[PDF] Cisco ASA Series General Operations CLI Configuration Guide 9.1






Cisco ASA Series General Operations CLI Configuration Guide 9.1

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco ASA Series General Operations CLI Configuration Guide

Software Version 9.1

For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, and the ASA Services Module

Released: December 3, 2012

Updated: March 31, 2014

Text Part Number: N/A, Online only

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco ASA Series General Operations CLI Configuration Guide

Copyright © 2012-2014 Cisco Systems, Inc. All rights reserved.

CONTENTS

About This Guide

Document Objectives

Related Documentation

Conventions

Obtaining Documentation and Submitting a Service Request

PART 1 Getting Started with the ASA

CHAPTER 1 Introduction to the Cisco ASA

Hardware and Software Compatibility

VPN Compatibility

New Features

New Features in ASA 9.1(5)

New Features in ASA 9.1(4)

New Features in ASA 9.1(3)

New Features in ASA 9.1(2)

New Features in ASA 9.1(1)

Firewall Functional Overview

Security Policy Overview

Permitting or Denying Traffic with Access Lists

Applying NAT

Protecting from IP Fragments

Using AAA for Through Traffic

Applying HTTP, HTTPS, or FTP Filtering

Applying Application Inspection

Sending Traffic to a Module

Applying QoS Policies

Applying Connection Limits and TCP Normalization

Enabling Threat Detection

Enabling the Botnet Traffic Filter

Configuring Cisco Unified Communications

Firewall Mode Overview

Stateful Inspection Overview

VPN Functional Overview

Security Context Overview

ASA Clustering Overview

CHAPTER 2 Configuring the Switch for Use with the ASA Services Module

Information About the Switch

How the ASA Services Module Works with the Switch

Supported Switch Hardware and Software

Backplane Connection

ASA and IOS Feature Interaction

Information About SVIs

Guidelines and Limitations

Verifying the Module Installation

Assigning VLANs to the ASA Services Module

Using the MSFC as a Directly Connected Router (SVIs)

Configuring the Switch for ASA Failover

Assigning VLANs to the Secondary ASA Services Module

Adding a Trunk Between a Primary Switch and Secondary Switch

Ensuring Compatibility with Transparent Firewall Mode

Enabling Autostate Messaging for Rapid Link Failure Detection

Resetting the ASA Services Module

Monitoring the ASA Services Module

Feature History for the Switch for Use with the ASA Services Module

CHAPTER 3 Getting Started

Accessing the Appliance Command-Line Interface

Accessing the ASA Services Module Command-Line Interface

Logging Into the ASA Services Module

Information About Connection Methods

Logging In

Logging Out of a Console Session

Logging Out

Killing an Active Console Connection

Logging Out of a Telnet Session

Configuring ASDM Access for Appliances

Accessing ASDM Using the Factory Default Configuration

Customizing ASDM Access (ASA 5505)

Customizing ASDM Access (ASA 5510 and Higher)

Configuring ASDM Access for the ASA Services Module

Starting ASDM

Connecting to ASDM for the First Time

Starting ASDM from the ASDM-IDM Launcher

Starting ASDM from the Java Web Start Application

Using ASDM in Demo Mode

Factory Default Configurations

Restoring the Factory Default Configuration

ASA 5505 Default Configuration

ASA 5505 Routed Mode Default Configuration

ASA 5505 Transparent Mode Sample Configuration

ASA 5510 and Higher Default Configuration

Working with the Configuration

Saving Configuration Changes

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Applying Configuration Changes to Connections

Reloading the ASA

CHAPTER 4 Managing Feature Licenses

Supported Feature Licenses Per Model

Licenses Per Model

License Notes

VPN License and Feature Compatibility

Information About Feature Licenses

Preinstalled License

Permanent License

Time-Based Licenses

Time-Based License Activation Guidelines

How the Time-Based License Timer Works

How Permanent and Time-Based Licenses Combine

Stacking Time-Based Licenses

Time-Based License Expiration

Shared AnyConnect Premium Licenses

Information About the Shared Licensing Server and Participants

Communication Issues Between Participant and Server

Information About the Shared Licensing Backup Server

Failover and Shared Licenses

Maximum Number of Participants

Failover or ASA Cluster Licenses

Failover License Requirements and Exceptions

ASA Cluster License Requirements and Exceptions

How Failover or ASA Cluster Licenses Combine

Loss of Communication Between Failover or ASA Cluster Units

Upgrading Failover Pairs

No Payload Encryption Models

Licenses FAQ

Guidelines and Limitations

Configuring Licenses

Obtaining an Activation Key

Activating or Deactivating Keys

Configuring a Shared License

Configuring the Shared Licensing Server

Configuring the Shared Licensing Backup Server (Optional)

Configuring the Shared Licensing Participant

Monitoring Licenses

Viewing Your Current License

Monitoring the Shared License

Feature History for Licensing

CHAPTER 5 Configuring the Transparent or Routed Firewall

Information About the Firewall Mode

Information About Routed Firewall Mode

Information About Transparent Firewall Mode

Using the Transparent Firewall in Your Network

Bridge Groups

Management Interface (ASA 5510 and Higher)

Allowing Layer 3 Traffic

Allowed MAC Addresses

Passing Traffic Not Allowed in Routed Mode

Passing Traffic For Routed-Mode Features

BPDU Handling

MAC Address vs. Route Lookups

ARP Inspection

MAC Address Table

Licensing Requirements for the Firewall Mode

Default Settings

Guidelines and Limitations

Setting the Firewall Mode

Configuring ARP Inspection for the Transparent Firewall

Task Flow for Configuring ARP Inspection

Adding a Static ARP Entry

Enabling ARP Inspection

Customizing the MAC Address Table for the Transparent Firewall

Adding a Static MAC Address

Setting the MAC Address Timeout

Disabling MAC Address Learning

Monitoring the Transparent Firewall

Monitoring ARP Inspection

Monitoring the MAC Address Table

Firewall Mode Examples

How Data Moves Through the ASA in Routed Firewall Mode

An Inside User Visits a Web Server

An Outside User Visits a Web Server on the DMZ

An Inside User Visits a Web Server on the DMZ

An Outside User Attempts to Access an Inside Host

A DMZ User Attempts to Access an Inside Host

How Data Moves Through the Transparent Firewall

An Inside User Visits a Web Server

An Inside User Visits a Web Server Using NAT

An Outside User Visits a Web Server on the Inside Network

An Outside User Attempts to Access an Inside Host

Feature History for the Firewall Mode

PART 2 Configuring High Availability and Scalability

CHAPTER 6 Configuring Multiple Context Mode

Information About Security Contexts

Common Uses for Security Contexts

Context Configuration Files

Context Configurations

System Configuration

Admin Context Configuration

How the ASA Classifies Packets

Valid Classifier Criteria

Classification Examples

Cascading Security Contexts

Management Access to Security Contexts

System Administrator Access

Context Administrator Access

Information About Resource Management

Resource Classes

Resource Limits

Default Class

Using Oversubscribed Resources

Using Unlimited Resources

Information About MAC Addresses

Default MAC Address

Interaction with Manual MAC Addresses

Failover MAC Addresses

MAC Address Format

Licensing Requirements for Multiple Context Mode

Prerequisites

Guidelines and Limitations

Default Settings

Configuring Multiple Contexts

Task Flow for Configuring Multiple Context Mode

Enabling or Disabling Multiple Context Mode

Enabling Multiple Context Mode

Restoring Single Context Mode

Configuring a Class for Resource Management

Configuring a Security Context

Automatically Assigning MAC Addresses to Context Interfaces

Changing Between Contexts and the System Execution Space

Managing Security Contexts

Removing a Security Context

Changing the Admin Context

Changing the Security Context URL

Reloading a Security Context

Reloading by Clearing the Configuration

Reloading by Removing and Re-adding the Context

Monitoring Security Contexts

Viewing Context Information

Viewing Resource Allocation

Viewing Resource Usage

Monitoring SYN Attacks in Contexts
