitations on Configuring a Default Static Route
Configuring IPv6 Default and Static Routes
Monitoring a Static or Default Route
Summary of the content on the page No. 18
Configuring OSPF Area Parameters
Configuring OSPF NSSA
Defining Static OSPF Neighbors
Configuring Route Calculation Timers
Logging Neighbors Going Up or Down
Restarting the OSPF Process
Configuration Example for OSPF
Monitoring OSPF
Feature History for OSPF
CHAPTER 25 Configuring RIP
Information About RIP
Routing Update Process
RIP Routing Metric
RIP Stability Features
RIP Timers
Licensing Requirements
Summary of the content on the page No. 19
Multicast Addresses
Licensing Requirements for Multicast Routing
Guidelines and Limitations
Enabling Multicast Routing
Customizing Multicast Routing
Configuring Stub Multicast Routing and Forwarding IGMP Messages
Configuring a Static Multicast Route
Configuring IGMP Features
Disabling IGMP on an Interface
Configuring IGMP Group Membership
Configuring a Statically Joined IGMP Group
Controlling Access to Multicast Groups
Limiti
Summary of the content on the page No. 20
Defining a Network for an EIGRP Routing Process
Configuring Interfaces for EIGRP
Configuring Passive Interfaces
Configuring the Summary Aggregate Addresses on Interfaces
Changing the Interface Delay Value
Enabling EIGRP Authentication on an Interface
Defining an EIGRP Neighbor
Redistributing Routes Into EIGRP
Filtering Networks in EIGRP
Customizing the EIGRP Hello Interval and Hold Time
Disabling Automatic Route Summarization